Sophos

W32/Sumom-C

Aliases
  • M-Worm.Win32.Sumom.c

How it spreads
  • Chat programs
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 17 March 2005 13:54:04 (GMT)
Last updated 20 March 2005 11:50:23 (GMT)
Detected by All Sophos products

More Information

W32/Sumom-C is an instant messenger and P2P worm.

W32/Sumom-C terminates a large number of processes related to anti-virus and security programs, including REGEDIT.EXE, TASKMGR.EXE and MSCONFIG.EXE.

W32/Sumom-C drops and runs a file called l0ser.Html. This file can be deleted.

W32/Sumom-C copies itself to the files CSNSS.EXE and MCSV.COM in the Windows system folder, SVHOST.EXE in the Windows folder.

W32/Sumom-C sets entries at the following locations in the registry so as to run these copies of itself on system startup with the name "SDAv" or "NDAv":

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sumom-C will also set the following registry entry to ensure it is started on user login:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\WINDOWS\System32\userinit.exe,<Path to copy of self in Windows system folder>

This, in turn, may also add an entry in either win.ini or system.ini under the Winlogon section.

W32/Sumom-C copies itself to the following filenames in the root folder which it attempts to send via the Microsoft Windows Messenger to members of the infected user's contact list:

Best_Friend.scr
Bungee-Fuck.pif
Death of crazy frog!.pif
Hot babe!.pif
I_love_you.123greetings.com.com
Me at the Beach!.pif
My piccy.pif
Paris Hilton Sex Tape.pif
Really Cute.pif
Saddam Song!.pif
Shoot Bill Gates!.exe
lol Busted Are Gay!.pif

W32/Sumom-C also copies itself to the following folders:

My Shared Folder
Program Files\eMule\Incoming
Documents and Settings\<username>\Shared

using the following filenames, so as to spread over P2P networks:

MSN Avatar Display Pack 1.0.exe
MSN Messenger 7 patch!.exe

W32/Sumom-C also sets the following registry entries to hinder its removal:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoWindowsUpdate
1

HKCU\Software\Microsoft\MSNMessenger
AvEnbl
0

W32/Sumom-C attempts to overwrite the HOSTS file with the following lines, which point the websites of security vendors (Symantec, Sophos, McAfee, Kaspersky, F-Secure, Trend Micro, Grisoft, CA, Norman and Panda, including their update servers) at 212.58.240.33, preventing access to those sites:

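As an added illustration (not part of the Sophos analysis), the two checks below show how a defender can spot the tampering described above: HOSTS entries that hijack security-vendor domains, and a Winlogon Userinit value carrying a second program after userinit.exe. The sample HOSTS text is constructed, the vendor domain list is a subset of those named in this analysis, and the expected userinit.exe path assumes Windows is installed on C:.

```python
# Constructed sample HOSTS content modelled on the redirect entries the
# analysis describes; not captured from a real infection.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
212.58.240.33 www.sophos.com
212.58.240.33 liveupdate.symantec.com
212.58.240.33 download.mcafee.com
"""

# Security-vendor domains this worm family redirects (subset of the analysis).
VENDOR_DOMAINS = {"sophos.com", "symantec.com", "mcafee.com", "kaspersky.com",
                  "f-secure.com", "trendmicro.com", "grisoft.com", "ca.com", "nai.com"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs for any HOSTS line that maps a vendor
    domain or one of its subdomains. A legitimate HOSTS file has no reason
    to carry such entries at all, so any match is worth investigating."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            labels = name.lower().split(".")
            # Check every suffix: www.sophos.com -> sophos.com -> com
            if any(".".join(labels[i:]) in VENDOR_DOMAINS for i in range(len(labels))):
                hits.append((ip, name))
    return hits


# Assumed stock value for a default install; adjust if Windows lives elsewhere.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def extra_userinit_entries(userinit_value):
    """The Winlogon Userinit value is a comma-separated list of programs run
    at every logon. Anything beyond the stock userinit.exe is persistence."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]
```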

W32/Sumom-C attempts to terminate certain processes and delete certain files relating to the W32/Assiral family of mass-mailing worms. W32/Sumom-C drops and, on certain days of the month, will open a message to the author of the W32/Assiral worm in a file called "LARISSA you muppet.txt" containing the following text:

'Hello LARISSA, are you out there? You fucking n00b!!!!!!!!
LARISSA you're my bitch! I own your ass you fucking loser!

'-S-K-Y-'-D-E-V-I-L-'

Greets,

N+E+T+D+E+V+I+L'
