VIRUS NAME: W32/Relmony.worm
Virus Characteristics
This is a simple
peer-to-peer network worm. It's designed to target the KaZaa file-sharing network
using the KaZaa servent, and the Gnutella network using Morpheus. However, due
to the misspelling of "Morpeus" in the code, the Morpheus propagation
fails.
When run, the worm displays a moving window which reads "REAL EASY MONEY".
When the window is clicked, a URL is accessed on the ignifuge.com domain, taking
the user to an affiliate membership application page. The purpose of this is
to generate additional affiliate revenue for the worm's author. Additionally,
a window which reads "MONEY - My computer" is placed in the upper left corner
of the screen; it also accesses this URL when clicked.
The worm copies itself to the default KaZaa shared folder using several filenames:
- free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears.exe
- free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_.exe
- free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_3.exe
- free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-music-movie-sum-of-fears_4.exe
The worm also configures itself to load at system startup by copying itself to the following locations:
- C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Startup\system.exe
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.exe
- C:\WINDOWS\Start Menu\Programs\Startup\system.exe
Symptoms
Presence of the aforementioned filenames in the following directory:
- \program files\kazaa\my shared folder\
Method Of Infection
This worm spreads by enticing peer-to-peer file sharing users to download and
run itself. Once run, the worm copies itself to an expected shared folder for
others to download.
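A defender-side check for the indicators listed above, as an added example that is not part of the original description: it walks a drive or mounted image, flags files in the shared-folder and Startup locations, and hashes them so that a Startup system.exe can be tied to a shared-folder copy. The function names are hypothetical, and the hash comparison assumes the worm's copies are byte-identical.

```python
import hashlib
from pathlib import Path

# Indicators taken from the description above; matched case-insensitively.
BAIT_STEM = ("free_hot_porn_for_sale_pussy_hot-sex-butt-black-young-kiddy-"
             "music-movie-sum-of-fears")
BAIT_NAMES = {BAIT_STEM + suffix + ".exe" for suffix in ("", "_", "_3", "_4")}
SHARE_DIR = "program files/kazaa/my shared folder"
STARTUP_DIRS = {
    "winnt/system32/config/systemprofile/start menu/programs/startup",
    "documents and settings/all users/start menu/programs/startup",
    "windows/start menu/programs/startup",
}


def classify(rel_path):
    """Return 'kazaa-share', 'startup' or None for a path relative to the drive root."""
    parent, _, name = rel_path.replace("\\", "/").lower().rpartition("/")
    if parent == SHARE_DIR and name in BAIT_NAMES:
        return "kazaa-share"
    if parent in STARTUP_DIRS and name == "system.exe":
        return "startup"
    return None


def scan(root):
    """Walk a drive or mounted image; return (kind, relative path, sha256) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        kind = classify(rel)
        if kind:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            findings.append((kind, rel, digest))
    return findings


def corroborated(findings):
    """Hashes present in both a Startup folder and the shared folder.

    Assumption (not stated on the page): the worm's copies are byte-identical,
    so an unrelated system.exe in Startup will not share a hash with the bait.
    """
    kinds_by_hash = {}
    for kind, _, digest in findings:
        kinds_by_hash.setdefault(digest, set()).add(kind)
    return {d for d, kinds in kinds_by_hash.items() if len(kinds) == 2}
```

Pass `scan()` the root of the drive or mounted image under examination; a hash returned by `corroborated()` appears in both a Startup folder and the KaZaa shared folder.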