 |
PrettyPark.Worm
| Virus Name: |
PrettyPark.Worm |
| Aliases: |
Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV |
| Infection Length: |
37,376 |
| Area of Infection: |
C:\Windows\System, Registry, Email Attachments |
| Likelihood: |
Common |
| Detected as of: |
June 1, 1999 |
| Characteristics: |
Worm, PrettyPark.EXE, Files32.VXD |
Description:
This is a worm program that behaves similar to Happy99
Worm. This worm program was originally spread by email spamming from a
French email address.
The attached program file is named "PrettyPark.EXE". The original
report of this worm was submitted through our exclusive Scan&Deliver
system on May 28, 1999 from France.
When the attached program called "PrettyPark.EXE" is executed, it may
display the 3D pipe screen saver. It will also create a file called
FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following
registry entry value from "%1" %* to FILES32.VXD "%1" %* without your
knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it will try to email itself
automatically every 30 minutes (or 30 minutes after it is loaded) to email
addresses registered in your Internet address book.
It will also try to connect to an IRC server and join a specific IRC
channel. The worm will send information to IRC every 30 seconds to keep
itself connected, and to retrieve any commands from the IRC channel.
Via IRC, the author or distributor of the worm can obtain system
information including the computer name, product name, product identifier,
product key, registered owner, registered organization, system root path,
version, version number, ICQ identification numbers, ICQ nicknames,
victims email address, and Dial Up Networking username and passwords. In
addition, being connected to IRC opens a security hole in which the client
can potentially be used to receive and execute files.
Norton AntiVirus users can protect themselves from PrettyPark.Worm by
downloading the current virus definitions either through LiveUpdate or
from the following web page:
http://www.symantec.com/avcenter/download.html
Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with
June 1, 1999 virus definitions. With the June 9, 1999 definitions or
later, the worm will be detected as "PrettyPark.Worm."
Repair Information
Removing this worm manually:
- Using REGEDIT, modify the Registry
entry
HKEY_LOCAL_MACHINE\Software\Classes\exefile\
shell\open\command
from
FILES32.VXD "%1" %* to just say "%1" %*
(You may launch REGEDIT through Windows Start-menu-RUN.
Then search for "FILES32.VXD" in REGEDIT.)
- Delete WINDOWS\SYSTEM\FILES32.VXD
- Delete the "Pretty Park.EXE" file.
- Reboot your computer.
You need to do step #1 above; otherwise, executable files may not run
properly if you simply delete FILES32.VXD
|
