
Thread: Sumom.a False positive

#1 bfr2u (Junior Member, Drumore, PA) - Sumom.a False positive

    While cleaning a friend of the family's heavily infected computer, Spybot version 1.6.0.30 reported an incidence of the worm Sumom.a which it could not fix. Other AV programs, including FixSflog and Symantec's W32.Serflog Removal tool, did not find Sumom.a, and a manual review for the files msmbw.exe, serbw.exe and formatsys.exe (supposedly associated with Sumom.a) failed to locate those files. Anyone have any experience with false positives for this (elderly) worm?

    System is a Gateway E-4000 running Windows XP Home SP3 with up to date Windows Updates. Browser is Firefox 3.0.4. Fixit report below:


    --- Report generated: 2008-12-01 13:15 ---

    Hint of the Day: Click the bar at the right of this to see more information! ()


    Sumom.A: [SBI $95DB4DB6] Program directory (Directory, fixing failed)
    C:\WINDOWS\system32\P2P Networking\

    Pup: [SBI $DC5C1256] Autorun settings (intell32.exe) (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intell32.exe


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

    2008-07-07 blindman.exe (1.0.0.8)
    2008-07-07 SDFiles.exe (1.6.0.4)
    2008-07-07 SDMain.exe (1.0.0.6)
    2008-07-07 SDShred.exe (1.0.2.3)
    2008-07-07 SDUpdate.exe (1.6.0.8)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2008-07-07 SpybotSD.exe (1.6.0.30)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2008-11-28 unins000.exe (51.49.0.0)
    2008-07-07 Update.exe (1.6.0.7)
    2008-10-22 advcheck.dll (1.6.2.13)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2008-11-04 Includes\Adware.sbi (*)
    2008-11-25 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2008-09-02 Includes\Dialer.sbi (*)
    2008-09-09 Includes\DialerC.sbi (*)
    2008-07-23 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2008-11-18 Includes\HijackersC.sbi (*)
    2008-09-09 Includes\Keyloggers.sbi (*)
    2008-11-18 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2008-11-25 Includes\MalwareC.sbi (*)
    2008-11-03 Includes\PUPS.sbi (*)
    2008-11-25 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-11-25 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-11-04 Includes\Spyware.sbi (*)
    2008-11-11 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2008-11-04 Includes\Trojans.sbi (*)
    2008-11-26 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll

#2 Yodama (Senior Member, Buchenheim)

    Hello,

    Did you check the contents of the following folder?
    C:\WINDOWS\system32\P2P Networking\

    There is probably at least one subfolder present.
    If there are also files present, please email them for further analysis to
    detections-at-spybot.info (replace -at- with @)
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

#3 bfr2u (Junior Member, Drumore, PA) - P2P Networking Folder

    Yodama, thanks for the response! I did check the P2P Networking folder and looked for hidden files. I also checked the folder again with Spybot and Malwarebytes and found nothing. The P2P Networking folder contains a Cache subfolder, which contains a hidden Database folder with five hidden .sig files and one hidden .dbb index file.

    I assume the folder is legit, as LimeWire has been used on this machine.

    I'm sending a zip file with the database contents as you suggested. Thanks again!

#4 Yodama (Senior Member, Buchenheim)

    It appears the folder is related to Kazaa and the related adware AltNet.
    We will consider it a false positive and fix it with the upcoming update today.