Classification

Category: Malware

Type: -

Aliases: Sumom.A, IM-Worm.Win32.Sumom.a, W32.Serflog.A, Serflog

Summary


Sumom is an IM (Instant Messaging) worm that appeared on March 7th, 2005. It spreads through MSN Messenger and P2P (peer-to-peer) networks, and can also copy itself onto CD-Rs. The Sumom worm contains a message addressed to the author of the Assiral worm.

Removal


The worm makes every effort to protect its files from being removed. To disinfect the worm with F-Secure Anti-Virus, set the 'Rename Automatically' disinfection action for the On Access Scanner (OAS) and restart the computer. After the restart, all of the worm's active files will have been renamed, and F-Secure Anti-Virus can then be instructed to delete the infected files as shown on this page: https://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec... Manual disinfection requires booting the computer into Safe Mode and deleting all of the worm's files from the hard disk.

Technical Details


The worm's file is a PE executable about 17 kilobytes long, packed with the MEW file compressor. The unpacked file is over 155 kilobytes in size. The worm is written in Visual Basic.

Installation to system

When the worm's file is run, it installs itself to the system. It copies itself as 'msmbw.exe' to the Windows folder and as 'formatsys.exe' and 'serbw.exe' to the Windows System folder. The worm then creates a startup key for one of its dropped files:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<value>" = "%winsysdir%\serbw.exe"

where <value> can be one of the following:

Additionally the worm copies itself to the root of C: drive with the following names:


Also the worm drops the following files to the root of C: drive:


The 'Message to n00b LARISSA.txt' file contains a very rude message to the author of the Assiral worm; it is opened in Notepad. The 'Crazy-Frog.Html' file is opened in a web browser when the worm starts. The worm does not allow its files to be deleted: if any of them is removed, the worm copies it back to the hard drive after a few seconds.

Spreading via MSN Messenger

The worm is capable of spreading itself in Instant Messages to all MSN Messenger contacts found on an infected computer.

Spreading to P2P networks

The worm attempts to spread over peer-to-peer networks. It copies itself to the 'My Shared Folder' and 'Program Files\eMule\Incoming' folders and to the current user's 'Shared' folder under 'Documents and Settings' with the following names:


Anyone who downloads one of these files from the shared folders and runs it infects their own computer.

Spreading to CD-Rs

The worm also copies itself as 'autorun.exe' to the current user's 'Local Settings\Application Data\Microsoft\CD Burning' folder and creates an 'autorun.inf' file there that instructs Windows to run 'autorun.exe' when the media is inserted into a drive. Because that folder is the staging area for files waiting to be burned, any CD-R the user burns carries both files and can infect other computers it is used on.

Payload

The worm has a set of payloads. First, it disables System Restore and the configuration option for it. Then it configures Windows Explorer not to show hidden files. The 'MSLARISSA.pif' file, if present, is deleted when the worm starts. While active in memory, the worm kills processes with the following names:


As a result, certain security and anti-virus software, as well as Windows Task Manager and Registry Editor, stop working. Additionally, the worm tries to redirect the following websites to the address 64.233.167.104 by modifying the HOSTS file:


The worm closes application windows whose captions contain any of the following strings:

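The following Python script is an added example and is not part of this description or of F-Secure's tools. It checks offline for three of the indicators described above: a Run value that launches one of the dropped files (serbw.exe, formatsys.exe, msmbw.exe), HOSTS entries that map hostnames to 64.233.167.104, and the autorun.inf/autorun.exe pairing in the CD Burning staging folder. The sample HOSTS file, Run values and folder listing are constructed for the example; the hostnames in them are placeholders, since the page's own list of redirected sites is not reproduced here.

```python
# Offline check for the Sumom/Serflog indicators described on this page.
# Added example, not F-Secure's tooling. Inputs are constructed below so the
# checks run without a live system; on a real host they would be fed the HOSTS
# file, the HKLM Run values enumerated with winreg, and the CD Burning folder.
import configparser
import ipaddress
from typing import Dict, List, Optional

# Indicators taken from the description above.
SUMOM_DROPPED_FILES = {"msmbw.exe", "formatsys.exe", "serbw.exe", "autorun.exe"}
SUMOM_HOSTS_REDIRECT_IP = "64.233.167.104"


def find_hosts_redirects(hosts_text: str, sink_ip: str = SUMOM_HOSTS_REDIRECT_IP) -> List[str]:
    """Return every hostname the HOSTS file maps to sink_ip, in file order."""
    hijacked: List[str] = []
    for raw in hosts_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a HOSTS entry
        if str(address) == sink_ip:
            hijacked.extend(name.lower() for name in fields[1:])
    return hijacked


def _basename(path: str) -> str:
    """Lower-cased final component of a Windows path, tolerating quotes and slashes."""
    return path.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return names of Run values whose data launches one of the dropped files.

    run_values mimics the (name -> data) pairs winreg.EnumValue yields for the
    Run key. Matching on the basename catches '%winsysdir%\\serbw.exe' as well
    as an expanded path; the worm's empty value name ('') needs no special case.
    """
    return [name for name, data in run_values.items() if _basename(data) in SUMOM_DROPPED_FILES]


def autorun_launch_target(autorun_inf_text: str) -> Optional[str]:
    """Return the file an autorun.inf launches via open= or shellexecute=, if any."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.read_string(autorun_inf_text)
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            value = parser.get(section, key, fallback=None)
            if value:
                return value.strip().split()[0]  # strip any command-line arguments
    return None


def cd_staging_is_infected(staging_listing: Dict[str, str]) -> bool:
    """True if the folder holds an autorun.inf whose launch target is staged beside it.

    staging_listing maps filename -> content for the CD Burning staging folder;
    that pairing is exactly what the worm plants so the burned CD-R runs it.
    """
    by_name = {name.lower(): content for name, content in staging_listing.items()}
    inf = by_name.get("autorun.inf")
    if inf is None:
        return False
    target = autorun_launch_target(inf)
    return target is not None and _basename(target) in by_name


# Constructed sample inputs; the hostnames are placeholders, not the page's list.
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1        localhost
64.233.167.104   update.example-av.test
64.233.167.104   www.example-security.test   # worm-added redirect
10.0.0.5         intranet.corp.test
"""
SAMPLE_RUN_VALUES = {
    "": r"%winsysdir%\serbw.exe",                        # the worm's value: empty name
    "SoundMixer": r"C:\Program Files\Audio\mixer.exe",  # benign entry
}
SAMPLE_CD_STAGING = {
    "autorun.inf": "[autorun]\nopen=autorun.exe\nicon=autorun.exe\n",
    "autorun.exe": "MZ",  # stand-in for the dropped copy of the worm
    "holiday.jpg": "",
}

if __name__ == "__main__":
    print("hosts_hijacked:", find_hosts_redirects(SAMPLE_HOSTS))
    print("run_values:", find_suspicious_run_values(SAMPLE_RUN_VALUES))
    print("cd_staging_infected:", cd_staging_is_infected(SAMPLE_CD_STAGING))
```

Because the worm kills security tools and restores deleted files while it is running, feed these checks data collected from Safe Mode or from an offline copy of the disk, in line with the removal instructions above; the Run value match is on the basename so it still fires if the value data holds an expanded path rather than the '%winsysdir%' form shown on this page.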