GABO-L archives -- February 2000 (#150)

Date:         Sat, 26 Feb 2000 11:05:14 -0500
Reply-To:     Kristi Avera <kravera@DATASYS.NET>
Sender:       Georgia Birders Online <GABO-L@LISTSERV.UGA.EDU>
From:         Kristi Avera <kravera@DATASYS.NET>
Subject:      Do not open Pretty Park
Content-Type: text/plain; charset="us-ascii"
If you receive the attachment "PrettyPark.exe," do not open it.  I am
adding a forward from Birdbrains that describes the PrettyPark Worm.

Kristi Avera


>>The following is from the Symantec (Norton) Antivirus Web Site
>>
>>PrettyPark.Worm
>>
>>Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
>>Infection Length: 37,376
>>Area of Infection: C:\Windows\System, Registry, Email Attachments
>>Likelihood: Common
>>Detected as of: June 1, 1999
>>Characteristics: Worm, PrettyPark.EXE, Files32.VXD
>>
>>
>>
>>Description
>>
>>This is a worm program that behaves similar to Happy99 Worm. This worm
>>program was originally spread by email spamming from a French email
>>address.
>>
>>The attached program file is named "PrettyPark.EXE". The original
>>report of this worm was submitted through our exclusive Scan&Deliver
>>system on May 28, 1999 from France.
>>
>>When the attached program called "PrettyPark.EXE" is executed, it may
>>display the 3D pipe screen saver. It will also create a file called
>>FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following
>>registry entry value from "%1" %* to FILES32.VXD "%1" %* without your
>>knowledge:
>>
>>HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
>>Once the worm program is executed, it will try to email itself
>>automatically every 30 minutes (or 30 minutes after it is loaded) to
>>email addresses registered in your Internet address book.
>>
>>It will also try to connect to an IRC server and join a specific IRC
>>channel. The worm will send information to IRC every 30 seconds to keep
>>itself connected, and to retrieve any commands from the IRC channel.
>>
>>Via IRC, the author or distributor of the worm can obtain system
>>information including the computer name, product name, product
>>identifier, product key, registered owner, registered organization,
>>system root path, version, version number, ICQ identification numbers,
>>ICQ nicknames, victims email address, and Dial Up Networking username
>>and passwords. In addition, being connected to IRC opens a security
>>hole in which the client can potentially be used to receive and execute
>>files.
>>
>>Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with
>>June 1, 1999 virus definitions. With the June 9, 1999 definitions or
>>later, the worm will be detected as "PrettyPark.Worm."
>>
>>Repair Information
>>
>>Removing this worm manually:
>>
>>Using REGEDIT, modify the Registry entry
>>
>>HKEY_LOCAL_MACHINE\Software\Classes\exefile\
>>shell\open\command
>>
>>from
>>
>>FILES32.VXD "%1" %* to "%1" %*
>>
>>
>>(You may launch REGEDIT through Windows Start-menu-RUN. Then search for
>>"FILES32.VXD" in REGEDIT.)
>>
>>
>>Delete WINDOWS\SYSTEM\FILES32.VXD
>>Delete the "Pretty Park.EXE" file.
>>Reboot your computer.
>>You need to do step #1 above; otherwise, executable files may not run
>>properly if you simply delete FILES32.VXD
>>
>>Safe Computing
>>
>>This worm, and other trojan-horse type programs, demonstrate the need
>>to practice safe computing. You should not launch any executable-file
>>attachment (EXE, SHS, MS Word or MS Excel file) that comes from an
>>untrusted email or newsgroup source. These files should always be
>>scanned by Norton AntiVirus, using the latest virus definitions.
>>
>>Norton AntiVirus users can protect themselves from PrettyPark.Worm by
>>downloading the current virus definitions either through LiveUpdate or
>>from the following web page:
>>
>>http://www.symantec.com/avcenter/download.html
>>
>
Back to: Top of message | Previous page | Main GABO-L page
listserv.uga.edu
Enterprise Information Technology Services
The University of Georgia
listhelp@uga.edu