Win32.Worm.Sumom.A (aliases: W32/Crog.worm; Worm_Fatso.A; IM-Worm.Win32.Sumom.a; W32.Serflog.A)

SYMPTOMS:

Presence of any of the following files in the system root directory (usually C:\):

  Crazy frog gets killed by train!.pif
  Annoying crazy frog getting killed.pif
  See my lesbian friends.pif
  LOL that ur pic!.pif
  My new photo!.pif
  Me on holiday!.pif
  The Cat And The Fan piccy.pif
  How a Blonde Eats a Banana...pif
  Mona Lisa Wants Her Smile Back.pif
  Topless in Mini Skirt! lol.pif
  Fat Elvis! lol.pif
  Jennifer Lopez.scr

References to formatsys.exe, serbw.exe or msmbw.exe in the Registry keys:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

TECHNICAL DESCRIPTION:

Win32.Worm.Sumom.A is written in Microsoft Visual Basic and compressed with MEW. The worm propagates via MSN Messenger, sending itself to other users of the instant messaging network. When a user downloads and runs the file, the worm drops copies of itself to the root folder (C:\) under the following names:

  Crazy frog gets killed by train!.pif
  Annoying crazy frog getting killed.pif
  See my lesbian friends.pif
  LOL that ur pic!.pif
  My new photo!.pif
  Me on holiday!.pif
  The Cat And The Fan piccy.pif
  How a Blonde Eats a Banana...pif
  Mona Lisa Wants Her Smile Back.pif
  Topless in Mini Skirt! lol.pif
  Fat Elvis! lol.pif
  Jennifer Lopez.scr

Copies of the worm are also dropped in the Windows "system" directory as:

  formatsys.exe
  serbw.exe
  msmbw.exe

The following Registry keys are modified to ensure the worm is activated at startup:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To prevent infected users from reverting to an earlier configuration (and thus getting rid of the worm), Sumom.A disables the System Restore feature by modifying the Registry key:

  HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows NT\SystemRestore

In an attempt to propagate to any CDs the user burns, two files are dropped in the user's Application Data\Microsoft\CD Burning directory:

  autorun.exe: a copy of the worm
  autorun.inf: contains the line "OPEN=autorun.exe", instructing the operating system to run the worm from the CD

Sumom.A also tries to propagate via peer-to-peer networks by dropping a copy of itself into these folders:

  My Shared Folder\
  Program Files\eMule\Incoming\
  (User Profile)\Shared\

The following names are used for the peer-to-peer copies:

  Messenger Plus! 3.50.exe
  MSN all version polygamy.exe
  MSN nudge bomb.exe

The worm scans the computer's memory for a number of antivirus and debugging tools and attempts to terminate them:

  avengine.exe
  apvxdwin.exe
  atupdater.exe
  aupdate.exe
  autodown.exe
  autotrace.exe
  autoupdate.exe
  avconsol.exe
  avsynmgr.exe
  avwupd32.exe
  avxquar.exe
  bawindo.exe
  blackd.exe
  ccapp.exe
  ccevtmgr.exe
  ccproxy.exe
  ccpxysvc.exe
  cfiaudit.exe
  defwatch.exe
  drwebupw.exe
  escanh95.exe
  escanhnt.exe
  nisum.exe
  firewall.exe
  frameworkservice.exe
  icssuppnt.exe
  icsupp95.exe
  luall.exe
  lucoms~1.exe
  mcagent.exe
  mcshield.exe
  mcupdate.exe
  mcvsescn.exe
  mcvsrte.exe
  mcvsshld.exe
  navapsvc.exe
  navapw32.exe
  nopdb.exe
  nprotect.exe
  nupgrade.exe
  outpost.exe
  pavfires.exe
  pavproxy.exe
  pavsrv50.exe
  rtvscan.exe
  rulaunch.exe
  savscan.exe
  shstat.exe
  sndsrvc.exe
  symlcsvc.exe
  Update.exe
  updaterui.exe
  vshwin32.exe
  vsstat.exe
  vstskmgr.exe
  cmd.exe
  msconfig.exe
  msdev.exe
  ollydbg.exe
  peid.exe
  petools.exe
  regedit.exe
  reshacker.exe
  taskmgr.exe
  w32dasm.exe
  winhex.exe
  wscript.exe

Any window whose title contains one of the following strings is also closed:

  ADWARE, ALERTS, ANTI, AUTOSTARTED, BENIGN, BLOCKER, BULLGUARD, BUSTER, CENTER, -CILLIN, CLEANER, Command, DESTROY, DETECTION, DOCTOR, EARTHLINK, EDITOR, ELIMINATE, FIGHT, Filter, FIREWALL, FIXING, HEAL, HELP, HUNTER, KERIO, Kill, LABS, LIVEUPDATE, MALWARE, MALWHERE, MCAFEE, NETCOP, NOD32, NORTON, PANDA, PROMPT, PROTECTOR, REGISTRY, REMOVAL, RESTORE, SANDBOX, SCAN, SECURE, SECURITY, SOPHOS, SPYBOT, SPYWARE, STOPPER, SWEEPER, TASK, TOOL, TREND, Update, VCATCH, VIRUS, WATCH, WORM

The worm modifies the HOSTS file, redirecting any of the following hosts to 64.233.167.104 (which is in fact www.google.com), so that security-vendor sites and update servers can no longer be reached:

  symantec.com
  sophos.com
  mcafee.com
  viruslist.com
  f-secure.com
  avp.com
  kaspersky.com
  networkassociates.com
  ca.com
  my-etrust.com
  nai.com
  trendmicro.com
  grisoft.com
  securityresponse.symantec.com
  symantec.com
  sophos.com
  mcafee.com
  update.symantec.com
  liveupdate.symantecliveupdate.com
  viruslist.com
  f-secure.com
  kaspersky.com
  kaspersky-labs.com
  avp.com
  nai.com
  networkassociates.com
  ca.com
  mast.mcafee.com
  my-etrust.com
  download.mcafee.com
  dispatch.mcafee.com
  secure.nai.com
  updates.symantec.com
  us.mcafee.com
  liveupdate.symantec.com
  customer.symantec.com
  rads.mcafee.com
  trendmicro.com
  grisoft.com
  sandbox.norman.no
  www.pandasoftware.com
  uk.trendmicro-europe.com

The worm also looks for and tries to terminate processes likely to belong to another piece of malware, Win32.Ariss.B@mm:

  MSLARISSA.pif
  CmdPrompt32.pif
  SP00Lsv32.pif
  LOVE_LETTER_FOR_YOU.pif

It deletes these files, along with other files related to the same malware:

  WinVBS.vbs
  MESSAGE_TO_BROPIA.txt

On the 1st, 7th, 10th, 19th, 25th, 26th and 30th day of each month, the worm drops a file titled "Message to n00b LARISSA.txt" containing these lines:

  Hey LARISSA fuck off, you fucking n00b!..
  Bla bla to your fucking Saving the world from Bropia, the world n33ds saving from you!
  '-S-K-Y-'-D-E-V-I-L-'

A harmless HTML file is also dropped to the hard drive.

Internally the worm uses a mutex named "-F-u-c-k-‘Y-o-u’" to prevent multiple copies of itself running at the same time.

REMOVAL INSTRUCTIONS:

Use BitDefender to remove the malicious files.

ANALYZED BY: Alexandru Pojoga
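The HOSTS-file tampering described above is easy to check for on a suspect machine. The following script is an added example (not BitDefender's code or part of the original analysis): it parses HOSTS-file content and reports any entry that pins a security-vendor domain from this write-up, or a subdomain of one, to an IP address, regardless of whether that address is the 64.233.167.104 the worm uses. The sample HOSTS text is constructed for the demonstration.

```python
"""Added example: flag HOSTS-file entries that hijack security-vendor domains.

The watched domains and the 64.233.167.104 address come from the Sumom.A
write-up; SAMPLE_HOSTS below is constructed, not captured from an infected host.
"""
import ipaddress

# Vendor domains the write-up says Sumom.A redirects. A HOSTS entry for any of
# these (or a subdomain) is abnormal: Windows never needs them pinned locally.
WATCHED_DOMAINS = {
    "symantec.com", "sophos.com", "mcafee.com", "viruslist.com", "f-secure.com",
    "avp.com", "kaspersky.com", "kaspersky-labs.com", "networkassociates.com",
    "ca.com", "my-etrust.com", "nai.com", "trendmicro.com", "grisoft.com",
    "symantecliveupdate.com", "norman.no", "pandasoftware.com",
    "trendmicro-europe.com",
}


def _watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched domain."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try every suffix of at least two labels: www.sophos.com -> sophos.com.
    return any(".".join(labels[i:]) in WATCHED_DOMAINS for i in range(len(labels) - 1))


def scan_hosts(text: str) -> list[tuple[str, str]]:
    """Return (hostname, ip) pairs for watched domains that have a HOSTS entry.

    Comments (#...) are stripped first; lines whose first field is not a valid
    IP address are skipped, which is also how the resolver treats them.
    """
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            if _watched(host):
                findings.append((host.lower(), str(ip)))
    return findings


# Constructed sample: a normal localhost line plus hijacked vendor entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.233.167.104  liveupdate.symantecliveupdate.com  # worm-style redirect
64.233.167.104  www.sophos.com
127.0.0.1       www.pandasoftware.com
"""

if __name__ == "__main__":
    for host, ip in scan_hosts(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {ip}")
```

Run it against the real file (%SystemRoot%\System32\drivers\etc\hosts) by reading that file into scan_hosts; an empty result means no vendor domain is pinned.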