P2P-Worm.Win32.Relmony.a
| Detected | Aug 24 2002 20:00 GMT |
| Released | Aug 24 2002 20:00 GMT |
| Published | Aug 28 2002 07:42 GMT |
The Relmony worm is a Windows application (PE EXE file) about 29KB in size. It is written in Visual Basic.
Installation
Relmony copies itself to the Windows auto-startup directories with the
following names (shown at the end of each string):
C:\WINNT\system32\config\systemprofile\StartMenu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\Start Menu\Programs\Startup\system.exe
Replication
Relmony copies itself to P2P directories under the following names:
Note 1: the Morpheus network name is misspelled in these paths.
C:\Program Files\KaZaA\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears.exe
C:\Program Files\KaZaA\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_3.exe
C:\Program Files\KaZaA\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_.exe
C:\Program Files\KaZaA\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_4.exe
C:\Program Files\Morpeus\My SharedFolder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears.exe
C:\Program Files\Morpeus\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_2.exe
C:\Program Files\Morpeus\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_.exe
C:\Program Files\Morpeus\My Shared Folder\free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_4.exe
Other
After being installed, the Relmony worm creates a window with the following text:
This window slowly moves from the top-left desktop corner to the bottom-right.
When this window is clicked, the worm runs the join.php script from the http://www.ignifuge.com/getpaid server.
The Relmony worm then creates a small blue button in the top-left desktop corner with the word Money written on it. Clicking on this button runs the same PHP script (join.php) from the same server.
The button - Money
P2P Worms spread via peer-to-peer file sharing networks (such as Kazaa, Grokster, EDonkey, FastTrack, Gnutella, etc.).
Most of these worms work in a relatively simple way: in order to get onto a P2P network, all the worm has to do is copy itself to the file sharing directory, which is usually on a local machine. The P2P network does the rest: when a file search is conducted, it informs remote users of the file and provides services making it possible to download the file from the infected computer.
There are also more complex P2P-Worms that imitate the network protocol of a specific file sharing system and respond positively to search queries; a copy of the P2P-Worm is offered as a match.
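A defender's check for the artifacts listed under Installation and Replication, as an added example that is not part of the original description: it flags system.exe in a Startup folder, the lure name in a shared folder and, going beyond the listed names, any executable whose identical content appears under several names with at least one copy in a shared folder. The function names, the `demo-` file name and the sample tree are constructed for illustration.

```python
import hashlib, re, tempfile
from collections import defaultdict
from pathlib import Path

# Folder names come from the paths listed on this page (compared case-insensitively).
SHARE_DIRS = {"my shared folder", "my sharedfolder"}
# Tail of the lure file name on the page, with its optional "_" / "_<digit>" suffix.
LURE_TAIL = re.compile(r"sum-of-fears(_\d?)?\.exe$", re.I)

def scan(root):
    """Return sorted (reason, relative_path) findings for a volume mounted at root."""
    by_hash, findings = defaultdict(list), set()
    for path in Path(root).rglob("*"):
        parent, name = path.parent.name.lower(), path.name.lower()
        kind = "startup" if parent == "startup" else "share" if parent in SHARE_DIRS else None
        if kind is None or not path.is_file() or not name.endswith(".exe"):
            continue
        rel = path.relative_to(root).as_posix()
        by_hash[hashlib.sha256(path.read_bytes()).hexdigest()].append((kind, rel))
        if kind == "startup" and name == "system.exe":
            findings.add(("startup-name", rel))
        if kind == "share" and LURE_TAIL.search(name):
            findings.add(("lure-name", rel))
    # Generalisation beyond the listed names: identical content under more than
    # one name, at least one of them in a shared folder, is a self-copy pattern.
    for group in by_hash.values():
        if len(group) > 1 and any(kind == "share" for kind, _ in group):
            findings.update(("same-content-copy", rel) for _, rel in group)
    return sorted(findings)

def build_sample(root):
    """Constructed tree: one stand-in body copied around, plus an unrelated file."""
    body = b"MZ" + b"\x00" * 64  # constructed placeholder bytes, not a real sample
    layout = {
        "Documents and Settings/All Users/Start Menu/Programs/Startup/system.exe": body,
        "Program Files/KaZaA/My Shared Folder/demo-sum-of-fears_3.exe": body,
        "Program Files/KaZaA/My Shared Folder/renamed.exe": body,
        "Program Files/KaZaA/My Shared Folder/holiday.exe": b"MZ unrelated",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, rel in scan(tmp):
            print(f"{reason:18} {rel}")
```

The name checks only catch this variant's listed file names; the content check still fires when the copies are renamed, as `renamed.exe` shows in the sample tree.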