FLHERNAN-L Archives
From: "Deborah Byrd" <>
Subject: Pretty park exe
Date: Mon, 6 Dec 1999 10:34:25 -0700
I sent out a virus warning last week about the worm pretty park.exe:
not to open any attachment by that name. Here is what the sucker
does: allows back door entry into your system and, if on a network, the
network.
Description
This is a worm program that behaves similarly to the Happy99 Worm. This worm
program was originally spread by email spamming from a French email
address.
The attached program file is named "PrettyPark.EXE". The original
report of this worm was submitted through our exclusive Scan&Deliver
system on May 28, 1999 from France.
When the attached program called "PrettyPark.EXE" is executed, it may
display the 3D pipe screen saver. It will also create a file called
FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following
registry entry value from "%1" %* to FILES32.VXD "%1" %* without your
knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it will try to email itself
automatically every 30 minutes (or 30 minutes after it is loaded) to
email addresses registered in your Internet address book.
It will also try to connect to an IRC server and join a specific IRC
channel. The worm will send information to IRC every 30 seconds to
keep itself connected, and to retrieve any commands from the IRC
channel.
Via IRC, the author or distributor of the worm can obtain system
information including the computer name, product name, product
identifier, product key, registered owner, registered organization,
system root path, version, version number, ICQ identification numbers,
ICQ nicknames, the victim's email address, and Dial Up Networking username
and passwords. In addition, being connected to IRC opens a security
hole in which the client can potentially be used to receive and
execute files.
Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with
June 1, 1999 virus definitions. With the June 9, 1999 definitions or
later, the worm will be detected as "PrettyPark.Worm."
Repair Information
Removing this worm manually:
1. Using REGEDIT, modify the Registry entry
   HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
   from
   FILES32.VXD "%1" %*
   to
   "%1" %*
   (You may launch REGEDIT through the Windows Start menu, Run. Then search
   for "FILES32.VXD" in REGEDIT.)
2. Delete WINDOWS\SYSTEM\FILES32.VXD
3. Delete the "Pretty Park.EXE" file.
4. Reboot your computer.
You need to do step #1 above; otherwise, executable files may not run
properly if you simply delete FILES32.VXD.
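The registry change described above (and reverted in step #1 of the repair) can be checked from a REGEDIT export before anything is edited by hand. The following Python script is an added example; it is not part of the original message or of Symantec's write-up. It parses a constructed REGEDIT4-style export (sample text, not a real capture), reads the default value of the exefile open command, and reports whether something has been prepended to the normal "%1" %* (the PrettyPark pattern, generalized to any prefix) together with the value that should be restored. The export text and the helper names are assumptions made for illustration.

```python
import re

# Default value Windows uses for the exefile open command; PrettyPark prepends
# FILES32.VXD to it so the worm loader runs before every .EXE.
EXPECTED_COMMAND = '"%1" %*'
EXEFILE_KEY = r'HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command'

# Constructed sample of a REGEDIT4-style export (not a real capture). The
# exefile value is shown as the write-up describes it after infection.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="NOTEPAD.EXE %1"
'''


def _unescape_reg_string(raw):
    """Undo the backslash escaping .reg files use for quotes and backslashes."""
    return re.sub(r'\\(.)', r'\1', raw)


def parse_reg_default_values(text):
    """Map each key in a .reg export (lower-cased) to its default '@' string value."""
    values = {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1].lower()
        elif current_key is not None:
            m = re.match(r'^@="(.*)"$', line)
            if m:
                values[current_key] = _unescape_reg_string(m.group(1))
    return values


def check_exefile_command(value):
    """Classify an exefile open-command value.

    Returns a dict with 'status' ('clean', 'hijacked' or 'unexpected'), the
    'prefix' inserted before the normal command (if any) and the 'repaired'
    value that should be written back.
    """
    stripped = value.strip()
    if stripped == EXPECTED_COMMAND:
        return {'status': 'clean', 'prefix': '', 'repaired': EXPECTED_COMMAND}
    if stripped.endswith(EXPECTED_COMMAND):
        # Something was prepended to the real command: the PrettyPark pattern.
        prefix = stripped[:-len(EXPECTED_COMMAND)].strip()
        return {'status': 'hijacked', 'prefix': prefix, 'repaired': EXPECTED_COMMAND}
    # Neither the default nor a simple prefix; flag it for manual review.
    return {'status': 'unexpected', 'prefix': '', 'repaired': EXPECTED_COMMAND}


def audit_reg_export(text):
    """Audit the exefile open command found in a .reg export."""
    values = parse_reg_default_values(text)
    value = values.get(EXEFILE_KEY.lower())
    if value is None:
        return {'status': 'missing', 'prefix': '', 'repaired': EXPECTED_COMMAND}
    result = check_exefile_command(value)
    result['observed'] = value
    return result


if __name__ == '__main__':
    report = audit_reg_export(SAMPLE_REG_EXPORT)
    print(f"{EXEFILE_KEY}: {report['status']}")
    if report['status'] == 'hijacked':
        print(f"  prefix added to command : {report['prefix']}")
        print(f"  observed value          : {report['observed']}")
        print(f"  value to restore        : {report['repaired']}")
```

Run it against an export made with REGEDIT (File, Export) instead of the embedded sample to check a real machine; a 'hijacked' result with prefix FILES32.VXD matches the write-up exactly, while any other prefix still indicates that the exefile command has been altered and should be restored to "%1" %* before the prefixed file is deleted.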
Safe Computing
This worm, and other trojan-horse type programs, demonstrate the need
to practice safe computing. You should not launch any executable-file
attachment (EXE, SHS, MS Word or MS Excel file) that comes from an
untrusted email or newsgroup source. These files should always be
scanned by Norton AntiVirus, using the latest virus definitions.
Norton AntiVirus users can protect themselves from PrettyPark.Worm by
downloading the current virus definitions either through LiveUpdate or
from the following web page:
http://www.symantec.com/avcenter/download.html
Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: June 9, 1999