Classification

Category :

Malware

Type :

-

Aliases :

Sumom.A, IM-Worm.Win32.Sumom.a, W32.Serflog.A, Serflog

Summary

Sumom is an IM (instant messaging) worm that appeared on March 7th, 2005. It spreads through MSN Messenger and P2P (peer-to-peer) networks and can also copy itself onto CD-Rs. The worm carries a message addressed to the author of the Assiral worm.

Removal

The worm makes every effort to protect its files from being removed. To disinfect it with F-Secure Anti-Virus, set the On Access Scanner (OAS) disinfection action to 'Rename Automatically' and restart the computer. Renaming rather than deleting matters because a running copy of the worm restores deleted files within seconds; once the renamed files can no longer be started at boot, nothing is left to restore them. After the restart, all of the worm's active files will have been renamed and F-Secure Anti-Virus can then be instructed to delete the infected files as shown on this page: https://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec... Manual disinfection requires booting the computer into Safe Mode and deleting all of the worm's files from the hard disk.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is a PE executable about 17 kilobytes long, packed with the MEW file compressor. The unpacked file is over 155 kilobytes. The worm is written in Visual Basic.

Installation to system

When the worm's file is run, it installs itself on the system. It copies itself as 'msmbw.exe' to the Windows folder and as 'formatsys.exe' and 'serbw.exe' to the Windows System folder. The worm then creates a startup key for one of its dropped files:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"" = "%winsysdir%\serbw.exe"

where the value name (shown empty above) can be one of several names; the list of names is not preserved in this copy of the description.

Additionally the worm copies itself to the root of the C: drive under several file names (the list of names is not preserved in this copy of the description).

Also the worm drops files to the root of the C: drive, including:

Message to n00b LARISSA.txt
Crazy-Frog.Html

The 'Message to n00b LARISSA.txt' file contains a very rude message to the author of the Assiral worm; it is a plain text file that opens in Notepad. 'Crazy-Frog.Html' is opened in a web browser after the worm starts. The worm does not allow its files to be deleted: if any of them is removed, the worm copies it back to the hard drive after a few seconds.
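
As an added example (not part of the F-Secure description and not the worm's own code), the following Python script checks a .reg export of the Run key for an autostart entry that points at one of the three dropped file names, and lists where those files are expected on disk. The sample .reg text is constructed for the example; the value names in it, the helper names and the assumption that %winsysdir% is System32 are mine, only the file names come from the description.

```python
"""Look for the Sumom.A autostart entry in a .reg export of the Run key.

Added example; the sample .reg text below is constructed and the value names
in it are invented. Only the file names come from the description.
"""
import ntpath
import os
import re

# File names the description says the worm drops.
SUMOM_FILES = {"msmbw.exe", "formatsys.exe", "serbw.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed export, as `reg export "HKLM\...\Run" run.reg` would write it.
# The default value (@) corresponds to the empty value name in the description;
# the two other entries are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
@="C:\\WINDOWS\\system32\\serbw.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
'''

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"=data or @=data; quoted strings use \\ and \" escapes.
_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|(.+))$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export.

    Only string data is unescaped; hex:/dword: data is kept raw because this
    check cares about paths, not binary values. The default value gets name "".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "" if m.group(1) is None else _unescape(m.group(1))
            data = _unescape(m.group(2)) if m.group(2) is not None else m.group(3)
            keys[current][name] = data
    return keys


def command_image(command):
    """Extract the executable path from a Run-key command line.

    Quoted form: "C:\\dir with spaces\\x.exe" /arg. Unquoted form: tokens up to
    the first one ending in .exe, a simplification of CreateProcess's lookup.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def find_sumom_autostart(reg_text):
    """Return [(value_name, image_path)] for Run entries that start a Sumom file."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            image = command_image(data)
            if ntpath.basename(image).lower() in SUMOM_FILES:
                hits.append((name, image))
    return hits


def expected_drop_paths(windir=None):
    """Full paths of the dropped files; assumes the System folder is System32."""
    windir = windir or os.environ.get("SystemRoot", r"C:\WINDOWS")
    sysdir = ntpath.join(windir, "system32")
    return [ntpath.join(windir, "msmbw.exe"),
            ntpath.join(sysdir, "formatsys.exe"),
            ntpath.join(sysdir, "serbw.exe")]


if __name__ == "__main__":
    for name, image in find_sumom_autostart(SAMPLE_REG):
        print(f"Run value {name!r} starts {image}")
    for path in expected_drop_paths():
        print(path, "present" if os.path.exists(path) else "absent")
```

On a live machine, export the key with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and feed that file to `find_sumom_autostart`; because the worm restores deleted files and kills Registry Editor, the check is most useful from Safe Mode or from an offline copy of the hive.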

Spreading via MSN Messenger

The worm spreads by sending itself in instant messages to all MSN Messenger contacts found on the infected computer.

Spreading to P2P networks

The worm attempts to spread over peer-to-peer networks. It copies itself to the 'My Shared Folder' folder, to 'Program Files\eMule\Incoming' and to the current user's 'Shared' folder under 'Documents and Settings', under several file names (the list of names is not preserved in this copy of the description).

Anyone who downloads one of these files from the shared folder and runs it infects their own computer.

Spreading to CD-Rs

The worm also copies itself as 'autorun.exe' to the current user's 'Local Settings\Application Data\Microsoft\CD Burning' folder (the staging area used by the built-in CD writing feature of Windows XP) and creates an 'autorun.inf' file there with instructions to run 'autorun.exe' when the media is inserted into a drive. As a result, the next CD-R the user burns with that feature carries the worm, and the disc can infect other computers on which AutoRun is enabled.
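
The following Python check, added here as an example and not taken from the description or from the worm, parses an autorun.inf the way a reviewer of the CD Burning staging folder would want to: it extracts every directive that launches a program and reports whether the launched executable is also staged. The sample staging contents and the exact autorun.inf text are constructed (the description only says the file instructs Windows to run autorun.exe), and the function names are assumptions.

```python
"""Inspect an autorun.inf and a CD Burning staging folder for a self-starting disc.

Added example. The autorun.inf text and staging contents below are constructed;
the description only says the file instructs Windows to run autorun.exe.
"""
import configparser
import ntpath
import os

# Directives in [autorun] that launch a program when the disc is inserted.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed: the shape an autorun.inf that runs autorun.exe would have.
WORM_AUTORUN_INF = "[autorun]\nopen=autorun.exe\nicon=autorun.exe,0\n"

# Constructed: a harmless autorun.inf that only sets a label and an icon.
CLEAN_AUTORUN_INF = "[AutoRun]\nlabel=Holiday 2005\nicon=holiday.ico\n"

# Constructed staging folders, as {lowercase file name: contents}.
INFECTED_STAGING = {"autorun.inf": WORM_AUTORUN_INF, "autorun.exe": b"MZ...", "holiday.jpg": b"..."}
CLEAN_STAGING = {"autorun.inf": CLEAN_AUTORUN_INF, "holiday.ico": b"...", "holiday.jpg": b"..."}


def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercase key: value}; {} if absent or malformed.

    Windows reads the file through the INI API, which is case-insensitive for
    both the section name and the keys, so both are lowered here.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True,
                                   delimiters=("=",), inline_comment_prefixes=(";",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def _executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def launch_targets(text):
    """Return [(directive, executable)] for every directive that would run a program.

    Besides open= and shellexecute=, a shell\\<verb>\\command= entry runs on
    double-click (and on AutoPlay when shell=<verb> makes it the default verb).
    """
    targets = []
    for key, value in parse_autorun_inf(text).items():
        runs = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if runs and value:
            targets.append((key, _executable_of(value)))
    return targets


def check_cd_staging(files):
    """Report what a disc burned from this staging folder would auto-start.

    files maps lowercase names to contents. Each result is (directive,
    executable, staged): staged tells whether the launched file is also in the
    folder, i.e. whether the next burn produces a disc that runs it on insertion
    on machines where AutoRun is enabled.
    """
    inf = files.get("autorun.inf")
    if inf is None:
        return []
    if isinstance(inf, bytes):
        inf = inf.decode("utf-8", errors="replace")
    return [(d, exe, ntpath.basename(exe).lower() in files) for d, exe in launch_targets(inf)]


def load_staging(folder):
    """Read a real staging folder into the {name: contents} shape used above."""
    out = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name.lower()] = fh.read()
    return out


if __name__ == "__main__":
    # Windows XP staging folder named in the description; later Windows versions use another path.
    xp_folder = os.path.join(os.environ.get("USERPROFILE", ""), "Local Settings",
                             "Application Data", "Microsoft", "CD Burning")
    staging = load_staging(xp_folder) if os.path.isdir(xp_folder) else INFECTED_STAGING
    for directive, exe, staged in check_cd_staging(staging):
        print(f"{directive}= launches {exe}; executable staged: {staged}")
```

An autorun.inf with only label= and icon= lines is normal on commercial discs; the signal is an open= or shellexecute= directive whose target sits next to it in the staging folder, which is exactly the pair the worm plants.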

Payload

The worm has a set of payloads. First, it disables System Restore and its configuration option. Then it configures Windows Explorer not to show hidden files. The 'MSLARISSA.pif' file (the file of the rival Assiral worm) is deleted, if present, when the worm starts. When active in memory, the worm kills processes with certain names; the list of process names is not preserved in this copy of the description.

As a result, certain security and anti-virus software, as well as Windows Task Manager and Registry Editor, stop working. Additionally the worm modifies the HOSTS file to redirect a set of websites to the address 64.233.167.104 (at the time an address in Google's web server range, so the redirected sites appear to resolve but never reach their real servers); the list of hostnames is not preserved in this copy of the description.
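
Because the worm points the hostnames at a public address rather than at 127.0.0.1, a HOSTS-file check that only looks for loopback mappings would miss it. The following Python script is an added example, not part of the description: it parses a HOSTS file, classifies every non-default mapping as blocked (loopback or 0.0.0.0) or redirected (any other address), and lists the names mapped to 64.233.167.104. The sample HOSTS content and the watchlist of domain suffixes are constructed placeholders (the description's hostname list is not preserved), and the function names are assumptions.

```python
"""Classify HOSTS-file mappings, including redirections to a public address.

Added example. The sample HOSTS content and the watchlist suffixes are
constructed placeholders; the description's list of redirected hostnames is not
preserved, only the target address 64.233.167.104 is.
"""
import ipaddress
import os

SUMOM_REDIRECT_IP = "64.233.167.104"  # address named in the description

# Names that legitimately map to loopback and are ignored by the check.
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

# Constructed stand-in for the vendor domains a real deployment would list.
WATCHLIST = ("example.com", "example.net")

# Constructed HOSTS file: stock header, the default localhost line, three names
# redirected the way the description says the worm does it, and one hand-added
# blocking entry to show the difference between blocking and redirecting.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
64.233.167.104  updates.example.com www.example.com
64.233.167.104  www.example.net
127.0.0.1       ads.example.org   # hand-added ad blocking entry
"""


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])]; '#' starts a comment, malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((lineno, str(ip), [h.lower() for h in fields[1:]]))
    return entries


def classify_hosts_entries(text, watchlist=()):
    """Return [(lineno, hostname, ip, verdict)] for every non-default mapping.

    verdict is 'blocked' when the target is loopback or 0.0.0.0 (the name
    becomes unreachable) and 'redirected' for any other address (traffic goes
    somewhere else, possibly an attacker's host). Names under a watchlist
    suffix get '+watchlist' appended.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        sink = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in DEFAULT_NAMES and sink:
                continue
            verdict = "blocked" if sink else "redirected"
            if any(name == s or name.endswith("." + s) for s in watchlist):
                verdict += "+watchlist"
            findings.append((lineno, name, ip, verdict))
    return findings


def find_sumom_redirects(text):
    """Hostnames the file sends to the address the worm uses, in file order."""
    return [name for _, ip, names in parse_hosts(text) if ip == SUMOM_REDIRECT_IP for name in names]


def hosts_path():
    """Location of the HOSTS file on Windows (the worm's target); the Unix file otherwise."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, name, ip, verdict in classify_hosts_entries(text, WATCHLIST):
        print(f"line {lineno}: {name} -> {ip} ({verdict})")
    print("mapped to the worm's address:", find_sumom_redirects(text))
```

Run it from Safe Mode or against an offline copy of the file, since the worm kills security tools while it is active; entries tagged redirected+watchlist are the ones that silently cut a machine off from its update servers.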
 

The worm also closes application windows whose captions contain certain strings; the list of strings is not preserved in this copy of the description.