PrettyPark Trojan Horse -- a warning!

From: Robert Skinner (robert@140.com)
Date: Fri Mar 03 2000 - 09:15:53 PST


- - - - - - - - - - - - - - - - - - - - - - - - - - -
        West Wight Potter Mailing List maintainer
                dfarrell@ridgecrest.ca.us
           List hosted by www.tscnet.com
- - - - - - - - - - - - - - - - - - - - - - - - - - -
An embarrassment. Last night, I received a trojan horse "PrettyPark.exe" as an
attachment to a message with a friend's return address.

I saved it to disk, and examined it with McAfee virus checker. No alarms. So I
executed it. It looked like the "Pipes" screen saver. Big whoop. Later, the
friend sent me a warning, and the following description. I checked my registry,
and I had been infected, but apparently the program had not fired up yet. I
cleaned up the infection, per the following directions.

However - be warned - do not execute any attached programs with my return
address without checking with me via email first. I suggest that you check with
anyone who sends you an executable file BEFORE executing it. I'll certainly be
doing that in the future!

I apologize for any trouble that this infection might have caused you before I
caught it. If you have received a message from me with "Pretty Park" in the
subject line, or with a file resembling that name as an attachment, AND HAVE
EXECUTED THE FILE, I will help you through the cleanup. Please forward the
infected message to me immediately, so I can see how it went out.

-- 
Robert Skinner, Rockville, Maryland
'87 Potter 15 HMS #1618 "Little Dipper"
==========================================================================

PrettyPark.Worm

Detected as: PrettyPark.Worm, W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Known Variants: W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Infection Length: 37,376; 17,081 (C variant); 60,928 (D variant)
Area of Infection: C:\Windows\System, Registry, email attachments
Likelihood: Common
Detected as of: June 1, 1999; February 2, 2000 (C variant); February 18, 2000 (D variant)
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.

Description

This worm program behaves similarly to Happy99 Worm. It was originally spread by email spamming from a French email address. The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.

When the attached program file, PrettyPark.exe, is executed, it may display the 3D pipe screen saver. It also creates a file called files32.vxd in the Windows\System directory and, without your knowledge, modifies the value of the following registry entry from "%1" %* to files32.vxd "%1" %*:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to the email addresses registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.

Repair Information

To remove the PrettyPark worm:

On the Windows taskbar, click Start > Run. Type REGEDIT, then click OK. Modify the following Registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

files32.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.
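The repair above amounts to restoring one registry value, and the same value is what a defender checks to confirm a machine is clean. Because the (Default) value of exefile\shell\open\command is the command Windows runs to open any .exe, anything placed in front of "%1" %* executes every time a program is launched, which is how the worm keeps running. The following is an added example, not code from the write-up or from the mailing-list post, that reads a REGEDIT export of that key and reports whether the handler is the expected seven characters or has something prepended. The two export texts are constructed samples, and the function names are my own.

```python
import re

# Registry key whose (Default) value is the command Windows runs to open any .exe
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"

# The clean value from the write-up: double quote, percent sign, the numeral one,
# double quote, space, percent sign, asterisk (seven characters).
EXPECTED_COMMAND = '"%1" %*'

# Constructed REGEDIT export of the key as it looks after PrettyPark has run.
# (.reg files escape embedded double quotes and backslashes with a backslash.)
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
'''

# Constructed export of the same key after the repair described above.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(text):
    """Undo the .reg quoting of backslash and double quote."""
    return re.sub(r'\\(["\\])', r'\1', text)


def default_value_of(export_text, key):
    """Return the (Default) string value of `key` from a .reg export, or None if absent."""
    in_key = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive in the registry
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            return unescape_reg_string(line[3:-1])
    return None


def check_exefile_handler(export_text):
    """Classify the .exe open handler found in a .reg export.

    Returns ("clean", None), ("missing", None), or ("hijacked", <text placed
    before "%1">). Whatever precedes "%1" runs on every program launch.
    """
    value = default_value_of(export_text, EXEFILE_KEY)
    if value is None:
        return ("missing", None)
    if value == EXPECTED_COMMAND:
        return ("clean", None)
    marker = value.find('"%1"')
    prepended = value[:marker].strip() if marker >= 0 else value
    return ("hijacked", prepended)


if __name__ == "__main__":
    for name, export in (("infected", INFECTED_EXPORT), ("repaired", CLEAN_EXPORT)):
        print(name, check_exefile_handler(export))
```

To use it on a real machine, export the key with REGEDIT (File > Export) and pass the file's contents to check_exefile_handler; a "hijacked" result names the program that was inserted ahead of the real executable, which for this worm is files32.vxd.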

Delete the PrettyPark.exe file. Restart your computer. Delete the \Windows\System\Files32.vxd file.

Safe Computing

Because of worms and Trojan horse programs, you must practice safe computing. Be suspicious of executable file attachments (for example, .exe or .shs files, or MS Word or MS Excel files), especially ones from newsgroups or unknown sources.

Write-up by: Raul K. Elnitiarta & Eric Chien, June 1, 1999



This archive was generated by hypermail 2b29 : Fri Mar 31 2000 - 03:27:08 PST