W32/Sumom-A

Aliases	IM-Worm.Win32.Sumom.a WORM_FATSO.A
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	7 March 2005 14:34:45 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Sumom-A is an instant messenger and P2P worm. W32/Sumom-A is an instant messenger and P2P worm.

W32/Sumom-A copies itself to the files FORMATSYS.EXE and SERBW.EXE in the Windows system folder, MSMBW.EXE in the Windows folder, and to the filename LSPT.EXE in the root folder.

W32/Sumom-A sets entries at the following locations in the registry so as to run these copies of itself on system startup with the name "ltwob", "serpe" or "avnort":

HKCU\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

W32/Sumom-A copies itself to the following filenames in the root folder which it attempts to send via the Microsoft Windows Messenger to members of the infected user's contact list:

Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr

W32/Sumom-A copies itself to the file AUTORUN.EXE in the following folder:

Documents and Settings\\Local Settings\Application Data\
Microsoft\CDBurning\

W32/Sumom-A creates the file AUTORUN.INF in the same folder in order to run the AUTORUN.EXE copy of itself on startup.

W32/Sumom-A also copies itself to the following folders:

My Shared Folder
Program Files\eMule\Incoming
Documents and Settings\<uasername>\Shared

copying itself to the following filenames so as to spread over P2P networks:

Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe

W32/Sumom-A also sets the following registry entries to hinder its removal:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\
DisableSR =
"0"

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\
DisableConfig =
"0"

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\
Hidden =
"2"

W32/Sumom-A terinates a large number processes related to anti-virus and security progams, including REGEDIT.EXE, TASKMGR.EXE and MSCONFIG.EXE.

W32/Sumom-A attempt to download and, on certain days of the month, open a file from http://frog.0catch.com to the file "British National Party.jpg". This file is currently unavailable for download.

W32/Sumom-A drops and runs a file called Crazy-Frog.Html to the root folder which tries to show a JPG picture file from http://frog.0catch.com and also to contact a PHP script at http://udjc.com.

W32/Sumom-A attempts to overwrite the HOSTS file with the following lines, preventing access to the websites:

64.233.167.104 www.symantec.com
64.233.167.104 www.sophos.com
64.233.167.104 www.mcafee.com
64.233.167.104 www.viruslist.com
64.233.167.104 www.f-secure.com
64.233.167.104 www.avp.com
64.233.167.104 www.kaspersky.com
64.233.167.104 www.networkassociates.com
64.233.167.104 www.ca.com
64.233.167.104 www.my-etrust.com
64.233.167.104 www.nai.com
64.233.167.104 www.trendmicro.com
64.233.167.104 www.grisoft.com
64.233.167.104 securityresponse.symantec.com
64.233.167.104 symantec.com
64.233.167.104 sophos.com
64.233.167.104 mcafee.com
64.233.167.104 liveupdate.symantecliveupdate.com
64.233.167.104 viruslist.com
64.233.167.104 f-secure.com
64.233.167.104 kaspersky.com
64.233.167.104 kaspersky-labs.com
64.233.167.104 avp.com
64.233.167.104 networkassociates.com
64.233.167.104 ca.com
64.233.167.104 mast.mcafee.com
64.233.167.104 my-etrust.com
64.233.167.104 download.mcafee.com
64.233.167.104 dispatch.mcafee.com
64.233.167.104 secure.nai.com
64.233.167.104 nai.com
64.233.167.104 update.symantec.com
64.233.167.104 updates.symantec.com
64.233.167.104 us.mcafee.com
64.233.167.104 liveupdate.symantec.com
64.233.167.104 customer.symantec.com
64.233.167.104 rads.mcafee.com
64.233.167.104 trendmicro.com
64.233.167.104 grisoft.com
64.233.167.104 sandbox.norman.no
64.233.167.104 www.pandasoftware.com
64.233.167.104 uk.trendmicro-europe.com

W32/Sumom-A attempts to terminate certain processes and delete certain files relating to the W32/Assiral family of mass-mailing worms. W32/Sumom-A drops and, on certain days of the month, opens a message to the author of the W32/Assiral worm in a file called "Message to n00b LARISSA.txt" containing the following text:

Hey LARISSA fuck off, you fucking n00b!.. Bla bla to your fucking
Saving the world from Bropia, the world n33ds saving from you!

'-S-K-Y-'-D-E-V-I-L-'

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Sumom-A

Summary

Action

More Information