Help! New Variant Of WinSerflog or W32/Sumom-C

aazar

http://www.sophos.com/virusinfo/analyses/w32sumomc.html

This is a nasty worm distributed via MSN Messenger. It does not allow
any of the anti-virus programmes to run, and it shuts down regedit and
many other program windows.

The Norton Antivirus Serflog removal tool for the A and C versions does not
work, as I think they refer to an earlier version of this nasty virus.
There is information on the new version in the above link, but their
recovery suggestions rely on using regedit, which the worm totally
prohibits (it also does not allow access to their site or Norton
Antivirus; I tried searching the hosts file to no avail). Does anyone
have any ideas, please, on how to get rid of this nasty programme? There is
nothing on Microsoft or Norton Antivirus about this latest threat.

I even tried downloading some shareware registry editors but the worm
shuts down those programs as well.
 
aazar

This is the message it puts up but only on certain days of the month
(19th, 26th etc):
'Hello LARISSA, are you out there? You ****ing n00b!!!!!!!!
LARISSA you're my bitch! I own your ass you ****ing loser!
'-S-K-Y-'-D-E-V-I-L-'
Greets,
N+E+T+D+E+V+I+L'

If anyone has any ideas as to how to remove this thing, I would be
grateful. As mentioned earlier, the Norton Serflog removal tool runs
(which is an achievement in itself) but says the computer is not affected
by Serflog, as this is a new variant, I think. The machine has Windows XP
SP2, with Norton Anti-Virus and Windows AntiSpyware beta, all recently
updated.
 
d11

Download sysclean.com from Trend Micro here:
http://www.trendmicro.com/download/dcs.asp along with the latest
pattern file, here: http://www.trendmicro.com/download/pattern.asp
Place them in a dedicated folder after appropriate unzipping, and then
run it in Safe Mode to clean (Safe Mode: press F8 on startup).
Turn off System Restore before cleaning.
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

You could also try McAfee Stinger.
Download McAfee Stinger and run it in Safe Mode (F8 on startup):
http://download.nai.com/products/mcafee-avert/stinger.exe
Turn off System Restore before cleaning.
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Thanks to Jim Byrd for the tips and URLs.
 
aazar

I am trying the trendmicro product now but from what I hear it won't be
without its own side effects. This new variant of the worm does not
allow you to turn off system restore. It completely removes the tab
from my computer properties. I wish I could find this guy and shoot the
bastard on the spot.

Much obliged for your suggestion anyway.


d11

If you cannot turn off System Restore before cleaning, try this: after
running Sysclean and cleaning your system, restart and go right back
into Safe Mode, then try to turn off System Restore. If you are able to,
rescan again with Sysclean in Safe Mode after restarting your computer.
 
AvianFlux

What about HijackThis!

Did you try turning off all unnecessary services in safe mode, and
launch the anti-malware apps from there?
 
aazar

Yes and it doesn't work. This guy has really shown up how useless all
these tools are.
 
aazar

Well, Stinger did not work. I give up. I don't understand why Sysclean
did not work; perhaps I did not set up the logon script correctly. Does
anyone have any advice on how to make sure the logon script runs
properly?
 
d11

That as? hole who wrote that worm put entries in the host file to
block Internet connection to anti virus web sites.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FATSO.C

Removing Malware Entries from the HOSTS File

Deleting malware entries from the HOSTS file removes all malware-made
changes on host name association.

1. Open the following file using a text editor (such as NOTEPAD):
%System%\drivers\etc\HOSTS
(Note: %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on
Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
2. Delete the following entries:
* avp.com
* ca.com
* customer.symantec.com
* dispatch.mcafee.com
* download.mcafee.com
* f-secure.com
* grisoft.com
* kaspersky-labs.com
* kaspersky.com
* liveupdate.symantec.com
* liveupdate.symantecliveupdate.com
* mast.mcafee.com
* mcafee.com
* my-etrust.com
* nai.com
* networkassociates.com
* rads.mcafee.com
* sandbox.norman.no
* secure.nai.com
* securityresponse.symantec.com
* sophos.com
* symantec.com
* trendmicro.com
* update.symantec.com
* updates.symantec.com
* us.mcafee.com
* viruslist.com
* www.avp.com
* www.ca.com
* www.f-secure.com
* www.grisoft.com
* www.kaspersky.com
* www.mcafee.com
* www.my-etrust.com
* www.nai.com
* www.networkassociates.com
* www.pandasoftware.com
* www.sophos.com
* www.symantec.com
* www.trendmicro.com
* www.viruslist.com
* uk.trendmicro-europe.com
3. Save the file and close the text editor.
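To turn the manual steps above into something repeatable, here is an added example (not from the thread and not Trend Micro's own tooling) that parses a HOSTS file, reports every mapping of one of the listed security-vendor domains (or a subdomain of one) and writes back a cleaned copy while keeping comments, blank lines and unrelated entries intact. The domain list is the one given in the steps above; the sample HOSTS text is constructed for the demonstration.

```python
"""Find and strip worm-added entries from a Windows HOSTS file.

Added example for the Trend Micro clean-up steps quoted above; it is not
part of the thread or of Trend Micro's own tooling. The domain list is the
one given in those steps; the sample HOSTS text below is constructed.
"""

# Security-vendor domains from the Trend Micro write-up quoted in the thread.
# The www.* forms of these names are covered by the subdomain match below.
BLOCKED_DOMAINS = frozenset({
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "grisoft.com", "kaspersky-labs.com",
    "kaspersky.com", "liveupdate.symantec.com",
    "liveupdate.symantecliveupdate.com", "mast.mcafee.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "rads.mcafee.com",
    "sandbox.norman.no", "secure.nai.com", "securityresponse.symantec.com",
    "sophos.com", "symantec.com", "trendmicro.com", "update.symantec.com",
    "updates.symantec.com", "us.mcafee.com", "viruslist.com",
    "www.pandasoftware.com", "uk.trendmicro-europe.com",
})


def is_listed(hostname, listed=BLOCKED_DOMAINS):
    """True when hostname is a listed domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == dom or host.endswith("." + dom) for dom in listed)


def parse_hosts_line(line):
    """Split a HOSTS line into (address, hostnames, comment).

    address is None for blank or comment-only lines. comment keeps its
    leading '#', or is '' when the line has none.
    """
    body, hash_sign, rest = line.partition("#")
    comment = hash_sign + rest if hash_sign else ""
    tokens = body.split()
    if not tokens:
        return None, [], comment
    return tokens[0], tokens[1:], comment


def find_hijacked_entries(text, listed=BLOCKED_DOMAINS):
    """Return (line_no, address, hostname) for every mapping of a listed domain."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        address, names, _ = parse_hosts_line(line)
        hits.extend((number, address, n) for n in names if is_listed(n, listed))
    return hits


def clean_hosts(text, listed=BLOCKED_DOMAINS):
    """Return (cleaned_text, removed).

    Lines with nothing to remove are kept byte-for-byte. A line mapping
    several names loses only the listed ones; a line whose names are all
    listed is dropped together with its trailing comment.
    """
    kept_lines, removed = [], []
    for line in text.splitlines():
        address, names, comment = parse_hosts_line(line)
        bad = [n for n in names if is_listed(n, listed)]
        if not bad:
            kept_lines.append(line)  # nothing to do, keep as is
            continue
        removed.extend((address, n) for n in bad)
        good = [n for n in names if n not in bad]
        if good:
            rebuilt = " ".join([address] + good)
            kept_lines.append(rebuilt + (" " + comment if comment else ""))
    cleaned = "\n".join(kept_lines)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file for the demonstration
127.0.0.1       localhost
192.168.1.20    fileserver   # LAN entry that must survive the clean-up
127.0.0.1       www.symantec.com symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         www.trendmicro.com   # worm-added
127.0.0.1       sophos.com intranet.example   # one line mixing good and bad
"""

if __name__ == "__main__":
    for number, address, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {number}: {address} -> {name}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} mapping(s); cleaned file:\n{cleaned}")
```

Run it against a copy of the file from the path the steps give (C:\Windows\System32\drivers\etc\HOSTS on XP) and review the reported lines before writing the cleaned text back. One caveat that matches what aazar reports further down the thread: a file at that default path that looks clean does not prove name resolution is untouched, because Windows reads the HOSTS directory from the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so that value is worth checking as well.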
 
aazar

I hope the SOB drowns in his own vomit one day.

Thanks for your help, but that was the first thing I had tried; he has
done something to hide his tracks, as the "hosts" file accessible in
windows\system32\drivers\etc is fine! It has none of the sites listed.
I need to figure out how to make the logon script required by Trend
Micro work; I can't believe they provide the tool incomplete.
 
d11

Download the scan engine and pattern file from a different computer if
you have one. If you don't have another computer, I will send the files
to you. You have to make a folder on the hard drive and unzip the files
into it.

Download a FRESH COPY of sysclean.com from Trend Micro, here:
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you tried using the various removal tools/sysclean while in Safe Mode?

I'd be able to have a look at what it does in a safe environment and
possibly give you removal instructions if you are able to send me a copy of
the virus by email. That is if you a) have it b) can send it and c) trust a
stranger with a dangerous piece of software :) Let me know and I'll give
you a different address if you can/want to send me a copy.

Regards,


Adam Piggott.


- --
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCPc2/7uRVdtPsXDkRAvHoAJ0VKW/2seL4qP8Cg7+6TEsHWCjOTQCfcBBS
Xm0fsW9+k3n6kaFzvjiIb/M=
=zyN9
-----END PGP SIGNATURE-----
 
Ian JP Kenefick

Go to my website. I spotted information about this new worm.
--

Regards,
Ian Kenefick
Got a virus?
Go to www.ik-cs.com > 'Got a virus?'
 
Roger Wilco

aazar said:
Yes and it doesn't work. This guy has really shown up how useless all
these tools are.

It was bound to happen sooner or later, seems someone had forgotten how
important a clean boot is to recovering from malware and offered up an
OS making it more difficult than it has to be.
 
aazar

That is very kind of you, but I don't know how to. I have already
deleted the PIF file; if it has restored itself I will send it. I have
tried Safe Mode, Debug Mode... The problem is that this new variant
hides the autoexec file and does not allow access to it from other
machines on the network; it seems to ignore it as well in Safe Mode or
normal mode, hence my earlier question about logon scripts. I tried
running it as a command; Windows issues a window saying the program is
not from a known publisher and asking whether it should be run, but
before you can answer, the virus's memory-resident program closes the
window.
 
Stephen Howe

aazar said:
Yes and it doesn't work. This guy has really shown up how useless all
these tools are.

They are not useless. They just have limitations.
HijackThis will be beaten if the malware writers spot a new avenue of attack
that is not in its checklist.

You can remove it manually, but you have to be super-vigilant in Safe Mode in
making sure all entry points are deleted. Leave even one, plus an executable
copy, and it will reinstall itself.
See the bottom of
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html

SH
 
Norman L. DeForest

[alt.privacy.spyware and symantec.support.win95.nortonantivirus.general
removed as those groups are not carried here and pine wouldn't let me
post with them in the "Newsgroups:" header ]

If anyone knows that aazar is posting from and reading from one of those
two newsgroups that I snipped, could they please post a notice there for
him to look at a reply in the alt.comp.anti-virus newsgroup?

Symantec's writeup on the worm is here:

Symantec Security Response - W32.Serflog.C
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html

Have you tried the W32.Serflog Removal Tool that Symantec has available?

"Symantec Security Response - W32.Serflog Removal Tool"
[download link and instructions for use]:
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.removal.tool.html

The actual link for downloading the removal tool:
http://securityresponse.symantec.com/avcenter/FixSflog.exe

Other important links on their instruction page:

"Configuring shared Windows folders for maximum network protection"
http://service1.symantec.com/SUPPOR...2000091415173339?OpenDocument&src=sec_doc_nam

"Issues caused by a back-up or by a scan of the Exchange 2000 M drive"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298924

"Disabling or enabling Windows Me System Restore"
http://service1.symantec.com/SUPPOR...2001012513122239?OpenDocument&src=sec_doc_nam

"Disabling or enabling Windows XP System Restore"
http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

"Restoring the Publisher Authenticity confirmation dialog box"
http://service1.symantec.com/SUPPOR...2002072208414439?OpenDocument&src=sec_doc_nam

http://www.wmsoftware.com/free.htm

which links to:

http://64.4.206.167/wm-downloads/pub/chktrust.exe

If you can't access those pages or files because of the worm, drop me a
line and I could email you a text printout of the instructions and a
copy of the removal tool.

Do you have an unzipping utility? It would save some email download time
if I zipped the stuff before sending it.
 
aazar

Thanks for your help; here is the status so far:
I ran Trend Micro's Sysclean (finally, and with difficulty; their
instructions, which depend on a logon script, did not work). The virus
is present even in Safe Mode. Sysclean did not work either. So none of
the tools (Trend Micro, Norton's Serflog removal tool or Stinger) work.

The instructions below and any manual recovery are not really helpful,
as the virus takes total control of things like Task Manager, regedit
etc. I am going to look at using another computer, perhaps, to access
the registry. For example, the System Restore tab is hidden from the My
Computer Properties dialogue (in any mode, including Safe Mode).

My e-mail is a a z a r _ t @ h o t m a i l . c o m (remove the spaces,
otherwise Google scrambles the e-mail).

Mike Lynch

Go here,

http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.removal.tool.html

but use another computer, and download the file fixSflog.exe.

The virus will not prevent you loading this on an infected machine via a
floppy.

Just double-click to run. I did it in normal mode, then repeated in Safe
Mode, in that order. It was cleaned out in normal mode; in Safe Mode it
found nothing.

All instructions are given on the page above. You do not have to be
running Norton AV etc.; the PC I cleaned up used AVG.

Mike L.

