[virusinfo] W32/Sumom-B

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Thu, 10 Mar 2005 09:08:19 -0800

From; Sophos Alert System:

Name: W32/Sumom-B
Aliases: IM-Worm.Win32.Sumom.a, WORM_FATSO.B, W32/Crog.worm virus
Type: Win32 worm
Date: 10 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Sumom-B can be found at:
http://www.sophos.com/virusinfo/analyses/w32sumomb.html

W32/Sumom-B is an instant messenger and P2P worm. 
W32/Sumom-B copies itself to the files SVOSM.EXE and SYSUP.EXE in the Windows 
system folder, MSMPATCH.EXE in the Windows folder, and to the filename DSM.EXE 
in the root folder. 
W32/Sumom-B sets entries at the following locations in the registry so as to 
run these copies of itself on system startup with the name "AvSer", "DsmSer" or 
"rollbk": 
HKCU\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 
W32/Sumom-B copies itself to the following filenames in the root folder which 
it attempts to send via the Microsoft Windows Messenger to members of the 
infected user's contact list: 
One Eye Granny pic!.pif
Me drunk at The Sea!.pif
Punk lives! lol.pif:
Me love you long time.pif
Me pic.pif
Hillbilly chick lol.pif
Dumb looking goth chick.pif
Hot blonde!.pif
Modelling her new bikini.pif
Crazy japanese man kicks crazy frog!.pif
Funny hitler parody!.pif
My birthday pic!.pif 
W32/Sumom-B copies itself to the file AUTORUN.EXE in the following folder: 
Documents and Settings\<username>\Local Settings\Application Data\
Microsoft\CDBurning\ 
W32/Sumom-B creates the file AUTORUN.INF in the same folder in order to run the 
AUTORUN.EXE copy of itself on startup. 
W32/Sumom-B also copies itself to the following folders: 
My Shared Folder
Program Files\eMule\Incoming
Documents and Settings\<username>\Shared 
copying itself to the following filenames so as to spread over P2P networks: 
MSN Display picture stealer.exe
MSN Messenger 7.exe
MSN Avatar Creator.exe 
W32/Sumom-B also sets the following registry entries to hinder its removal: 
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
0 
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
0 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2 
W32/Sumom-B terinates a large number processes related to anti-virus and 
security programs. 
W32/Sumom-B drops and runs a file called Crazy.Html to the root folder which 
tries to display two graphics files from the web. 
W32/Sumom-B attempts to overwrite the HOSTS file with the following lines, 
preventing access to the websites: 
213.199.154.54 www.symantec.com
213.199.154.54 www.sophos.com
213.199.154.54 www.mcafee.com
213.199.154.54 www.viruslist.com
213.199.154.54 www.f-secure.com
213.199.154.54 www.avp.com
213.199.154.54 www.kaspersky.com
213.199.154.54 www.networkassociates.com
213.199.154.54 www.ca.com
213.199.154.54 www.my-etrust.com
213.199.154.54 www.nai.com
213.199.154.54 www.trendmicro.com
213.199.154.54 www.grisoft.com
213.199.154.54 securityresponse.symantec.com
213.199.154.54 symantec.com
213.199.154.54 sophos.com
213.199.154.54 mcafee.com
213.199.154.54 liveupdate.symantecliveupdate.com
213.199.154.54 viruslist.com
213.199.154.54 f-secure.com
213.199.154.54 kaspersky.com
213.199.154.54 kaspersky-labs.com
213.199.154.54 avp.com
213.199.154.54 networkassociates.com
213.199.154.54 ca.com
213.199.154.54 mast.mcafee.com
213.199.154.54 my-etrust.com
213.199.154.54 download.mcafee.com
213.199.154.54 dispatch.mcafee.com
213.199.154.54 secure.nai.com
213.199.154.54 nai.com
213.199.154.54 update.symantec.com
213.199.154.54 updates.symantec.com
213.199.154.54 us.mcafee.com
213.199.154.54 liveupdate.symantec.com
213.199.154.54 customer.symantec.com
213.199.154.54 rads.mcafee.com
213.199.154.54 trendmicro.com
213.199.154.54 grisoft.com
213.199.154.54 sandbox.norman.no
213.199.154.54 www.pandasoftware.com
213.199.154.54 uk.trendmicro-europe.com 

This IDE file also includes detection for:

Troj/Multidr-CK
http://www.sophos.com/virusinfo/analyses/trojmultidrck.html
Troj/Zonit-E
http://www.sophos.com/virusinfo/analyses/trojzonite.html
Troj/Bancban-BT
http://www.sophos.com/virusinfo/analyses/trojbancbanbt.html
W32/Aimdes-C
http://www.sophos.com/virusinfo/analyses/w32aimdesc.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sumomb.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Sumom-B

1. Home
2. virusinfo
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---