Worm.P2P.Relmony.a
Description Worm.P2P.Relmony.a
Relmony is an Internet worm that spreads in the Kazaa and Morpheus peer-to-peer file exchange networks. The Relmony worm replicates by copying itself into the "shared folders" on victim client machines which comprise these networks.
The Relmony worm is a Windows application (PE EXE file) about 29KB in size. It is written in Visual Basic.
Installation
Relmony copies itself to the Windows auto-startup directories with the following names (shown at the end of each string):
C:WINNTsystem32configsystemprofileStartMenuProgramsStartupsystem.exe
C:Documents and SettingsAll UsersStart MenuProgramsStartupsystem.exe
C:WINDOWSStart MenuProgramsStartupsystem.exe
Replication
Relmony copies itself to P2P directories under the following names:
Note 1 - there is a typo for the spelling of the Morpheus network name
C:Program FilesKaZaAMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears.exe
C:Program FilesKaZaAMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_3.exe
C:Program FilesKaZaAMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_.exe
C:Program FilesKaZaAMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_4.exe
C:Program FilesMorpeusMy SharedFolderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears.exe
C:Program FilesMorpeusMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_2.exe
C:Program FilesMorpeusMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_.exe
C:Program FilesMorpeusMy Shared Folderfree_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_4.exe
Other
After being installed the Relmony worm creates a window with the following text appearing:
This window slowly moves from the top-left desktop corner to the bottom-right.
***Clicking on this window and the worm runs the join.php script from the http://www.ignifuge.com/getpaid server.
The Relmony worm then creates a small blue button in top left desktop corner with the word Money written on it. ***Clicking on this button runs the same PHP-script (join.php> from the same server.
The button - Money
Check other viruses! Be aware! Use Antiviral Software
Kolya.5632.a
Description Kolya.5632.a
It is a dangerous memory resident parasitic virus. It hooks INT 10h, 21h and writes itself to the end of COM and EXE files that are executed or opened. In some cases the virus displays messages in Russian. If the "22" option is found in the command line, the virus displays information about itself in Russian and plays a music.
Komar.691
Description Komar.691
These are harmless memory resident parasitic viruses. They hook INT 21h and writes themselves to the end of .COM and .EXE files that are accessed. They contain the text string:
_ KOMAR _
|