
Win32.Worm.Sumom.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Sumom.A is also known as W32/Crog.worm, Worm_Fatso.A, IM-Worm.Win32.Sumom.a, and W32.Serflog.A.

Explanation:

Win32.Worm.Sumom.A is written in Microsoft Visual Basic and compressed with the MEW packer. The worm propagates via MSN Messenger, sending itself to other users of the instant messaging network. When a user downloads and runs the file, the worm drops copies of itself into the root folder (C:\) under the following names:
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr

Copies of the worm are also dropped in the Windows "system" directory as:
formatsys.exe
serbw.exe
msmbw.exe

Changes are made to these Registry keys to ensure the worm is activated at startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To prevent infected users from reverting to an earlier configuration (and thus getting rid of the worm), Sumom.A disables the System Restore feature by modifying the Registry key
HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows NT\SystemRestore
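The five autostart keys above are the obvious place to look for this worm on a suspect machine. The following is an added example, not BitDefender's code, that scans a `.reg` export (the format produced by `reg export` or Regedit) for values under those keys that launch one of the three file names dropped into the system directory; the value names in the constructed sample are invented, since the writeup does not give them.

```python
import re
# Autostart keys named in the writeup (backslashes restored); matched case-insensitively.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# File names the writeup says the worm drops into the Windows system directory.
DROPPED_NAMES = {"formatsys.exe", "serbw.exe", "msmbw.exe"}

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; only string (REG_SZ) values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            data = data[:-1] if data.endswith('"') else data
            # .reg files write backslashes and quotes inside string data as \\ and \"
            keys[current][name] = re.sub(r'\\(["\\])', r'\1', data)
    return keys

def launched_exe(command):
    path = command.strip().strip('"').split('"')[0]  # quoted or bare path, arguments after it
    parts = path.split("\\")[-1].split()            # drop directories, then arguments
    return parts[0].lower() if parts else ""        # lowercased base name of the executable

def find_autostart_hits(text):
    """Return (key, value_name, data) for autostart values that launch a dropped file."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in AUTOSTART_KEYS:
            for name, data in values.items():
                if launched_exe(data) in DROPPED_NAMES:
                    hits.append((key, name, data))
    return hits

# Constructed sample export; the value names are invented, the file names follow the writeup.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"
"serbw"="C:\\WINDOWS\\system32\\serbw.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"msmbw"="\"C:\\WINDOWS\\system32\\msmbw.exe\" /silent"
"""
```

Matching on the executable's base name rather than the full path keeps the check independent of the Windows directory location, and the unescaping step matters because a `.reg` export doubles every backslash in the path.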

In an attempt to propagate to any CDs the user burns, two files are dropped in the user's Application Data\Microsoft\CD Burning directory:
autorun.exe: a copy of the worm
autorun.inf: this file contains the line "OPEN=autorun.exe", instructing the operating system to run the worm from CD

Sumom.A also tries to propagate via peer-to-peer networks, by dropping a copy to these folders:
My Shared Folder
Program Files\eMule\Incoming
(User Profile)\Shared

The following names are used:
Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe

The worm scans the list of running processes for a number of antivirus and debugging tools and attempts to terminate them:
avengine.exe
apvxdwin.exe
atupdater.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avsynmgr.exe
avwupd32.exe
avxquar.exe
bawindo.exe
blackd.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
cfiaudit.exe
defwatch.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
nisum.exe
firewall.exe
frameworkservice.exe
icssuppnt.exe
icsupp95.exe
luall.exe
lucoms~1.exe
mcagent.exe
mcshield.exe
mcupdate.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
nprotect.exe
nupgrade.exe
outpost.exe
pavfires.exe
pavproxy.exe
pavsrv50.exe
rtvscan.exe
rulaunch.exe
savscan.exe
shstat.exe
sndsrvc.exe
symlcsvc.exe
Update.exe
updaterui.exe
vshwin32.exe
vsstat.exe
vstskmgr.exe
cmd.exe
msconfig.exe
msdev.exe
ollydbg.exe
peid.exe
petools.exe
regedit.exe
reshacker.exe
taskmgr.exe
w32dasm.exe
winhex.exe
wscript.exe

Any window containing one of the following strings is also closed:
ADWARE
ALERTS
ANTI
AUTOSTARTED
BENIGN
BLOCKER
BULLGUARD
BUSTER
CENTER
-CILLIN
CLEANER
Command
DESTROY
DETECTION
DOCTOR
EARTHLINK
EDITOR
ELIMINATE
FIGHT
Filter
FIREWALL
FIXING
HEAL
HELP
HUNTER
KERIO
Kill
LABS
LIVEUPDATE
MALWARE
MALWHERE
MCAFEE
NETCOP
NOD32
NORTON
PANDA
PROMPT
PROTECTOR
REGISTRY
REMOVAL
RESTORE
SANDBOX
SCAN
SECURE
SECURITY
SOPHOS
SPYBOT
SPYWARE
STOPPER
SWEEPER
TASK
TOOL
TREND
Update
VCATCH
VIRUS
WATCH
WORM

The worm modifies the HOSTS file, mapping each of the following hostnames to 64.233.167.104 (which is in fact www.google.com), so that requests to these security-vendor sites never reach them:
symantec.com
sophos.com
mcafee.com
viruslist.com
f-secure.com
avp.com
kaspersky.com
networkassociates.com
ca.com
my-etrust.com
nai.com
trendmicro.com
grisoft.com
securityresponse.symantec.com
symantec.com
sophos.com
mcafee.com
update.symantec.com
liveupdate.symantecliveupdate.com
viruslist.com
f-secure.com
kaspersky.com
kaspersky-labs.com
avp.com
nai.com
networkassociates.com
ca.com
mast.mcafee.com
my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
grisoft.com
sandbox.norman.no
www.pandasoftware.com
uk.trendmicro-europe.com
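Because a clean HOSTS file has no reason to mention any of these vendors, the hijack is easy to spot once the file is parsed properly. The following is an added example, not code from BitDefender's writeup, that tokenizes a HOSTS file, skips comments and malformed lines, and reports every entry naming a listed vendor host or one of its subdomains; the vendor set is a subset copied from the list above and the sample file is constructed.

```python
import ipaddress

# Hostnames the writeup says the worm points at 64.233.167.104 (a subset copied from the page).
VENDOR_HOSTS = {
    "symantec.com", "sophos.com", "mcafee.com", "viruslist.com", "f-secure.com",
    "avp.com", "kaspersky.com", "kaspersky-labs.com", "networkassociates.com",
    "ca.com", "my-etrust.com", "nai.com", "trendmicro.com", "grisoft.com",
    "liveupdate.symantecliveupdate.com", "sandbox.norman.no",
    "www.pandasoftware.com", "uk.trendmicro-europe.com",
}

def is_vendor_host(host):
    """True if host equals, or is a subdomain of, a listed vendor host."""
    host = host.lower().rstrip(".")
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS)

def find_hosts_hijacks(hosts_text):
    """Return (line_no, ip, hostname) for every HOSTS entry that names a vendor host.

    A clean HOSTS file has no reason to carry these names, so every mapping is reported,
    loopback included; lines whose first field is not an IP address are skipped.
    """
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip the comment, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            if is_vendor_host(host):
                findings.append((n, str(ip), host.lower()))
    return findings

# Constructed sample HOSTS file mimicking the worm's modification.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
64.233.167.104  symantec.com securityresponse.symantec.com
64.233.167.104  liveupdate.symantecliveupdate.com
64.233.167.104  download.mcafee.com
10.0.0.5        intranet.example   # unrelated entry, not reported
"""
```

The suffix match is anchored on a dot, so a name such as notmcafee.com is not mistaken for a mcafee.com subdomain, while download.mcafee.com is caught even though it is not spelled out in the vendor set.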

The worm also looks for and tries to terminate processes belonging to another piece of malware, Win32.Ariss.B@mm:
MSLARISSA.pif
CmdPrompt32.pif
SP00Lsv32.pif
LOVE_LETTER_FOR_YOU.pif

It deletes these files, along with other files related to the same malware:
WinVBS.vbs
MESSAGE_TO_BROPIA.txt

On the 1st, 7th, 10th, 19th, 25th, 26th, and 30th day of each month, the worm drops a file titled "Message to n00b LARISSA.txt" containing these lines:
Hey LARISSA fuck off, you fucking n00b!.. Bla bla to your fucking
Saving the world from Bropia, the world n33ds saving from you!
'-S-K-Y-'-D-E-V-I-L-'

A harmless HTML file is also dropped to the hard drive.

Internally the worm uses a mutex named "-F-u-c-k-‘Y-o-u’" to prevent more than one copy of itself from running at the same time.

Last update 21 November 2011
