Dear Friend,

If you receive an email from me with an attached file called "Pretty
Park.exe", please delete it immediately. It is wise to also delete this
message from your Deleted Items folder. Do NOT execute this file by clicking
on it. It is a virus that will automatically send similar emails to people
in your Address Book. It also posts information from your computer to certain
IRC servers.

I apologize for any inconvenience I might have caused you. It was
unintentional.

Sincerely,
Christian

PS. In case you have been infected by this virus, please follow the
instructions on the following webpage: http://vil.nai.com/vil/vpe10175.asp
For your convenience, I will post the information on this page at the end of
this email.
------------------------------
Christian von Wechmar
Stellenbosch, South Africa
[email protected]
------------------------------

Virus Name
W32/Pretty.Worm

Date Added
6/8/99

Virus Characteristics
This is a worm that infects Windows 9x/NT files. It arrives via email from
infected users.


Indications Of Infection
This program, when run, will display a "3D Pipe" screen saver and then will
copy itself to FILES32.VXD in WINDOWS\SYSTEM folder. It then modifies the
registry key value "command" located in the location:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open

from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause the
FILES32.VXD to run during the execution of any exe file.

This worm will try to email itself automatically every 30 minutes to all
email addresses listed in the Internet address book. A second function of
this worm is that it will also try to connect to an IRC server and join a
specific IRC channel. While connected, this worm tries to stay connected by
sending information to the IRC server, and will also retrieve any commands
from the IRC channel. While on the determined IRC server, the author of this
worm could use the connection as a remote access trojan in order to get
information such as the computer name, registered owner, registered
organization, system root path, and Dial Up Networking username and
passwords.


Method Of Infection
Direct execution of the file "Pretty Park.exe".

Removal
Removal is a manual process. Use the following registry information to
repair the now modified system registry. Open NOTEPAD and cut and paste this
info into a NOTEPAD file; make sure that after the content is pasted into
the file that the format is not all on one line. Save the NOTEPAD file as
"undo.reg" to the desktop. Double click this file to repair the registry.

----------begin,cut after this line----------

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

----------end,cut before this line---------

* AVERT Note *
In Notepad, if you cut and paste this information, it will paste as such:

REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\"
%*"

The problem here is that the .reg file will not work this way. It must be
exactly the way it is shown between the dashed lines. After repairing the
registry, delete the files FILES32.VXD and PrettyPark.exe. Reboot the
computer. Failure to repair the registry will cause applications not to run.


Virus Information
  Discovery Date: 5/26/99
  Origin: France
  Type: Win32
  Risk Assessment: Medium, On Watch
  Minimum DAT: 4029


Variants
Unknown

Aliases
Pretty Worm, PrettyPark, Pretty Park
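
Added example (not part of the original email or the quoted advisory): a small Python check that reads REGEDIT4 text, flags key and value lines that were collapsed together as in the AVERT note, and reports an exefile open command that differs from the stock "%1" %* value. The function name check_reg and the three sample strings are constructed for illustration.

```python
import re

EXPECTED = '"%1" %*'  # stock exefile open command, as given in the advisory
KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed samples: the repair file, an infected export, a collapsed paste.
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
COLLAPSED = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\"
%*"
'''

def check_reg(text):
    """Return (findings, values) for REGEDIT4 text; no findings means clean."""
    findings, values, key = [], {}, None
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "REGEDIT4":
        findings.append("missing REGEDIT4 header")
    for line in lines:
        if line == "REGEDIT4":
            continue
        key_m, val_m = KEY_RE.match(line), DEFAULT_RE.match(line)
        if key_m:
            key = key_m.group(1)
        elif val_m and key:
            # .reg string data escapes backslash and quote with a backslash
            values[key] = re.sub(r'\\(.)', r'\1', val_m.group(1))
        else:
            findings.append("malformed line (collapsed paste?): " + line)
    for k, v in values.items():
        if k.lower().endswith(r"exefile\shell\open\command") and v != EXPECTED:
            findings.append("hijacked open command in %s: %s" % (k, v))
    return findings, values

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("infected", INFECTED), ("collapsed", COLLAPSED)):
        print(name, check_reg(sample)[0])
```
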



--
The silver-list is a moderated forum for discussion of colloidal silver.