
Fwd: *ALERT* Worm Virus Spreading thru Buick community



Here are the details about that worm virus that I sent to a couple other 
lists, for those who do not know about it...be careful

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Testa                                         TType86 on #BuickGN
jtesta1966@aol.com                               buick.fiendish.net:6667
ASE Master Technician            NJ Lic. Motor Vehicle Inspector
L1 Adv Eng Perf Certified     NJ Licensed Emissions repair Tech
--- Begin Message ---
*Attention*

If anyone receives an email with the subject "c:\cool progs\pretty park.exe" 
do NOT download the attachment, or if you did, do NOT run it. If it's too 
late, go to your favorite virus company and DL the latest updates to remove 
this virus. It is a worm that seems to be spreading via email and in the body 
of the mail it says:

Test: Pretty Park.exe :)

It doesn't appear to be a bad virus, just an email worm that possibly sends 
the author specifics about your machine, specifics below:

"I-Worm.PrettyPark
This is a worm virus spreading via Internet. It appears as a PrettyPark 
utility attached to email. Being executed it installs itself into the system, 
then sends infected messages (with its attached copy) to addresses listed in 
Windows Address Book, informs a user on some IRC channel about system 
settings and passwords, and also may be used as a
Backdoor. 
The worm itself is a Windows PE executable file about 37Kb in length. This 
file is compressed by the WWPack32 utility. Being unpacked it appears to be a 
58Kb EXE file written in Delphi; the "pure" code in the file occupies just 
about 45Kb. Despite this rather short size for a Delphi application, the 
worm has many features that make it a very dangerous and fast spreading 
program. 

When the worm is executed in the system for the first time, it looks for its 
copy already installed in the system memory. The worm does that by looking 
for an application that has the "#32770" window caption. If there is no such 
window, the virus registers itself as a hidden application (not visible in the 
task list) and runs its installation routine. 

While installing into the system the worm copies its file to the Windows 
system directory with the FILES32.VXD filename and registers it in the system 
registry to be run each time any other application starts. The virus does 
that by creating a new key in HKEY_CLASSES_ROOT; the key name is 
exefile\shell\open\command and it is associated with the worm copy, the 
FILES32.VXD file that was created in the Windows system folder. This file has 
a .VXD extension, but it is not a VxD Win95/98 driver but a "true" Windows 
executable. 

In case of an error while installing, the worm activates the SSPIPES.SCR 
screen saver (to hide its activity?). If there is no such file found, the worm 
tries to activate the Canalisation3D.SCR screen saver. 

The worm then initialises a socket (Internet) connection and runs two routines 
that are activated periodically: the first one once per 30 seconds, the other 
one once per 30 minutes. 


The first of these routines, each time it is activated, tries to connect to 
some IRC chat (see the list below), and by special requests sends messages 
to a user on these channels. In this way the worm author seems to catch 
affected stations to monitor them. The list of IRC servers the worm tries to 
connect to looks as follows: 

 irc.twiny.net
 irc.stealth.net
 irc.grolier.net
 irc.club-internet.fr
 ircnet.irc.aol.com
 irc.emn.fr
 irc.anet.com
 irc.insat.com
 irc.ncal.verio.net
 irc.cifnet.com
 irc.skybel.net
 irc.eurecom.fr
 irc.easynet.co.uk

Being recognized by the host (virus author) the worm may be manipulated as a 
Backdoor trojan horse. By a set of commands it sends to the remote host the 
system configuration, disk list, directories info, as well as confidential 
information: Internet access passwords and telephone numbers, Remote Access 
Service login names and passwords, ICQ numbers, etc. The backdoor is also 
able to create/remove directories, send/receive files, delete and execute 
them, etc. 

The second routine, which is activated once per 30 minutes, opens the Windows 
Address Book file, reads Internet addresses from there, and sends a message 
to them. The message can be sent not only to private email addresses, but 
also to Internet conferences; that depends on the Address Book contents only. 
The message Subject field contains the text: 

 C:\CoolProgs\Pretty Park.exe

The message itself contains nothing but an attached copy of the worm. "

I got this off www.avp.com, and apparently AVP has a disinfector for this 
virus. I recommend you all scan your computers if you suspect you were 
infected.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Testa                                         TType86 on #BuickGN
jtesta1966@aol.com                               buick.fiendish.net:6667
ASE Master Technician            NJ Lic. Motor Vehicle Inspector
L1 Adv Eng Perf Certified     NJ Licensed Emissions repair Tech

--- End Message ---
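The AVP write-up quoted above names three concrete host- and mail-side indicators: the hijacked HKEY_CLASSES_ROOT\exefile\shell\open\command value (which on a clean system just runs "%1" with its arguments), the FILES32.VXD file dropped into the Windows system directory, and the "Pretty Park.exe" subject line on the worm's outgoing mail. The following Python script is an added example written for this archive page; it is not part of the original post nor AVP's disinfector. It checks those indicators against registry values, directory listings and mail subjects supplied as plain strings, so it runs offline on any platform; on a live Windows host you would feed it the value read from the registry. The sample hosts at the bottom, including the exact hijacked command string, are constructed for illustration.

```python
"""
Defensive indicator checks for the PrettyPark worm as described in the AVP
write-up quoted in the list post. Added example, not the post's or AVP's code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Expected default of HKEY_CLASSES_ROOT\exefile\shell\open\command on a clean
# Windows 9x/NT system: run the launched program itself ("%1") with its
# arguments (%*). Anything else in front of %1 runs before every .exe.
CLEAN_EXE_COMMAND = re.compile(r'^"?%1"?(\s+%\*)?\s*$')

# Indicators taken from the quoted write-up.
WORM_DROPPED_FILENAME = "files32.vxd"                  # dropped into the system dir
WORM_MAIL_SUBJECT_NORMALISED = r"c:\coolprogs\prettypark.exe"  # subject, spaces removed


@dataclass(frozen=True)
class Finding:
    indicator: str   # short machine-friendly name
    detail: str      # human-readable evidence


def _normalise_subject(subject: str) -> str:
    """Lower-case and drop whitespace so both spellings that appear in the post
    (with and without spaces in the path) compare equal."""
    return "".join(subject.split()).lower()


def check_exefile_command(value: str) -> List[Finding]:
    """Flag an exefile handler that runs anything other than the launched program.

    The write-up says the worm re-points this value at its FILES32.VXD copy so
    the worm runs whenever any .exe starts; any other deviation from the clean
    form is also worth a look, so both cases are reported."""
    findings: List[Finding] = []
    if CLEAN_EXE_COMMAND.match(value.strip()):
        return findings
    findings.append(Finding("exefile-handler-modified",
                            f"exefile\\shell\\open\\command is {value.strip()!r}"))
    if WORM_DROPPED_FILENAME in value.lower():
        findings.append(Finding("prettypark-handler",
                                "handler references FILES32.VXD"))
    return findings


def check_system_dir(filenames: Iterable[str]) -> List[Finding]:
    """Flag the worm's dropped file in a Windows system directory listing."""
    return [Finding("prettypark-dropped-file", f"found {name}")
            for name in filenames if name.lower() == WORM_DROPPED_FILENAME]


def check_mail_subjects(subjects: Iterable[str]) -> List[Finding]:
    """Flag inbound or outbound mail carrying the worm's subject line."""
    return [Finding("prettypark-mail-subject", f"subject {s!r}")
            for s in subjects
            if _normalise_subject(s) == WORM_MAIL_SUBJECT_NORMALISED]


def scan(exefile_command: str, system_dir_files: Iterable[str],
         mail_subjects: Iterable[str]) -> List[Finding]:
    """Run all three checks; an empty list means no indicator was seen."""
    return (check_exefile_command(exefile_command)
            + check_system_dir(system_dir_files)
            + check_mail_subjects(mail_subjects))


# Constructed sample inputs (not real captures) for a stand-alone run. The
# hijacked command string is an assumed form, not one taken from the write-up.
CLEAN_HOST = {
    "exefile_command": '"%1" %*',
    "system_dir_files": ["KERNEL32.DLL", "USER32.DLL", "SSPIPES.SCR"],
    "mail_subjects": ["Re: Buick GN dyno results", "Parts for sale"],
}
INFECTED_HOST = {
    "exefile_command": 'C:\\WINDOWS\\SYSTEM\\FILES32.VXD "%1" %*',
    "system_dir_files": ["KERNEL32.DLL", "FILES32.VXD", "USER32.DLL"],
    "mail_subjects": ["c:\\cool progs\\pretty park.exe",
                      "C:\\CoolProgs\\Pretty Park.exe"],
}

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        findings = scan(**host)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.indicator}] {f.detail}")
```

The handler check deliberately reports any departure from the clean "%1" %* form, not just one naming FILES32.VXD: the same hijack point is usable by other malware, and an unexpected wrapper in front of every .exe is worth investigating regardless of its filename.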