I just realized someone sent the virus attachment to this news.
See below for more information.
Source: www.mcafee.com




Virus Profile

Virus Name
W32/Pretty.worm.unp

Date Added
2/17/00

Virus Characteristics
*March 2, 2000 Update: AVERT has received numerous samples of this Internet
worm. Many users reporting this worm are also users of Outlook Express. This
is the unpacked edition of the originally packed "W32/Pretty.worm" Internet
worm.*

This is an Internet worm that installs on Windows 9x/NT systems. It arrives
via email from affected users who have also run this Internet worm. It
appears as an icon of a character from the animated comedy series
"Southpark". Emails containing this Internet worm have this format:

-------------
Subject: C:\CoolProgs\Pretty Park.exe

Test: Pretty Park.exe :)
-------------

Attached is the file "Pretty park.exe" and in some cases "Pretty~1.exe".

This worm will try to email itself automatically every 30 minutes to all
email addresses listed in the Windows address book associated with Outlook
Express.

A second function of this worm is that it will also try to connect to an IRC
server and join a specific IRC channel. While connected, this worm tries to
stay connected by sending information to the IRC server, and will also
retrieve any commands from the IRC channel. While connected to that IRC
server, the author of this worm could use the connection as a remote access
trojan in order to get information such as the computer name, registered
owner, registered organization, system root path, and Dial Up Networking
username and passwords.

Users should download the 4067 DAT set or above for detection and removal of
this Internet worm. To download the DAT files, follow this link.





Indications Of Infection
Emails containing this Internet worm have this format:

-------------
Subject: C:\CoolProgs\Pretty Park.exe

Test: Pretty Park.exe :)
-------------

This program, when run, will copy itself to FILES32.VXD in the WINDOWS\SYSTEM
folder. It then modifies the "command" value located under the registry key:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open

from "%1" %* to FILES32.VXD "%1" %*. In essence, this causes FILES32.VXD to
run whenever any .exe file is executed.

See this related description of W32/Pretty.worm.


Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local
system as mentioned above.


Removal Instructions
Removing this trojan is complicated by the depth to which it hooks the
operating system. The following procedure should remove the Trojan. On
Windows 95/98 the registry can be loaded and edited using the program named
REGEDIT; on Windows NT, use REGEDT32.

1) Identify and note the files associated with this trojan as detected by
the scanner; do not remove the trojan at this time. If you have already
removed the trojan, you will not be able to run the REGEDIT steps below on the
affected system. Proceed instead to step 11 listed below.

2) Open an MS-DOS prompt via the menu, or click on START|RUN, type COMMAND
and then press ENTER.

3) At the prompt, type START COMMAND and press ENTER, then start Regedit: in
Windows 95/98 type REGEDIT, in Windows NT type REGEDT32, and press ENTER.

4) Remove references to the trojan from these keys of the registry

HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

They should contain only the value shown between the brackets (not including
the brackets themselves): ["%1" %*].

5) If applicable, remove any keys that run the main trojan under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

And

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

6) If applicable, delete the registry key if it exists

HKEY_CLASSES_ROOT\.dl

and exit Regedit

7) If applicable, edit WIN.INI and remove the reference to the trojan from
the run= line in the [windows] section.

8) If applicable, edit SYSTEM.INI and remove the reference to the trojan
from the shell= line in the [boot] section. It should just contain the file
EXPLORER.EXE.

9) Restart the system.

10) Delete the trojan program(s). If all is well, the files will delete
without error. If you get an error message saying that Windows is unable to
delete the file because it is in use, then you have made an error in the
above procedure. Repeat steps 1 to 9 and try again.

11) In the event that the trojan was deleted before making the registry
changes, it is still possible to repair the registry. You will need access
to another computer or, at a minimum, access to MS-DOS on the affected
system. Using MS-DOS EDIT, create a file called UNDO.REG with the following
content (you can cut and paste):

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"


12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".

13) Click on START|RUN, type in UNDO.REG and press ENTER. The contents of
UNDO.REG should now be imported into the registry.
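An added check, not part of McAfee's profile, that parses a REGEDIT4 export (the same format as UNDO.REG above) of the exefile keys named in steps 4 and 11, flags any open command whose default value is not "%1" %* (such as the FILES32.VXD "%1" %* value this worm writes), and builds a repair file in the same form as UNDO.REG. The infected export below is constructed for the example; on a real host the export would come from REGEDIT itself.

```python
import re
# Default value of ...\exefile\shell\open\command on a clean system
CLEAN_COMMAND = '"%1" %*'

def _unescape(value):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", value)

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {name: value}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")  # tolerate trailing backslash
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys

def find_exefile_hijacks(text):
    """Return {key: value} for every exefile open command that is not clean."""
    hijacks = {}
    for key, values in parse_reg(text).items():
        if key.lower().endswith(r"\exefile\shell\open\command"):
            cmd = values.get("@", "")
            if cmd != CLEAN_COMMAND:
                hijacks[key] = cmd
    return hijacks

def repair_reg(hijacks):
    """Build a REGEDIT4 file, like the profile's UNDO.REG, restoring each key."""
    lines = ["REGEDIT4", ""]
    for key in hijacks:
        lines += ["[%s]" % key, '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)

# Constructed export of an infected host (not a captured sample)
INFECTED_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

Running find_exefile_hijacks over the constructed export reports only the HKEY_CLASSES_ROOT key, and importing the file repair_reg builds from that result restores the "%1" %* value.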






Virus Information
  Discovery Date: 2/15/00
  Length: 60,928
  Type: Trojan
  SubType: worm
  Risk Assessment: High


Variants
Name / Type / Sub Type / Differences: Unknown

Aliases
I-Worm.Prettypark.unp, Pretty Park.exe, Southpark Trojan

Related Viruses
W32/Pretty.worm.unp


