[virusinfo] W32/Sumom-C

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 17 Mar 2005 10:31:28 -0800

From: Sophos Alert System:

Name: W32/Sumom-C
Aliases: M-Worm.Win32.Sumom.c
Type: Win32 worm
Date: 17 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Sumom-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32sumomc.html

W32/Sumom-C is an instant messenger and P2P worm.

W32/Sumom-C copies itself to the files CSNSS.EXE and MCSV.COM in the Windows
system folder, and to SVHOST.EXE in the Windows folder.

W32/Sumom-C sets entries at the following locations in the registry so as to
run these copies of itself on system startup, with the name "SDAv" or "NDAv":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sumom-C will also set the following registry entry to ensure it is started
on user login:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\WINDOWS\System32\userinit.exe,<Path to copy of self in Windows system folder>

W32/Sumom-C copies itself to the following filenames in the root folder, which
it attempts to send via Microsoft Windows Messenger to members of the
infected user's contact list:
Best_Friend.scr
Bungee-Fuck.pif
Death of crazy frog!.pif
Hot babe!.pif
I_love_you.123greetings.com.com
Me at the Beach!.pif
My piccy.pif
Paris Hilton Sex Tape.pif
Really Cute.pif
Saddam Song!.pif
Shoot Bill Gates!.exe
lol Busted Are Gay!.pif

W32/Sumom-C also copies itself to the following folders:
My Shared Folder
Program Files\eMule\Incoming
Documents and Settings\<username>\Shared
using the following filenames so as to spread over P2P networks:
MSN Avatar Display Pack 1.0.exe
MSN Messenger 7 patch!.exe

W32/Sumom-C also sets the following registry entries to hinder its removal:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

W32/Sumom-C terminates a large number of processes related to anti-virus and
security programs, including REGEDIT.EXE, TASKMGR.EXE and MSCONFIG.EXE.

W32/Sumom-C drops and runs a file called l0ser.Html. This file can just be
deleted.
W32/Sumom-C attempts to overwrite the HOSTS file with entries that redirect the
websites of a large number of anti-virus vendors (Symantec, Sophos, McAfee,
Kaspersky, F-Secure, Trend Micro and others) to a single address, preventing
access to those sites.
W32/Sumom-C attempts to terminate certain processes and delete certain files 
relating to the W32/Assiral family of mass-mailing worms. W32/Sumom-C drops 
and, on certain days of the month, will open a message to the author of the 
W32/Assiral worm in a file called "LARISSA you muppet.txt" containing the 
following text: 
'Hello LARISSA, are you out there? You fucking n00b!!!!!!!!
LARISSA you're my bitch! I own your ass you fucking loser! 
'-S-K-Y-'-D-E-V-I-L-' 
Greets, 
N+E+T+D+E+V+I+L' 

This IDE file also includes detection for:

Troj/Multidr-CN
http://www.sophos.com/virusinfo/analyses/trojmultidrcn.html
Troj/Agent-CM
http://www.sophos.com/virusinfo/analyses/trojagentcm.html
W32/Rbot-YK
http://www.sophos.com/virusinfo/analyses/w32rbotyk.html
Troj/Monurl-B
http://www.sophos.com/virusinfo/analyses/trojmonurlb.html
Troj/Banker-BP
http://www.sophos.com/virusinfo/analyses/trojbankerbp.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sumom-c.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
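Added example (not from the Sophos alert or from Mike's post): a Python triage script that checks host data for the persistence, policy and HOSTS indicators the alert describes. It assumes the Run-key values, the Winlogon Userinit value, the policy values and the HOSTS file text have already been collected from the machine for offline review; the sample snapshot at the bottom is constructed.

```python
import re
# Indicators quoted in the Sophos description of W32/Sumom-C.
WORM_FILES = {"csnss.exe", "mcsv.com", "svhost.exe"}
WORM_RUN_NAMES = {"sdav", "ndav"}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
SR_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
EXPLORER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
HARDENING_POLICIES = {(EXPLORER_KEY, "NoFolderOptions"), (SR_KEY, "DisableConfig"),
                      (SR_KEY, "DisableSR")}  # (key, value name) pairs the worm sets to 1
# Some of the anti-virus vendor hostnames the worm redirects in the HOSTS file.
AV_DOMAINS = {"www.sophos.com", "www.symantec.com", "www.mcafee.com", "www.f-secure.com"}

def check_userinit(value):
    """Userinit is comma-separated (normally with a trailing comma);
    return every entry that is not the standard userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]

def check_run_keys(run_values):
    """run_values: {value name: command}. Flag the worm's value names and
    commands whose executable is one of its dropped files."""
    hits = []
    for name, cmd in run_values.items():
        tokens = cmd.strip().split()
        exe = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower() if tokens else ""
        if name.lower() in WORM_RUN_NAMES or exe in WORM_FILES:
            hits.append((name, cmd))
    return hits

def check_policies(policy_values):
    """policy_values: {(key, value name): data}; return the hindering policies set to 1."""
    return sorted(p for p in HARDENING_POLICIES if policy_values.get(p) == 1)

def check_hosts(hosts_text):
    """Return (address, hostname) pairs where a HOSTS line pins an anti-virus
    vendor hostname; a clean HOSTS file has no reason to contain one."""
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenise
        hits += [(parts[0], h.lower()) for h in parts[1:] if h.lower() in AV_DOMAINS]
    return hits

# Constructed sample snapshot modelled on the advisory, not data from a real host.
SAMPLE_RUN = {"SDAv": r"C:\WINDOWS\System32\csnss.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_USERINIT = r"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\csnss.exe"
SAMPLE_POLICIES = {(SR_KEY, "DisableSR"): 1, (SR_KEY, "DisableConfig"): 0}
SAMPLE_HOSTS = "127.0.0.1 localhost\n212.58.240.33 www.sophos.com\n"
if __name__ == "__main__":
    print(check_run_keys(SAMPLE_RUN), check_userinit(SAMPLE_USERINIT),
          check_policies(SAMPLE_POLICIES), check_hosts(SAMPLE_HOSTS))
```

Each check returns an empty list when its indicator is absent, so the script is also a quick way to confirm a cleaned machine no longer carries the Userinit hook or the HOSTS redirects.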


