LISTSERV mailing list manager LISTSERV 16.5

Help for AFRIK-IT Archives


AFRIK-IT Archives

AFRIK-IT Archives


AFRIK-IT@LISTSERV.HEANET.IE


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

AFRIK-IT Home

AFRIK-IT Home

AFRIK-IT  February 2000

AFRIK-IT February 2000

Subject:

Pretty Park.exe Worm/Trojan Alert

From:

Patrick O'Beirne <[log in to unmask]>

Reply-To:

African Network of IT Experts and Professionals (ANITEP) List

Date:

Mon, 28 Feb 2000 09:10:46 +0000

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (156 lines)

I know all of you are wise enough not to run a program just because
somebody sends it to you, and you have anti-virus scanners. But just in
case, I was sent the prettypark.exe virus recently ; fortunately, the
following had alerted me:


To follow is an alert for the W32/Pretty.Worm.unp Trojan.

Dr Solomon's Anti-Virus Toolkit User
The extra driver to detect this trojan is available from our website at
the following URL:

http://www.prioritydata.ie/virusalerts/lvirusalerts.htm

Dr Solomon's VirusScan Users
The extra dat to detect this trojan is available from our website at the
following URL:

http://www.prioritydata.ie/virusalerts/lvirusalerts.htm

If you have any further queries, please do not hesitate to contact our
Technical Support Department on (01) 284-5600 or e-mail us at
mailto:[log in to unmask]

-----------------------------------------------------
W32/Pretty.Worm.unp

Aliases
I-Worm.Prettypark.unp, Southpark Trojan

Risk Assessment: Medium On Watch
Minimum DAT: 4067
Minimum Engine: 4.0.25

Characteristics
This is the unpacked edition of the originally packed "W32/Pretty.worm"
Internet worm.

This is an Internet worm that installs on Windows 9x/NT systems. It
arrives via email from affected users who have also run this Internet
worm. It appears as an icon of a character from the animated comedy
series "Southpark".

Symptoms
This program, when run will copy itself to FILES32.VXD in WINDOWS\SYSTEM
folder. It then modifies the registry key value "command" located in the
location:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause the
FILES32.VXD to run during the execution of any exe file.

This worm will try to email itself automatically every 30 minutes to all
email addresses listed in the Internet address book.

A second function of this worm is that it will also try to connect to an
IRC server and join a specific IRC channel. While connected, this worm
tries to stay connected by sending information to the IRC server, and
will also retrieve any commands from the IRC channel. While on the
determined IRC server, the author of this worm could use the connection
as a remote access trojan in order to get information such as the
computer name, registered owner, registered organization, system root
path, and Dial Up Networking username and passwords.

Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local
system as mentioned above.

-----------------------------------------------------

Top ten reported viruses in January 2000 at
http://www.prioritydata.ie/news/ltop10.htm

Virus Hoax details at
http://www.prioritydata.ie/support/lhoax.htm

Add a colleague to this Virus Alert e-mail List
http://www.prioritydata.ie/forms/lvalert.htm

