-Caveat Lector-

PrettyPark.Worm Virus

Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
Infection Length: 37,376
Area of Infection: C:\Windows\System, Registry, Email Attachments
Likelihood: Common
Detected as of: June 1, 1999
Characteristics: Worm, PrettyPark.EXE, Files32.VXD
Description

This is a worm program that behaves similarly to the Happy99 worm. It was
originally spread by email spam sent from a French email address.

The attached program file is named "PrettyPark.EXE". The original report of
this worm was submitted through our exclusive Scan&Deliver system on May 28,
1999 from France.

When the attached program called "PrettyPark.EXE" is executed, it may display
the 3D pipe screen saver. It will also create a file called FILES32.VXD in
the WINDOWS\SYSTEM directory and modify the following registry entry value
from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically
every 30 minutes (or 30 minutes after it is loaded) to email addresses
registered in your Internet address book.

It will also try to connect to an IRC server and join a specific IRC channel.
The worm will send information to IRC every 30 seconds to keep itself
connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information
including the computer name, product name, product identifier, product key,
registered owner, registered organization, system root path, version, version
number, ICQ identification numbers, ICQ nicknames, the victim's email address,
and Dial-Up Networking usernames and passwords. In addition, being connected
to IRC opens a security hole in which the client can potentially be used to
receive and execute files.

Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with June 1,
1999 virus definitions. With the June 9, 1999 definitions or later, the worm
will be detected as "PrettyPark.Worm."

Repair Information

Removing this worm manually:

1. Using REGEDIT, modify the Registry entry

   HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

   from

   FILES32.VXD "%1" %*

   to

   "%1" %*

   (You may launch REGEDIT through the Windows Start menu, RUN. Then search
   for "FILES32.VXD" in REGEDIT.)

2. Delete WINDOWS\SYSTEM\FILES32.VXD

3. Delete the "PrettyPark.EXE" file.

4. Reboot your computer.

You need to do step #1 above; otherwise, executable files may not run
properly if you simply delete FILES32.VXD.
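The registry change described above (a loader prepended to the exefile open command) and the check behind repair step #1 can be verified offline from a REGEDIT export. The following is an added example, not part of the Symantec write-up; the .reg text is constructed for illustration and the function names are my own.

```python
import re

# Constructed REGEDIT4 exports (not real captures) of the key this worm modifies.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''

CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'   # the value the write-up says to restore


def read_default_value(reg_text, key):
    """Return the (Default) value of `key` from a REGEDIT4 export, with
    .reg escaping (\\" and \\\\) undone, or None if the key/value is absent."""
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key and line.startswith("@="):
            raw = line[2:].strip()
            if raw.startswith('"') and raw.endswith('"'):
                return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return None


def check_exefile_command(command):
    """Classify the exefile open command. Anything in front of the clean
    '"%1" %*' is a loader that will run before every .EXE the user starts."""
    if command is None:
        return {"status": "missing", "loader": None, "restore_to": CLEAN_COMMAND}
    cmd = command.strip()
    if cmd == CLEAN_COMMAND:
        return {"status": "clean", "loader": None, "restore_to": None}
    if cmd.endswith(CLEAN_COMMAND):
        loader = cmd[: -len(CLEAN_COMMAND)].strip()
        return {"status": "hijacked", "loader": loader, "restore_to": CLEAN_COMMAND}
    # Some other non-default value: flag it for manual review rather than guess.
    return {"status": "unexpected", "loader": None, "restore_to": CLEAN_COMMAND}
```

The "hijacked" result names the prepended loader (FILES32.VXD here), which is exactly why deleting the file without fixing the value breaks every .EXE launch.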

Safe Computing

This worm, and other trojan-horse type programs, demonstrate the need to
practice safe computing. You should not launch any executable-file attachment
(EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or
newsgroup source. These files should always be scanned by Norton AntiVirus,
using the latest virus definitions.
Norton AntiVirus users can protect themselves from PrettyPark.Worm by
downloading the current virus definitions either through LiveUpdate or from
the following web page:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: June 9, 1999


DECLARATION & DISCLAIMER
==========
CTRL is a discussion and informational exchange list. Proselytizing propagandic
screeds are not allowed. Substance, not soapboxing!  These are sordid matters
and 'conspiracy theory', with its many half-truths, misdirections and outright
frauds is used politically  by different groups with major and minor effects
spread throughout the spectrum of time and thought. That being said, CTRL
gives no endorsement to the validity of posts, and always suggests to readers;
be wary of what you read. CTRL gives no credence to Holocaust denial and
Nazis need not apply.

Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://home.ease.lsoft.com/archives/CTRL.html

http:[EMAIL PROTECTED]/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om
