LISTSERV at the University of Georgia
Date:         Sat, 26 Feb 2000 11:05:14 -0500
Reply-To:     Kristi Avera <kravera@DATASYS.NET>
Sender:       Georgia Birders Online <GABO-L@LISTSERV.UGA.EDU>
From:         Kristi Avera <kravera@DATASYS.NET>
Subject:      Do not open Pretty Park
Content-Type: text/plain; charset="us-ascii"

If you receive the attachment "PrettyPark.exe," do not open it. I am adding a forward from Birdbrains that describes the PrettyPark Worm.

Kristi Avera

>>The following is from the Symantec (Norton) Antivirus Web Site
>>
>>PrettyPark.Worm
>>
>>Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
>>Infection Length: 37,376
>>Area of Infection: C:\Windows\System, Registry, Email Attachments
>>Likelihood: Common
>>Detected as of: June 1, 1999
>>Characteristics: Worm, PrettyPark.EXE, Files32.VXD
>>
>>Description
>>
>>This is a worm program that behaves similar to Happy99 Worm. This worm
>>program was originally spread by email spamming from a French email
>>address.
>>
>>The attached program file is named "PrettyPark.EXE". The original
>>report of this worm was submitted through our exclusive Scan&Deliver
>>system on May 28, 1999 from France.
>>
>>When the attached program called "PrettyPark.EXE" is executed, it may
>>display the 3D pipe screen saver. It will also create a file called
>>FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following
>>registry entry value from "%1" %* to FILES32.VXD "%1" %* without your
>>knowledge:
>>
>>HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
>>Once the worm program is executed, it will try to email itself
>>automatically every 30 minutes (or 30 minutes after it is loaded) to
>>email addresses registered in your Internet address book.
>>
>>It will also try to connect to an IRC server and join a specific IRC
>>channel. The worm will send information to IRC every 30 seconds to keep
>>itself connected, and to retrieve any commands from the IRC channel.
>>
>>Via IRC, the author or distributor of the worm can obtain system
>>information including the computer name, product name, product
>>identifier, product key, registered owner, registered organization,
>>system root path, version, version number, ICQ identification numbers,
>>ICQ nicknames, victims email address, and Dial Up Networking username
>>and passwords. In addition, being connected to IRC opens a security
>>hole in which the client can potentially be used to receive and execute
>>files.
>>
>>Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with
>>June 1, 1999 virus definitions. With the June 9, 1999 definitions or
>>later, the worm will be detected as "PrettyPark.Worm."
>>
>>Repair Information
>>
>>Removing this worm manually:
>>
>>Using REGEDIT, modify the Registry entry
>>
>>HKEY_LOCAL_MACHINE\Software\Classes\exefile\
>>shell\open\command
>>
>>from
>>
>>FILES32.VXD "%1" %* to "%1" %*
>>
>>(You may launch REGEDIT through Windows Start-menu-RUN. Then search for
>>"FILES32.VXD" in REGEDIT.)
>>
>>Delete WINDOWS\SYSTEM\FILES32.VXD
>>Delete the "Pretty Park.EXE" file.
>>Reboot your computer.
>>You need to do step #1 above; otherwise, executable files may not run
>>properly if you simply delete FILES32.VXD
>>
>>Safe Computing
>>
>>This worm, and other trojan-horse type programs, demonstrate the need
>>to practice safe computing. You should not launch any executable-file
>>attachment (EXE, SHS, MS Word or MS Excel file) that comes from an
>>untrusted email or newsgroup source. These files should always be
>>scanned by Norton AntiVirus, using the latest virus definitions.
>>
>>Norton AntiVirus users can protect themselves from PrettyPark.Worm by
>>downloading the current virus definitions either through LiveUpdate or
>>from the following web page:
>>
>>http://www.symantec.com/avcenter/download.html
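
A defender-side check for the registry change the forwarded advisory describes, added here as an example that is not part of the original message or of Symantec's text: it parses a REGEDIT4 text export and reports whether the exefile open command still equals "%1" %* or has a program placed in front of it. The function names and the two sample exports are constructed for illustration.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
CLEAN = '"%1" %*'  # the value the advisory gives as the original

def default_value(reg_text, key=KEY):
    """Return the (Default) string of `key` from a REGEDIT4 export, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == key.lower()
        elif in_key:
            m = re.fullmatch(r'@="(.*)"', line)
            if m:
                # .reg exports escape backslash and double quote with a backslash.
                return re.sub(r"\\(.)", r"\1", m.group(1))
    return None

def audit(reg_text):
    """Classify the exefile open handler as clean, hijacked or missing."""
    value = default_value(reg_text)
    if value is None:
        return ("missing", None)
    value = value.strip()
    if value == CLEAN:
        return ("clean", None)
    # Whatever precedes the expected tail runs ahead of every launched .exe,
    # which is why deleting that file before fixing the value breaks programs.
    if value.endswith(CLEAN):
        return ("hijacked", value[: -len(CLEAN)].strip())
    return ("hijacked", value)

# Constructed sample exports (not taken from a real machine).
INFECTED = '''REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile\\shell\\open\\command]
@="FILES32.VXD \\"%1\\" %*"
'''
REPAIRED = INFECTED.replace("FILES32.VXD ", "")

if __name__ == "__main__":
    for name, text in (("infected", INFECTED), ("repaired", REPAIRED)):
        print(name, audit(text))
```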

