From: Sophos Alert System

Name: W32/Sumom-C
Aliases: IM-Worm.Win32.Sumom.c
Type: Win32 worm
Date: 17 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Sumom-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32sumomc.html

W32/Sumom-C is an instant messenger and P2P worm.

W32/Sumom-C copies itself to the files CSNSS.EXE and MCSV.COM in the Windows system folder, and to SVHOST.EXE in the Windows folder.

W32/Sumom-C sets entries at the following locations in the registry so as to run these copies of itself on system startup, using the value name "SDAv" or "NDAv":

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sumom-C will also set the following registry entry to ensure it is started on user login:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit
  C:\WINDOWS\System32\userinit.exe, <Path to copy of self in Windows system folder>

W32/Sumom-C copies itself to the following filenames in the root folder, which it attempts to send via Microsoft Windows Messenger to members of the infected user's contact list:

  Best_Friend.scr
  Bungee-Fuck.pif
  Death of crazy frog!.pif
  Hot babe!.pif
  I_love_you.123greetings.com.com
  Me at the Beach!.pif
  My piccy.pif
  Paris Hilton Sex Tape.pif
  Really Cute.pif
  Saddam Song!.pif
  Shoot Bill Gates!.exe
  lol Busted Are Gay!.pif

W32/Sumom-C also copies itself to the following folders:

  My Shared Folder
  Program Files\eMule\Incoming
  Documents and Settings\<username>\Shared

using the following filenames so as to spread over P2P networks:

  MSN Avatar Display Pack 1.0.exe
  MSN Messenger 7 patch!.exe

W32/Sumom-C also sets the following registry entries to hinder its removal:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoFolderOptions
  1

  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  DisableConfig
  1

  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  DisableSR
  1

W32/Sumom-C terminates a large number of processes related to anti-virus and security programs, including REGEDIT.EXE, TASKMGR.EXE and MSCONFIG.EXE.

W32/Sumom-C drops and runs a file called l0ser.Html. This file can just be deleted.

W32/Sumom-C attempts to overwrite the HOSTS file with entries that map the websites and update servers of anti-virus vendors (Symantec, Sophos, McAfee, Kaspersky, F-Secure, Trend Micro, CA/eTrust, Network Associates, Grisoft, Norman and Panda) to the address 212.58.240.33, preventing access to those websites.

W32/Sumom-C attempts to terminate certain processes and delete certain files relating to the W32/Assiral family of mass-mailing worms.

W32/Sumom-C drops and, on certain days of the month, will open a message to the author of the W32/Assiral worm in a file called "LARISSA you muppet.txt" containing the following text:

  'Hello LARISSA, are you out there? You fucking n00b!!!!!!!! LARISSA you're my bitch! I own your ass you fucking loser! '-S-K-Y-'-D-E-V-I-L-' Greets, N+E+T+D+E+V+I+L'

This IDE file also includes detection for:

  Troj/Multidr-CN
  http://www.sophos.com/virusinfo/analyses/trojmultidrcn.html

  Troj/Agent-CM
  http://www.sophos.com/virusinfo/analyses/trojagentcm.html

  W32/Rbot-YK
  http://www.sophos.com/virusinfo/analyses/w32rbotyk.html

  Troj/Monurl-B
  http://www.sophos.com/virusinfo/analyses/trojmonurlb.html

  Troj/Banker-BP
  http://www.sophos.com/virusinfo/analyses/trojbankerbp.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sumom-c.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file: http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
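Two of the persistence and self-protection changes the alert describes, the HOSTS redirection of anti-virus vendor sites and the extra executable appended to the Winlogon Userinit value, can be checked mechanically. The following is an added example (not Sophos code) that runs the two checks over constructed sample input; it generalises the alert's pattern by flagging any HOSTS entry for a vendor domain, whatever address it points at, and any Userinit entry that is not the genuine system32\userinit.exe.

```python
"""Checks for two tampering patterns described in the W32/Sumom-C alert:
a HOSTS file that redirects anti-virus vendor sites, and a Winlogon Userinit
value with an extra executable appended.  Added example, not Sophos code;
the sample inputs below are constructed."""
import re

# Vendor domains taken from the alert's HOSTS list, matched as domain suffixes
VENDOR_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                  "mcafee.com", "viruslist.com", "f-secure.com", "avp.com",
                  "kaspersky.com", "kaspersky-labs.com", "networkassociates.com",
                  "ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
                  "grisoft.com", "norman.no", "pandasoftware.com",
                  "trendmicro-europe.com")
# The only entry that belongs in Userinit: <drive>:\<windows dir>\system32\userinit.exe
USERINIT_OK = re.compile(r"^[a-z]:\\[^\\]+\\system32\\userinit\.exe$", re.IGNORECASE)

def is_vendor_host(host):
    """True if host is one of the vendor domains or a subdomain of one
    (exact match or dot-separated suffix, so monica.com does not match ca.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def hosts_redirects(hosts_text):
    """Return (address, hostname) pairs for every HOSTS entry naming a vendor site.
    A clean HOSTS file has no reason to mention these domains at all."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2:
            continue                               # blank line or address only
        addr, names = fields[0], fields[1:]
        hits.extend((addr, n) for n in names if is_vendor_host(n))
    return hits

def extra_userinit_entries(value):
    """Return Userinit entries other than the real userinit.exe.
    The clean value is 'C:\\WINDOWS\\system32\\userinit.exe,' (trailing comma);
    the worm appends the path of its own copy after that comma."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not USERINIT_OK.match(e)]

# Constructed samples showing what a Sumom-C-style modification looks like
SAMPLE_HOSTS = """127.0.0.1 localhost
212.58.240.33 www.sophos.com   # appended by the worm
212.58.240.33 liveupdate.symantec.com
"""
SAMPLE_USERINIT = r"C:\WINDOWS\System32\userinit.exe, C:\WINDOWS\System32\csnss.exe"

if __name__ == "__main__":
    print(hosts_redirects(SAMPLE_HOSTS))
    print(extra_userinit_entries(SAMPLE_USERINIT))
```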