Removal of Serflog/Sumom worm
20 Mar 2005

My little niece had been trying for a while now to send me through MSN Messenger a picture called “How a Blonde Eats a Banana”. My reaction was, as anyone’s should be: don’t know what she’s sending, nor why, there’s no prior conversation, no context, no nothing: I did not accept it. But I did not think further about it. A couple of days later I found that a) the girl’s computer had a virus, b) the virus eagerly tried to infect other PCs via Messenger, and c) had successfully accomplished that task in several cases. One of the victims handed over his PC to me (being the family geek and all). Since it was a nasty worm, and it took me some time to disable it, here is the procedure to follow:
- The virus is a worm called W32.Serflog.A, Win32.Bropia.U, Worm.Win32.Sumom.a, W32/Crog.worm or WORM_FATSO.A, depending on what anti-virus company site you visit. I used the information on the Symantec (Norton Antivirus) site to see how it locked itself to the PC.
- The worm does several things:
  - It tries to infect other PCs through Messenger (and eMule, but not too aggressively).
  - It does not prevent users from ‘working’ (surfing, email, …) so I can see some people doing nothing about it while the program keeps trying to multiply.
  - And, most importantly, the worm makes it very hard for even an experienced user to deactivate or remove it.
- The worm starts itself up when Windows starts. Alas, you cannot use Task Manager to see and terminate this process. The invader immediately kills any window starting up that has “Task” in its title. You cannot visit the site of a vendor of antivirus software, because they have all been made inaccessible. You cannot delete its entries from the Registry because it kills the Regedit or Regedt32 applications from the moment they start. You cannot start a DOS Prompt, because … you get the picture.
- So what you do is the following: create a command prompt with a different name. Go to the `C:\WINNT\system32` (Win2K) or `C:\Windows\System32` (WinXP) folder and copy the `cmd.exe` file to e.g. `whatever.exe`. Now double-click the last file, and you should get a command prompt (DOS box). The worm will not detect this.
- The worm works through 3 hidden .exe files:
  - `%System%\formatsys.exe`
  - `%System%\serbw.exe`
  - `%Windir%\msmbw.exe`

  We will deactivate them by making them accessible (non-hidden) and renaming them:

  ```
  attrib -h serbw.exe
  ren serbw.exe die_sucker.dead
  ```

  (and the same for the other 2)

  I first tried to delete the files, but that did not work. Renaming did work, though.
- Restart your computer. The worm will try to start up through one of the three .exe files; since they are now gone, it will not run. Now start up `regedit` and delete the hooks the worm had placed in the Registry (see Symantec page for details).
- Go to the `hosts` file (most likely in `%SYSTEM%\drivers\etc\hosts`) and delete the lines that made the antivirus vendors unavailable. (See Symantec page for details)
- Switch off the computer, hit yourself on the head and go and buy an antivirus program. What were you thinking? The virus would have been detected and cleaned by: F-Secure – Norton – Sophos – McAfee – TrendMicro – …
If you have been infected by it, you know you are too gullible to surf the Internet without protection.
These instructions should work on any Windows installation. You might use Symantec’s removal tool, but I had no Internet connection when I was struggling with the intruder. Took me about thirty minutes to figure out a way to circumvent the vicious sucker.
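
The hosts-file cleanup step in the procedure can be checked with a script. The Python below is an added example, not part of the original post or of Symantec's tool: it flags hosts entries that point a security vendor's hostname at a loopback or null address and returns a cleaned copy of the file. The keyword list (built from the vendor names mentioned in this post) and the `.example` sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: keywords derived from the vendor names in the post; extend as needed.
VENDOR_KEYWORDS = ("symantec", "norton", "f-secure", "sophos", "mcafee", "trendmicro")

def is_sinkhole(address):
    """True for loopback or unspecified addresses (127.0.0.0/8, 0.0.0.0, ::1, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (suspicious, cleaned_text) for the contents of a hosts file.

    suspicious lists (line_number, address, hostname) for each vendor hostname
    mapped to a sinkhole address; cleaned_text drops only those hostnames.
    """
    suspicious, kept = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            kept.append(line)              # comments, blanks, normal mappings
            continue
        address, names = fields[0], fields[1:]
        bad = [n for n in names if any(k in n.lower() for k in VENDOR_KEYWORDS)]
        suspicious.extend((number, address, n) for n in bad)
        good = [n for n in names if n not in bad]
        if not bad:
            kept.append(line)              # e.g. the stock localhost entry
        elif good:                         # keep harmless names on a mixed line
            kept.append(" ".join([address] + good) + (" #" + comment if sep else ""))
    return suspicious, "\n".join(kept) + "\n"

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.example
0.0.0.0 update.mcafee.example localhost.example  # added
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    findings, cleaned = audit_hosts(SAMPLE)
    for number, address, name in findings:
        print(f"line {number}: {name} -> {address}")
    print(cleaned, end="")
```

Review the findings before writing the cleaned text back, since a keyword match can also hit a deliberate local block entry.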
Is this a really nasty piece of software? Yes. Do I admire the person who wrote it? Not at all. It’s not clever engineering, just malevolent.