Notice
This mailinglist archive is frozen since May 2001, i.e. it will stay online but will not be updated.

Pretty Worm Virus Alert


  • From: WILLIAM D SCHWADERER <WDAVID@xxxxxxxxxxx>
  • Subject: Pretty Worm Virus Alert
  • Date: Tue, 11 Jan 2000 11:49:54 -0800

From: http://vil.mcafee.com/vil/vpe10175.asp

Virus Profile

Virus Name
W32/Pretty.Worm

Date Added
6/8/99

Virus Characteristics
This is a worm that infects Windows 9x/NT files. It arrives via email from
infected users.


Indications Of Infection
This program, when run, will display a "3D Pipe" screen saver and then will
copy itself to FILES32.VXD in WINDOWS\SYSTEM folder. It then modifies the
registry key value "command" located in the location:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open

from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause the
FILES32.VXD to run during the execution of any exe file.

This worm will try to email itself automatically every 30 minutes to all
email addresses listed in the Internet address book. A second function of
this worm is that it will also try to connect to an IRC server and join a
specific IRC channel. While connected, this worm tries to stay connected by
sending information to the IRC server, and will also retrieve any commands
from the IRC channel. While on the determined IRC server, the author of this
worm could use the connection as a remote access trojan in order to get
information such as the computer name, registered owner, registered
organization, system root path, and Dial Up Networking username and
passwords.

Method Of Infection
Direct execution of the file "Pretty Park.exe".

Removal
Removal is a manual process. Use the following registry information to
repair the now modified system registry. Open NOTEPAD and cut and paste this
info into a NOTEPAD file; make sure that after the content is pasted into
the file that the format is not all on one line. Save the NOTEPAD file as
"undo.reg" to the desktop. Double click this file to repair the registry.

----------begin,cut after this line----------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

----------end,cut before this line---------

* AVERT Note *
In Notepad, if you cut and paste this information it will paste as such:

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\"
%*"

The problem here is that the .reg file will not work this way. It must be
exactly the way it is shown between the dashed lines. After repairing the
registry, delete the files FILES32.VXD and PrettyPark.exe. Reboot the
computer. Failure to repair the registry will cause applications not to run.


Virus Information
  Discovery Date: 5/26/99
  Origin: France
  Type: Win32
  Prevalence: Medium, On Watch


Variants
Unknown

Aliases
Pretty Worm, PrettyPark
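
The following is an added example, not part of the original post or of the McAfee profile: a small Python check that an undo.reg file is laid out the way the AVERT note requires, and that tells the clean exefile open command apart from the modified one described above. The function names and the three sample files are constructed for illustration.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command"
EXPECTED = '"%1" %*'  # clean default value, as given in the advisory
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_regedit4(text):
    """Parse string values from a REGEDIT4 file; raise ValueError if malformed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4")
    keys, current = {}, None
    for ln in lines[1:]:
        if ln.startswith("["):
            # The key header must be alone on its line (the AVERT note's case).
            if not ln.endswith("]"):
                raise ValueError("text after key header: " + ln)
            current = keys.setdefault(ln[1:-1].lower(), {})
            continue
        m = _VALUE.match(ln)
        if m is None or current is None:
            raise ValueError("not a complete string value: " + ln)
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\
    return keys

def check_exefile_handler(text):
    """'ok', 'modified', or 'malformed' (unparsable or value missing)."""
    try:
        keys = parse_regedit4(text)
    except ValueError:
        return "malformed"
    value = keys.get(KEY.lower(), {}).get("@")
    if value is None:
        return "malformed"
    return "ok" if value == EXPECTED else "modified"

# Constructed samples: the correct undo.reg, the badly pasted form from the
# AVERT note, and an export showing the modified value the advisory describes.
GOOD = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''
PASTED_WRONG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\"
%*"
'''
MODIFIED = GOOD.replace(r'@="\"%1\"', r'@="FILES32.VXD \"%1\"')
```
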