Alias: W32.Serflog.A, Sumom.A, IM-Worm.Win32.Sumom.a, W32/Crog.worm, W32/Sumom-A, WORM_FATSO.A
Type: Worm
Size: 17,429 Bytes
Origin:
Date: 03-10-2005
Damage:
VDF Version: 6.30.00.22
Danger: Low
Distribution: Medium

General Description

Affected platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows 2000
* Windows 2003 Server
* Windows XP

Distribution

This worm spreads itself through file-sharing networks or MSN Messenger.

It sends a copy of itself to all the contacts in MSN Messenger using one of the following filenames:

Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr

It copies itself to the following folders for peer-to-peer network-sharing:

%\My Shared Folder\Messenger Plus! 3.50.exe
%\My Shared Folder\MSN all version polygamy.exe
%\My Shared Folder\MSN nudge bomb.exe
%UserProfile%\Shared\Messenger Plus! 3.50.exe
%UserProfile%\Shared\MSN all version polygamy.exe
%UserProfile%\Shared\MSN nudge bomb.exe
%ProgramFiles%\Program Files\eMule\Incoming\Messenger Plus! 3.50.exe
%ProgramFiles%\Program Files\eMule\Incoming\MSN all version polygamy.exe
%ProgramFiles%\Program Files\eMule\Incoming\MSN nudge bomb.exe

Technical Details

The worm tries to add the following registry entries so that it is executed every time the system starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"value"="filename" (see below)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"value"="filename" (see below)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"value"="filename" (see below)

[HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run]
"value"="filename" (see below)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"value"="filename" (see below)

The "value" is one of the following names:
serpe
ltwob
avnort

and "filename" is one of the following files (copies of the worm):

%SystemDIR%\formatsys.exe
%SystemDIR%\serbw.exe
%WinDIR%\msmbw.exe

To prevent the user from using the System Restore feature, it adds the following registry values:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = "0"
"DisableSR" = "0"

The worm also tries to terminate running processes that were started from the following executable files (mostly security tools, updaters and analysis utilities):

apvxdwin.exe
atupdater.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avengine.exe
avsynmgr.exe
avwupd32.exe
avxquar.exe
bawindo.exe
blackd.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
cfiaudit.exe
cmd.exe
defwatch.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
firewall.exe
frameworkservice.exe
icssuppnt.exe
icsupp95.exe
luall.exe
lucoms~1.exe
mcagent.exe
mcshield.exe
mcupdate.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
msconfig.exe
msdev.exe
navapsvc.exe
navapw32.exe
nisum.exe
nopdb.exe
nprotect.exe
nupgrade.exe
ollydbg.exe
outpost.exe
pavfires.exe
pavproxy.exe
pavsrv50.exe
peid.exe
petools.exe
regedit.exe
reshacker.exe
rtvscan.exe
rulaunch.exe
savscan.exe
shstat.exe
sndsrvc.exe
symlcsvc.exe
taskmgr.exe
Update.exe
updaterui.exe
vpupd.exe
vshwin32.exe
vsstat.exe
vstskmgr.exe
w32dasm.exe
winhex.exe
wscript.exe

It also modifies the <%sysdir%>\drivers\etc\hosts file so that connections from the infected machine to the following servers are redirected and the sites can no longer be reached:

www.symantec.com
www.sophos.com
www.mcafee.com
www.viruslist.com
www.f-secure.com
www.avp.com
www.kaspersky.com
www.networkassociates.com
www.ca.com
www.my-etrust.com
www.nai.com
www.trendmicro.com
www.grisoft.com
securityresponse.symantec.com
symantec.com
sophos.com
mcafee.com
update.symantec.com
liveupdate.symantecliveupdate.com
viruslist.com
f-secure.com
kaspersky.com
kaspersky-labs.com
avp.com
nai.com
networkassociates.com
ca.com
mast.mcafee.com
my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
grisoft.com
sandbox.norman.no
www.pandasoftware.com
uk.trendmicro-europe.com
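As an added defender-side example that is not part of the Avira description, the following Python checks a hosts file and a .reg export of the Run keys for the indicators listed above (the value names serpe/ltwob/avnort, the three dropped filenames, and vendor hostnames overridden in the hosts file). The vendor hostname set is only a subset of the list on this page, and both sample inputs are constructed, not captured from an infected machine.

```python
import re

# Persistence indicators from the description: Run-key value names and the
# filenames (copies of the worm) they point to.
SUMOM_VALUE_NAMES = {"serpe", "ltwob", "avnort"}
SUMOM_FILENAMES = {"formatsys.exe", "serbw.exe", "msmbw.exe"}
# A subset of the vendor hostnames the worm overrides in the hosts file.
REDIRECTED_HOSTS = {"www.symantec.com", "www.sophos.com", "liveupdate.symantec.com",
                    "update.symantec.com", "www.kaspersky.com", "download.mcafee.com"}

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs in a hosts file that override a vendor hostname."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in REDIRECTED_HOSTS:
                hits.append((ip, name.lower()))
    return hits

def suspicious_run_values(reg_export):
    """Scan a .reg-style export of the Run keys for the worm's value names or filenames."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key:
            name, data = m.groups()
            basename = data.split("\\")[-1].lower()  # .reg escapes each backslash as \\
            if name.lower() in SUMOM_VALUE_NAMES or basename in SUMOM_FILENAMES:
                hits.append((key, name, data))
    return hits

# Constructed samples for demonstration, not data from a real infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com update.symantec.com
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"serpe"="C:\\WINDOWS\\system32\\formatsys.exe"
"""
```

On a live Windows machine the same two functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the output of a `reg export` of each Run key listed above.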
Description inserted by Crony Walker on Tuesday, June 15, 2004
