http://www.symantec.com/avcenter/venc/data/prettypark.worm.htm
PrettyPark.Worm

Detected as: PrettyPark.Worm, W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Known Variants: W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Infection Length: 37,376; 17,081 (C variant); 60,928 (D variant)
Area of Infection: C:\Windows\System, Registry, email attachments
Likelihood: Common
Detected as of: June 1, 1999; February 2, 2000 (C variant); February 18, 2000 (D variant)
Characteristics: Worm, PrettyPark.EXE, Files32.VXD
Norton AntiVirus users can protect themselves
from this virus by downloading the current virus
definitions either through LiveUpdate or from the
Download Virus Definition Updates page.
Description
This worm program behaves similarly to Happy99
Worm. It was originally spread by email spamming
from a French email address. The original report
of this worm was submitted through our exclusive
Scan&Deliver system on May 28, 1999 from France.
When the attached program file, PrettyPark.exe,
is executed, it may display the 3D pipe screen
saver. It also creates a file called files32.vxd
in the Windows\System directory and modifies the
following registry entry value from "%1" %* to
files32.vxd "%1" %* without your knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it tries to
email itself automatically every 30 minutes (or
30 minutes after it is loaded) to email addresses
registered in your Internet address book.
It also tries to connect to an IRC server and
join a specific IRC channel. The worm sends
information to IRC every 30 seconds to keep
itself connected, and to retrieve any commands
from the IRC channel.
Via IRC, the author or distributor of the worm
can obtain system information including the
computer name, product name, product identifier,
product key, registered owner, registered
organization, system root path, version, version
number, ICQ identification numbers, ICQ
nicknames, victim's email address, and Dial Up
Networking username and passwords. In addition,
being connected to IRC opens a security hole in
which the client can potentially be used to
receive and execute files.
Repair Information
To remove the PrettyPark worm:
1. On the Windows taskbar, click Start > Run.
2. Type REGEDIT, then click OK.
3. Modify the following Registry value:
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
   and change
   files32.vxd "%1" %*
   to
   "%1" %*
   For clarity, these seven characters are the following: double quote,
   percent sign, the numeral one, double quote, space, percent sign, and
   asterisk. Don't forget the space.
4. Delete the PrettyPark.exe file.
5. Restart your computer.
6. Delete the \Windows\System\Files32.vxd file.
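The registry change described in the Description and undone in step 3 above, as an added example that is not Symantec's code: a small Python checker that classifies the (Default) value of the exefile open handler, reports which program has been inserted in front of the "%1" %* template, and, on Windows only, can read the live value and write the clean value back. The only facts taken from the advisory are the key path, the clean value "%1" %* and the worm's rewrite to files32.vxd "%1" %*; the detection is a generalisation (any program wrapped around the template is flagged, not only files32.vxd), the quoted-path sample is constructed, and the winreg calls are the standard library's.

```python
"""Check the exefile open handler for the hijack PrettyPark performs.

Added example for this advisory, not Symantec's code. The only facts taken
from the advisory are that the clean (Default) value of
HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command is  "%1" %*  and that
the worm rewrites it to  files32.vxd "%1" %*.  The classification below is a
generalisation: any program inserted in front of the template is flagged.
"""
import platform
import re
from dataclasses import dataclass
from typing import Optional

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"  # from the advisory
CLEAN_VALUE = '"%1" %*'  # the seven characters the repair steps spell out

# A wrapper is either a quoted path or a bare token, followed by the template.
_WRAPPED = re.compile(r'(?P<wrapper>"[^"]+"|\S+)\s+"%1"\s+%\*')


@dataclass
class HandlerCheck:
    value: str                # value as read
    hijacked: bool            # True unless the value is exactly the clean template
    wrapper: Optional[str]    # program placed before "%1" %*, when recognisable
    restored: str             # value the repair step sets it back to


def classify_exefile_command(value: str) -> HandlerCheck:
    """Classify one (Default) value of the exefile open command."""
    stripped = value.strip()
    if stripped == CLEAN_VALUE:
        return HandlerCheck(value, False, None, CLEAN_VALUE)
    m = _WRAPPED.fullmatch(stripped)
    wrapper = m.group("wrapper").strip('"') if m else None
    # Anything that is not the clean template is treated as hijacked, even
    # when no wrapper can be isolated, because every .exe launch goes through it.
    return HandlerCheck(value, True, wrapper, CLEAN_VALUE)


def read_live_value() -> Optional[str]:
    """Read the live handler value; returns None when not on Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "")  # "" selects (Default)
        return value


def restore_live_value() -> None:
    """Step 3 of the repair: write "%1" %* back. Needs administrator rights."""
    if platform.system() != "Windows":
        raise RuntimeError("registry repair only applies on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "", 0, winreg.REG_SZ, CLEAN_VALUE)


if __name__ == "__main__":
    # Constructed sample values: the clean default, the PrettyPark rewrite
    # from the advisory, and a hypothetical quoted-path variant.
    samples = [
        '"%1" %*',
        'files32.vxd "%1" %*',
        r'"C:\Windows\System\files32.vxd" "%1" %*',
    ]
    for s in samples:
        r = classify_exefile_command(s)
        print(f"{s!r:45} hijacked={r.hijacked} wrapper={r.wrapper}")
    live = read_live_value()
    if live is not None:
        r = classify_exefile_command(live)
        print("live value:", repr(live), "hijacked" if r.hijacked else "clean")
        # restore_live_value() is deliberately not called automatically:
        # inspect the report first, then run the repair as an administrator.
```

Run as-is the script only reports; restore_live_value() is a separate call so that a hijacked value is looked at before it is overwritten. Note that the repair writes the handler back before the worm file itself is removed, which matches the order of the steps above: once "%1" %* is restored, nothing depends on files32.vxd and it can be deleted after the restart.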
Safe Computing
Because of Worms and Trojan Horse programs, you
must practice safe computing. Be suspicious of
executable file attachments (for example, .exe,
.shs, or MS Word, or MS Excel files), especially
ones from newsgroups or unknown sources. For
continuous protection, always run Norton
AntiVirus Auto-Protect and use LiveUpdate to make
sure you have the latest virus definitions.
This archive was generated by hypermail 2b29 : Wed Mar 08 2000 - 07:13:04 PST