From Symantec (www.symantec.com)
For those who executed the file "PrettyPark.exe"

PrettyPark.Worm

Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
Infection Length: 37,376
Area of Infection: C:\Windows\System, Registry, Email Attachments
Likelihood: Common
Detected as of: June 1, 1999
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Description

This is a worm program that behaves similarly to the Happy99 Worm. This worm program was originally spread by email spamming from a French email address. The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.

When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It will also try to connect to an IRC server and join a specific IRC channel. The worm will send information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.

Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with June 1, 1999 virus definitions. With the June 9, 1999 definitions or later, the worm will be detected as "PrettyPark.Worm."

Repair Information

Removing this worm manually:

1. Using REGEDIT, modify the Registry entry
   HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
   from
   FILES32.VXD "%1" %* to "%1" %*
   (You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.)
2. Delete WINDOWS\SYSTEM\FILES32.VXD
3. Delete the "Pretty Park.EXE" file.
4. Reboot your computer.

You need to do step #1 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD.

Safe Computing

This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.

Hope this helps.
Yours, Alexander.
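
An added example, not part of the Symantec text or of the original e-mail: a Python check that reads a REGEDIT export and reports any exefile open command that differs from the default "%1" %*, which is the change described above. The sample exports are constructed, and the function names are hypothetical.

```python
import re

# Default handler for .exe files; the worm puts FILES32.VXD in front of it.
DEFAULT_OPEN = '"%1" %*'
# HKEY_CLASSES_ROOT is a view of HKLM\Software\Classes, so watch both spellings.
WATCHED = {r"hkey_local_machine\software\classes\exefile\shell\open\command",
           r"hkey_classes_root\exefile\shell\open\command"}

def default_values(reg_text):
    """Yield (key, default value) pairs from a REGEDIT4-style export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \" becomes " and \\ becomes \
            yield key, re.sub(r"\\(.)", r"\1", line[3:-1])

def check_exefile(reg_text):
    """Return findings for exefile open commands that differ from the default."""
    findings = []
    for key, value in default_values(reg_text):
        if key.lower() not in WATCHED or value.strip() == DEFAULT_OPEN:
            continue
        # Whatever precedes "%1" is run first each time an EXE is started.
        interposed = value.split('"%1"')[0].strip() or None
        findings.append({"key": key, "value": value, "interposed": interposed})
    return findings

# Constructed sample exports (not taken from a real machine).
CLEAN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_exefile(text))
```

A finding only reports the changed value; restoring it still follows step 1 of the repair instructions above.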