I know all of you are wise enough not to run a program just because
somebody sends it to you, and you have anti-virus scanners. But just in
case, I was sent the prettypark.exe virus recently; fortunately, the
following had alerted me:
The following is an alert for the W32/Pretty.Worm.unp Trojan.
Dr Solomon's Anti-Virus Toolkit Users
The extra driver to detect this trojan is available from our website at
the following URL:
http://www.prioritydata.ie/virusalerts/lvirusalerts.htm
Dr Solomon's VirusScan Users
The extra dat to detect this trojan is available from our website at the
following URL:
http://www.prioritydata.ie/virusalerts/lvirusalerts.htm
If you have any further queries, please do not hesitate to contact our
Technical Support Department on (01) 284-5600 or e-mail us at
mailto:[log in to unmask]
-----------------------------------------------------
W32/Pretty.Worm.unp
Aliases
I-Worm.Prettypark.unp, Southpark Trojan
Risk Assessment: Medium On Watch
Minimum DAT: 4067
Minimum Engine: 4.0.25
Characteristics
This is the unpacked edition of the originally packed "W32/Pretty.worm"
Internet worm.
This is an Internet worm that installs on Windows 9x/NT systems. It
arrives via email from affected users who have also run this Internet
worm. It appears as an icon of a character from the animated comedy
series "Southpark".
Symptoms
This program, when run will copy itself to FILES32.VXD in WINDOWS\SYSTEM
folder. It then modifies the registry key value "command" located in the
location:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause the
FILES32.VXD to run during the execution of any exe file.
This worm will try to email itself automatically every 30 minutes to all
email addresses listed in the Internet address book.
A second function of this worm is that it will also try to connect to an
IRC server and join a specific IRC channel. While connected, this worm
tries to stay connected by sending information to the IRC server, and
will also retrieve any commands from the IRC channel. While on the
determined IRC server, the author of this worm could use the connection
as a remote access trojan in order to get information such as the
computer name, registered owner, registered organization, system root
path, and Dial Up Networking username and passwords.
Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local
system as mentioned above.
-----------------------------------------------------
Top ten reported viruses in January 2000 at
http://www.prioritydata.ie/news/ltop10.htm
Virus Hoax details at
http://www.prioritydata.ie/support/lhoax.htm
Add a colleague to this Virus Alert e-mail List
http://www.prioritydata.ie/forms/lvalert.htm
-----------------------------------------------------
W32/Pretty.worm.unp
Date: 25th February 2000
Aliases
I-Worm.Prettypark.unp, Southpark Trojan
Type: Trojan
SubType: worm
Risk Assessment: Medium On Watch
Minimum DAT: 4067
Removal Instructions
Removing this trojan is complicated by the depth to which the trojan hooks
the operating system. The following procedure should remove the Trojan.
1) Identify and note the files associated with this trojan as detected by
the scanner - do not remove the trojan at this time. If you have already
removed the trojan, you will not be able to run the REGEDIT steps below on
the affected system. Proceed instead to step 11 listed below.
2) Run REGEDIT.EXE
3) Remove references to the trojan from the (Default) key of the registry
key HKEY_CLASSES_ROOT\exefile\shell\open\command\ . It should read "%1" %*
4) Remove any keys that run the main server executable under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
5) Delete the registry key HKEY_CLASSES_ROOT\.dl if it exists
6) Exit Regedit
7) If applicable, edit WIN.INI and remove the reference to the trojan from
the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the trojan
from the shell= line in the [boot] section. It should just contain the file
EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well the files should be deleted
OK. If you get an error message saying that Windows is unable to delete the
file because it is in use, then you have made an error in the above
procedure. Repeat steps 1 to 9 and try again.
11) In the event that the trojan was deleted before making the registry
changes, it is still possible to repair the registry. You will need access
to another computer, or at a minimum, access to MS-DOS on the affected
system. Using MS-DOS edit, create a file called UNDO.REG with the following
content (you can cut and paste):

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

12) Save this file to the Windows folder of the affected system as the file
"UNDO.REG".
13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of
UNDO.REG should now be imported to the registry.
EXTRA Drivers
Download extra driver for W32/Pretty.worm.unp for Dr Solomon's AVTK 7.99
and above
Download extra dat for W32/Pretty.worm.unp for Dr Solomon's VirusScan 4
with the 4.0.25 engine (and above)
Copyright ©1997–2000 Priority Data Group. All Rights Reserved.
-------------------------------------------------------------
Patrick O'Beirne B.Sc. M.A. FICS. IT Systems Consultant
http://www.sysmod.com/ Tel: +353 (0)55 22294 Fax: 055 22297
Systems Modelling Ltd, Tara Hill, Gorey, Co. Wexford, IRELAND
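An added example, my own code and not part of the Priority Data alert or of
Dr Solomon's tools: the alert's removal steps boil down to "check whether
exefile\shell\open\command still reads "%1" %* and put it back if not". The
script below parses a REGEDIT4 export (the format UNDO.REG uses), reports the
three symptoms the alert names (the hijacked open command, a Run/RunServices
entry pointing at FILES32.VXD, the HKEY_CLASSES_ROOT\.dl key) and generates
the UNDO.REG text with REGEDIT4's backslash escaping done correctly. The
sample export and the "files32" value name are constructed for the example;
only string (REG_SZ) values are decoded, which is all the alert needs.

```python
"""Check a REGEDIT4 export for the W32/Pretty.worm exefile hijack and build
the UNDO.REG from the alert's removal instructions (added example)."""
from typing import Dict, List

REG_HEADER = "REGEDIT4"
# HKEY_CLASSES_ROOT is a view of HKLM\Software\CLASSES, so the alert names the
# key both ways; check and repair both spellings.
OPEN_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXPECTED_OPEN_COMMAND = '"%1" %*'   # clean (Default) value, per removal step 3
WORM_FILE = "FILES32.VXD"

# Constructed sample (an assumption, not a real capture): what "regedit /e"
# might export from an infected machine, showing the symptoms in the alert.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"files32"="C:\\WINDOWS\\SYSTEM\\FILES32.VXD"

[HKEY_CLASSES_ROOT\.dl]
@=""
'''

# Constructed clean export for comparison.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def reg_quote(s: str) -> str:
    """Encode a string as a REGEDIT4 quoted value (backslash and quote escaped)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_unquote(s: str) -> str:
    """Decode a REGEDIT4 quoted value; inverse of reg_quote."""
    s = s.strip()
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        raise ValueError(f"not a quoted string: {s!r}")
    body, out, i = s[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):   # \\ -> \ and \" -> "
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key (lower-cased): {value name: value}}.
    Only REG_SZ values are decoded; "@" is the (Default) value."""
    if not text.lstrip().startswith(REG_HEADER):
        raise ValueError("expected a REGEDIT4 export")
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "@" if name == "@" else reg_unquote(name)
        if value.startswith('"'):   # dword:/hex: values are skipped
            keys[current][name] = reg_unquote(value)
    return keys


def find_pretty_park_indicators(export_text: str) -> List[str]:
    """One finding per symptom from the alert that the export shows."""
    keys = parse_reg_export(export_text)
    findings = []
    for key in OPEN_COMMAND_KEYS:
        cmd = keys.get(key.lower(), {}).get("@")
        if cmd is not None and cmd != EXPECTED_OPEN_COMMAND:
            findings.append(f"{key} (Default) is {cmd!r}, expected {EXPECTED_OPEN_COMMAND!r}")
    for key in AUTOSTART_KEYS:
        for name, val in keys.get(key.lower(), {}).items():
            if WORM_FILE.lower() in val.lower():
                findings.append(f"{key}\\{name} runs {val}")
    if r"hkey_classes_root\.dl" in keys:
        findings.append(r"HKEY_CLASSES_ROOT\.dl is present (removal step 5: delete it)")
    return findings


def build_undo_reg() -> str:
    """The UNDO.REG of step 11: restore "%1" %* on both spellings of the key."""
    lines = [REG_HEADER, ""]
    for key in OPEN_COMMAND_KEYS:
        lines += [f"[{key}]", "@=" + reg_quote(EXPECTED_OPEN_COMMAND), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_pretty_park_indicators(SAMPLE_EXPORT):
        print("FOUND:", finding)
    print(build_undo_reg())
```

Note that the quoting in UNDO.REG matters: the (Default) value must contain
literal double quotes around %1, so the .reg line is @="\"%1\" %*" and not
@="%1 %*"; reg_quote produces exactly the line the alert shows.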