Date: Sat, 26 Feb 2000 11:05:14 -0500
Reply-To: Kristi Avera <kravera@DATASYS.NET>
Sender: Georgia Birders Online <GABO-L@LISTSERV.UGA.EDU>
From: Kristi Avera <kravera@DATASYS.NET>
Subject: Do not open Pretty Park
Content-Type: text/plain; charset="us-ascii"

If you receive the attachment "PrettyPark.exe," do not open it. I am
adding a forward from Birdbrains that describes the PrettyPark Worm.
>>The following is from the Symantec (Norton) Antivirus Web Site
>>Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
>>Infection Length: 37,376
>>Area of Infection: C:\Windows\System, Registry, Email Attachments
>>Detected as of: June 1, 1999
>>Characteristics: Worm, PrettyPark.EXE, Files32.VXD
>>This is a worm program that behaves similarly to the Happy99 Worm. This worm
>>program was originally spread by email spamming from a French email
>>The attached program file is named "PrettyPark.EXE". The original
>>report of this worm was submitted through our exclusive Scan&Deliver
>>system on May 28, 1999 from France.
>>When the attached program called "PrettyPark.EXE" is executed, it may
>>display the 3D pipe screen saver. It will also create a file called
>>FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following
>>registry entry value from "%1" %* to FILES32.VXD "%1" %* without your
>>Once the worm program is executed, it will try to email itself
>>automatically every 30 minutes (or 30 minutes after it is loaded) to
>>email addresses registered in your Internet address book.
>>It will also try to connect to an IRC server and join a specific IRC
>>channel. The worm will send information to IRC every 30 seconds to keep
>>itself connected, and to retrieve any commands from the IRC channel.
>>Via IRC, the author or distributor of the worm can obtain system
>>information including the computer name, product name, product
>>identifier, product key, registered owner, registered organization,
>>system root path, version, version number, ICQ identification numbers,
>>ICQ nicknames, victim's email address, and Dial Up Networking username
>>and passwords. In addition, being connected to IRC opens a security
>>hole in which the client can potentially be used to receive and execute
>>Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with
>>June 1, 1999 virus definitions. With the June 9, 1999 definitions or
>>later, the worm will be detected as "PrettyPark.Worm."
>>Removing this worm manually:
>>Using REGEDIT, modify the Registry entry
>>FILES32.VXD "%1" %* to "%1" %*
>>(You may launch REGEDIT through Windows Start-menu-RUN. Then search for
>>"FILES32.VXD" in REGEDIT.)
>>Delete the "Pretty Park.EXE" file.
>>Reboot your computer.
>>You need to do step #1 above; otherwise, executable files may not run
>>properly if you simply delete FILES32.VXD
>>This worm, and other trojan-horse type programs, demonstrate the need
>>to practice safe computing. You should not launch any executable-file
>>attachment (EXE, SHS, MS Word or MS Excel file) that comes from an
>>untrusted email or newsgroup source. These files should always be
>>scanned by Norton AntiVirus, using the latest virus definitions.
>>Norton AntiVirus users can protect themselves from PrettyPark.Worm by
>>downloading the current virus definitions either through LiveUpdate or
>>from the following web page:
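
The registry change described in the forwarded advisory (a command value of `"%1" %*` rewritten to `FILES32.VXD "%1" %*`) can be checked for in a REGEDIT text export. The following is an added example, not part of the original message or of Symantec's advisory; the key names in the sample export are constructed placeholders, and the `review` verdict for other prepended programs is an assumption of this sketch.

```python
import re

CLEAN = '"%1" %*'       # value the advisory says to restore
MARKER = "FILES32.VXD"  # file name the advisory says the worm prepends

# Constructed REGEDIT4-style export. Key names are placeholders, not from the advisory.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_EXAMPLE\placeholder_a\shell\open\command]
@="\"%1\" %*"

[HKEY_EXAMPLE\placeholder_b\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_EXAMPLE\placeholder_c\shell\open\command]
@="C:\\TOOLS\\OTHER.EXE \"%1\" %*"
'''

# name="data" or @="data", allowing backslash-escaped characters inside the quotes
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r'\\(.)', r'\1', s)

def scan_export(text):
    """Return (key, value_name, data, verdict) for string values that wrap "%1" %*."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if data == CLEAN or not data.endswith(CLEAN):
            continue  # untouched value, or not an execute-with-arguments command
        prefix = data[:-len(CLEAN)].strip()
        verdict = 'prettypark' if MARKER in prefix.upper() else 'review'
        findings.append((key, name, data, verdict))
    return findings

if __name__ == '__main__':
    for key, name, data, verdict in scan_export(SAMPLE_EXPORT):
        print(f'{verdict:10} [{key}] {name} = {data}')
```

A `prettypark` finding marks the value that has to be edited back to `"%1" %*` before FILES32.VXD is deleted, which is the ordering the advisory insists on.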