-----------------------------------------------------


W32/Pretty.worm.unp Date: 25th February 2000 Aliases
I-Worm.Prettypark.unp, Southpark Trojan Type:Trojan
SubType: worm
Risk Assessment: Medium On Watch
Minimum DAT: 4067
Characteristics
This is the unpacked edition of the originally packed "W32/Pretty.worm"
Internet worm.This is an Internet worm that installs on Windows 9x/NT
systems. It arrives via email from affected users who have also run this
Internet worm. It appears as an icon of a character from the animated
comedy series "Southpark".
Symptoms
This program, when run will copy itself to FILES32.VXD in WINDOWS\SYSTEM
folder. It then modifies the registry key value "command" located in the
location:HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\openfrom "%1" %*
to FILES32.VXD "%1" %*. This in essence will cause the FILES32.VXD to run
during the execution of any exe file.This worm will try to email itself
automatically every 30 minutes to all email addresses listed in the
Internet address book.A second function of this worm is that it will also
try to connect to an IRC server and join a specific IRC channel. While
connected, this worm tries to stay connected by sending information to the
IRC server, and will also retrieve any commands from the IRC channel. While
on the determined IRC server, the author of this worm could use the
connection as a remote access trojan in order to get information such as
the computer name, registered
  owner, registered organization, system root path, and Dial Up Networking
username and passwords.Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local
system as mentioned above.
Removal Instructions
The order to remove this trojan is complicated by the depth to which the
trojan hooks the operating system. The following procedure should remove
the Trojan.1) Identify and note the files associated with this trojan as
detected by the scanner - do not remove the trojan at this time. If you
have already removed the trojan, you will not be able to run REGEDIT steps
below on the affected system. Proceed instead to step 11 listed below.2)
Run REGEDIT.EXE3) Remove references to the trojan from the (Default) key of
the registry keyHKEY_CLASSES_ROOT\exefile\shell\open\command\It should read
"%1" %*4) Remove any keys that run the main server executable under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5) Delete
the registry key if it existsHKEY_CLASSES_ROOT\.dl6) Exit Regedit7) If
applicable, edit WIN.INI and remove the reference to the trojan from the
run= line in the [windows] section.8) If applicable, edit SYSTEM.INI and
remove the reference to the trojan from the shell= line in the [boot]
section. It should just contain the file EXPLORER.EXE.9) Restart the
system.10) Delete the trojan program(s). If all is well the files should be
deleted OK. If you get an error message saying that windows is unable to
delete the file because it is in use, then you have made an error in the
above procedure. Repeat steps 1 to 9 and try again.11) In the event that
the trojan was deleted before making the registry changes, it is still
possible to repair the registry. You will need access to another computer,
or at a minimum, access to MS-DOS on the affected system. Using MS-DOS
edit, create a file called UNDO.REG with the following content (you can cut
and paste):REGEDIT4[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"12) Save this file to the Windows folder of the affected
system as the file "UNDO.REG".13) Click on START|RUN and type in UNDO.REG
and press ENTER. The contents of UNDO.REG should be now imported to the
registry.
EXTRA Drivers Download extra driver for W32/Pretty.worm.unp for Dr
Solomon's AVTK 7.99 and above Download extra dat for W32/Pretty.worm.unp
for Dr Solomon's VirusScan 4 with the 4.0.25 engine (and above)
Home  Profile  Products  Services  News  Support  Contact Us 
Employment  Request Info Copyright 19972000 Priority Data Group.
All Rights Reserved. Sales Enquiries: [log in to unmask]



  -------------------------------------------------------------
  Patrick O'Beirne B.Sc. M.A. FICS. IT Systems Consultant
  http://www.sysmod.com/ Tel: +353 (0)55 22294   Fax: 055 22297
  Systems Modelling Ltd, Tara Hill, Gorey, Co. Wexford, IRELAND

Top of Message | Previous Page | Permalink

Advanced Options


Options

Log In

Log In

Get Password

Get Password


Search Archives

Search Archives


Subscribe or Unsubscribe

Subscribe or Unsubscribe


Archives

January 2012
December 2011
November 2011
March 2011
February 2011
January 2011
September 2010
June 2010
May 2010
April 2010
March 2010
February 2010
October 2009
September 2009
July 2009
June 2009
March 2009
February 2009
January 2009
November 2008
October 2008
August 2008
July 2008
April 2008
March 2008
November 2007
August 2007
July 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
November 2005
October 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
August 2002
July 2002
June 2002
May 2002
April 2002
March 2002
February 2002
January 2002
December 2001
November 2001
October 2001
September 2001
August 2001
July 2001
June 2001
May 2001
April 2001
March 2001
February 2001
January 2001
December 2000
November 2000
October 2000
September 2000
August 2000
July 2000
June 2000
May 2000
April 2000
March 2000
February 2000
January 2000
December 1999
November 1999
October 1999
September 1999
August 1999
July 1999
June 1999
May 1999
April 1999
March 1999
February 1999
January 1999
December 1998
November 1998
October 1998
September 1998
August 1998
July 1998
June 1998
May 1998
April 1998
March 1998
February 1998
January 1998
December 1997
November 1997
October 1997
September 1997
August 1997
July 1997
June 1997
May 1997
April 1997
March 1997
February 1997
January 1997
December 1996
November 1996
October 1996
September 1996
August 1996
July 1996
June 1996
May 1996
April 1996
March 1996
February 1996
January 1996
December 1995
November 1995
October 1995
September 1995
August 1995
July 1995
June 1995
May 1995

ATOM RSS1 RSS2



LISTSERV.HEANET.IE

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager