From; Sophos Alert System: Name: W32/Sumom-B Aliases: IM-Worm.Win32.Sumom.a, WORM_FATSO.B, W32/Crog.worm virus Type: Win32 worm Date: 10 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Sumom-B can be found at: http://www.sophos.com/virusinfo/analyses/w32sumomb.html W32/Sumom-B is an instant messenger and P2P worm. W32/Sumom-B copies itself to the files SVOSM.EXE and SYSUP.EXE in the Windows system folder, MSMPATCH.EXE in the Windows folder, and to the filename DSM.EXE in the root folder. W32/Sumom-B sets entries at the following locations in the registry so as to run these copies of itself on system startup with the name "AvSer", "DsmSer" or "rollbk": HKCU\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run W32/Sumom-B copies itself to the following filenames in the root folder which it attempts to send via the Microsoft Windows Messenger to members of the infected user's contact list: One Eye Granny pic!.pif Me drunk at The Sea!.pif Punk lives! lol.pif: Me love you long time.pif Me pic.pif Hillbilly chick lol.pif Dumb looking goth chick.pif Hot blonde!.pif Modelling her new bikini.pif Crazy japanese man kicks crazy frog!.pif Funny hitler parody!.pif My birthday pic!.pif W32/Sumom-B copies itself to the file AUTORUN.EXE in the following folder: Documents and Settings\<username>\Local Settings\Application Data\ Microsoft\CDBurning\ W32/Sumom-B creates the file AUTORUN.INF in the same folder in order to run the AUTORUN.EXE copy of itself on startup. W32/Sumom-B also copies itself to the following folders: My Shared Folder Program Files\eMule\Incoming Documents and Settings\<username>\Shared copying itself to the following filenames so as to spread over P2P networks: MSN Display picture stealer.exe MSN Messenger 7.exe MSN Avatar Creator.exe W32/Sumom-B also sets the following registry entries to hinder its removal: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableSR 0 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableConfig 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 2 W32/Sumom-B terinates a large number processes related to anti-virus and security programs. W32/Sumom-B drops and runs a file called Crazy.Html to the root folder which tries to display two graphics files from the web. W32/Sumom-B attempts to overwrite the HOSTS file with the following lines, preventing access to the websites: 213.199.154.54 www.symantec.com 213.199.154.54 www.sophos.com 213.199.154.54 www.mcafee.com 213.199.154.54 www.viruslist.com 213.199.154.54 www.f-secure.com 213.199.154.54 www.avp.com 213.199.154.54 www.kaspersky.com 213.199.154.54 www.networkassociates.com 213.199.154.54 www.ca.com 213.199.154.54 www.my-etrust.com 213.199.154.54 www.nai.com 213.199.154.54 www.trendmicro.com 213.199.154.54 www.grisoft.com 213.199.154.54 securityresponse.symantec.com 213.199.154.54 symantec.com 213.199.154.54 sophos.com 213.199.154.54 mcafee.com 213.199.154.54 liveupdate.symantecliveupdate.com 213.199.154.54 viruslist.com 213.199.154.54 f-secure.com 213.199.154.54 kaspersky.com 213.199.154.54 kaspersky-labs.com 213.199.154.54 avp.com 213.199.154.54 networkassociates.com 213.199.154.54 ca.com 213.199.154.54 mast.mcafee.com 213.199.154.54 my-etrust.com 213.199.154.54 download.mcafee.com 213.199.154.54 dispatch.mcafee.com 213.199.154.54 secure.nai.com 213.199.154.54 nai.com 213.199.154.54 update.symantec.com 213.199.154.54 updates.symantec.com 213.199.154.54 us.mcafee.com 213.199.154.54 liveupdate.symantec.com 213.199.154.54 customer.symantec.com 213.199.154.54 rads.mcafee.com 213.199.154.54 trendmicro.com 213.199.154.54 grisoft.com 213.199.154.54 sandbox.norman.no 213.199.154.54 www.pandasoftware.com 213.199.154.54 uk.trendmicro-europe.com This IDE file also includes detection for: Troj/Multidr-CK http://www.sophos.com/virusinfo/analyses/trojmultidrck.html Troj/Zonit-E http://www.sophos.com/virusinfo/analyses/trojzonite.html Troj/Bancban-BT http://www.sophos.com/virusinfo/analyses/trojbancbanbt.html W32/Aimdes-C http://www.sophos.com/virusinfo/analyses/w32aimdesc.html Download the IDE file from: http://www.sophos.com/downloads/ide/sumomb.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member