wipe-deletion-erasure-purge


IM-Worm.Win32.Sumom.a

IM-Worm.Win32.Sumom.a

CyberScrub AntiVirus
Research Bank

This worm spreads via MSN in the form of a link to an infected file. The worm file is packed using several packing programs, and is approximately 17KB when packed. The unpacked file is approximately 155KB in size.

Installation

The worm copies itself to the Windows directory under one of the following names:

formatsys.exe
lspt.exe
msmbw.exe
serbw.exe

The copied file will be assigned a "hidden" attribute, making it invisible to the majority of users.

The worm then registers itself in the system registry under one of the following names:

avnort
serpe
ltwob

in the following locations:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

It changes the %WINDIR%\System32\Drivers\etc\hosts file to block access to the sites of antivirus companies from the infected computer:

64.233.167.104 avp.com
64.233.167.104 ca.com
64.233.167.104 customer.symantec.com
64.233.167.104 dispatch.mcafee.com
64.233.167.104 download.mcafee.com
64.233.167.104 f-secure.com
64.233.167.104 grisoft.com
64.233.167.104 kaspersky.com
64.233.167.104 kaspersky-labs.com
64.233.167.104 liveupdate.symantec.com
64.233.167.104 liveupdate.symantecliveupdate.com
64.233.167.104 mast.mcafee.com
64.233.167.104 mcafee.com
64.233.167.104 my-etrust.com
64.233.167.104 nai.com
64.233.167.104 networkassociates.com
64.233.167.104 rads.mcafee.com
64.233.167.104 sandbox.norman.no
64.233.167.104 secure.nai.com
64.233.167.104 securityresponse.symantec.com
64.233.167.104 sophos.com
64.233.167.104 symantec.com
64.233.167.104 trendmicro.com
64.233.167.104 uk.trendmicro-europe.com
64.233.167.104 update.symantec.com
64.233.167.104 updates.symantec.com
64.233.167.104 us.mcafee.com
64.233.167.104 viruslist.com
64.233.167.104 www.avp.com
64.233.167.104 www.ca.com
64.233.167.104 www.f-secure.com
64.233.167.104 www.grisoft.com
64.233.167.104 www.kaspersky.com
64.233.167.104 www.mcafee.com
64.233.167.104 www.my-etrust.com
64.233.167.104 www.nai.com
64.233.167.104 www.networkassociates.com
64.233.167.104 www.pandasoftware.com
64.233.167.104 www.sophos.com
64.233.167.104 www.trendmicro.com
64.233.167.104 www.viruslist.com
64.233.167.104 www.symantec.com

When spreading, it uses one of the following names to encourage users to click on the link and launch the worm:

  • Annoying crazy frog getting killed.pif
  • Crazy frog gets killed by train!.pif
  • Fat Elvis! lol.pif
  • How a Blonde Eats a Banana...pif
  • Jennifer Lopez.scr
  • LOL that ur pic!.pif
  • Me on holiday!.pif
  • Mona Lisa Wants Her Smile Back.pif
  • My new photo!.pif
  • See my lesbian friends.pif
  • The Cat And The Fan piccy.pif
  • Topless in Mini Skirt! lol.pif
  • lspt.exe
Presence in the system

The worm creates files with the following names in the system disk root directory.

  • Annoying crazy frog getting killed.pif
    • Crazy frog gets killed by train!.pif
  • Fat Elvis! lol.pif
  • How a Blonde Eats a Banana...pif
  • Jennifer Lopez.scr
  • LOL that ur pic!.pif
  • Me on holiday!.pif
  • Mona Lisa Wants Her Smile Back.pif
  • My new photo!.pif
  • See my lesbian friends.pif
  • The Cat And The Fan piccy.pif
  • Topless in Mini Skirt! lol.pif
  • lspt.exe

All the files will be ascribed the "hidden" attribute.

The worm kills the following processes:

avengine.exe
apvxdwin.exe
atupdater.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avsynmgr.exe
avwupd32.exe
avxquar.exe
bawindo.exe
blackd.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
cfiaudit.exe
defwatch.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
nisum.exe
firewall.exe
frameworkservice.exe
icssuppnt.exe
icsupp95.exe
luall.exe
lucoms~1.exe
mcagent.exe
mcshield.exe
mcupdate.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
nprotect.exe
nupgrade.exe
outpost.exe
pavfires.exe
pavproxy.exe
pavsrv50.exe
rtvscan.exe
rulaunch.exe
savscan.exe
shstat.exe
sndsrvc.exe
symlcsvc.exe
Update.exe
updaterui.exe
vshwin32.exe
vsstat.exe
vstskmgr.exe
cmd.exe
msconfig.exe
msdev.exe
ollydbg.exe
peid.exe
petools.exe
regedit.exe
reshacker.exe
taskmgr.exe
w32dasm.exe
winhex.exe
wscript.exe

The worm contains the following text:

'-F-u-c-k-'-Y-o-u-'

Hey LARISSA fuck off, you fucking n00b!.. Bla bla to your fucking

Saving the world from Bropia, the world n33ds saving from you!

'-S-K-Y-'-D-E-V-I-L-'

.:*Fuck-Off*:.

Check out if we have free removal tool for this virus


CyberScrub AntiVirus provides state of the art security protection for five years- at one low price. Our award winning technology ensures protection against viruses, worms and trojans backed by top customer support and value.
 
Five Year Cost Comparison
Product Initial Cost Yearly Subscription X Four Years Total
Norton 2004 AntiVirus $49.95* $29.95 $119.80 $169.75
McAfee VirusScan $49.95* $19.95 $79.80 $129.75
CyberScrub AntiVirus $49.95 Included No Additional Cost $49.95
*All prices MSRP as published on respective sites.



It is only a matter of time before a virus, worm or Trojan horse wrecks havoc on your important data. Important files, records, family pictures- all at risk. Some dangerous programs can even ruin your hard drive beyond repair.

CyberScrub AntiVirus offers the most effective protection from all known and unknown viruses.

CyberScrub AntiVirus is powered by a unique integrated technology for virus detection, based on principles of multi-generation heuristic analysis. This allows the program to protect you from suspect “viral behavior”. This highly effective methodology repelled all attacks of each “I LOVEYOU’ viral variation without any additional antivirus database updates. No other technology, including Norton, Trend, or McAfee was able to accomplish this.

CyberScrub AntiVirus is powerful, yet its exceptional ease of use and installation make it acceptable for beginner to pro


CyberScrub Antivirus constantly scans your hard drive and files to identify, clean and destroy infected objects. With updates available every three hours, 24 hours a day, 365 days a year, you can count on CyberScrub to protect your valued data.

CyberScrub AntiVirus
Lifetime Edition

"For the Life of Your Computer"
Save $10 Now!
Limited Time

 

IM-Worm.Win32.Sumom.a

Symantec Warns Of Flaw In Antivirus Program. More>>

CNN Legend Lynne Russell reports on CyberScrub AntiVirus for Tech Headline News.


















 
 

delete,deletion, file deletion, Internet clean up,privacy, HIPAA, Internet privacy, cookies, erase, erasure, shredder, wipe, overwrite, purge, deletion, security, file wipe, data destruction