Re: [FWDLK] Dave Stragand wrote: PrettyPark.Worm Repair location



file:///C|/WINDOWS/DESKTOP/VIRUS FIX FOR
prettypark_worm.html

Go here for instructions to fix...

Brian

Dave Stragand wrote:
>
> DO NOT OPEN THE PRETTY PARK.EXE PROGRAM IN STIG'S EMAIL.  IT IS A VIRUS!
>
> PLEASE CONTACT ME IF YOU HAVE ALREADY OPENED IT, AND I WILL HELP YOU
> OUT.
>
> Also, do not blame Stig for this email -- the virus mailed itself to
> everyone
> in his Outlook address book automatically -- it was not an intentional
> action.
>
> -Dave
>
> Stig Molteberg wrote:
>
> > Test: Pretty Park.exe  :)
> >
> >    Stig Molteberg
> >
> >   ------------------------------------------------------------------------
> >                       Name: Pretty Park.exe
> >    Pretty Park.exe    Type: unspecified type (application/octet-stream)
> >                   Encoding: base64
Title: PrettyPark.Worm

Symantec AntiVirus Research Center
PrettyPark.Worm

Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
Infection Length: 37,376
Area of Infection: C:\Windows\System, Registry, Email Attachments
Likelihood: Common
Detected as of: June 1, 1999
Characteristics: Worm, PrettyPark.EXE, Files32.VXD


Description

This is a worm program that behaves similarly to the Happy99 worm. It was originally spread by email spamming from a French email address.

The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.

When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It will also try to connect to an IRC server and join a specific IRC channel. The worm will send information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, the victim's email address, and Dial-Up Networking usernames and passwords. In addition, being connected to IRC opens a security hole through which the client can potentially be used to receive and execute files.

Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with June 1, 1999 virus definitions. With the June 9, 1999 definitions or later, the worm will be detected as "PrettyPark.Worm."

Repair Information

Removing this worm manually:

  1. Using REGEDIT, modify the Registry entry

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    from

    FILES32.VXD "%1" %* to "%1" %*

    (You may launch REGEDIT from the Windows Start menu using Run. Then search for "FILES32.VXD" in REGEDIT.)

  2. Delete WINDOWS\SYSTEM\FILES32.VXD
  3. Delete the "Pretty Park.EXE" file.
  4. Reboot your computer.

You must do step #1 above; if you simply delete FILES32.VXD without restoring the registry value, executable files may not run properly.

Safe Computing

This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.


Norton AntiVirus users can protect themselves from PrettyPark.Worm by downloading the current virus definitions either through LiveUpdate or from the following web page:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: June 9, 1999
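
The registry check in step 1 of the repair instructions can also be run against a REGEDIT export of the machine. The following is an added example, not part of the Symantec write-up or the original email; the function names and the two sample exports are constructed for illustration.

```python
import re

# Clean default value and key path, as given in the write-up above.
EXPECTED = '"%1" %*'
KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"

def unescape_reg(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)

def default_values(reg_text):
    """Map each key in a REGEDIT export to its default (@) string value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key.lower()] = unescape_reg(line[3:-1])
    return values

def check_exefile(reg_text):
    """Return (status, detail) for the exefile open command in an export."""
    value = default_values(reg_text).get(KEY.lower())
    if value is None:
        return ("missing", None)          # key not present in this export
    if value == EXPECTED:
        return ("clean", None)
    if value.endswith(EXPECTED):
        # Something was placed in front of "%1" %*, so it runs on every EXE launch.
        return ("hijacked", value[: -len(EXPECTED)].strip())
    return ("modified", value)            # unexpected value, inspect by hand

# Constructed sample exports (REGEDIT4 format), not captured from a real system.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    print(check_exefile(INFECTED_EXPORT))
    print(check_exefile(CLEAN_EXPORT))
```

A "hijacked" result means the value must be restored to "%1" %* before FILES32.VXD is deleted, for the reason given after step 4.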
