Virus on email

 



PrettyPark.exe



It is detected as : W32/Pretty.worm.unp
Aliases : I-Worm.PrettyPark.unp, PrettyPark.exe
Known Variants : None
Related Virus :
Email Subject : C:\CoolProgs\Pretty Park.exe
Message text : Test : Pretty Park.exe :)
Attachment : PrettyPark.exe, in some cases Pretty~1.exe

W32/Pretty.Worm Infects : C:\Windows\System
registry
email attachments

This is an .exe file that spreads via the Internet; the program behaves similarly to Happy99. It appears as a Pretty Park utility attached to an email (.exe extension), and the worm infects Windows 9x/NT files.
It arrives via email from an infected user (who does not know about it) and appears as an icon of a little boy.
Once the worm program is executed, it tries to send infected messages, each with an attached copy of itself, automatically every 30 minutes to all email addresses listed in your Windows address book and also those associated with Outlook Express.
When run, the program copies itself to FILES32.VXD in the Windows\System directory and modifies the registry entry value from "%1" %* to files32.vxd "%1" %* without your knowledge.
Registry key : HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

A second function of the worm is that it also tries to connect to several IRC servers.
While connected, the worm sends information to IRC every 30 seconds to keep itself connected and to retrieve any commands from the IRC channel. The information is sent as a list to random ports, both UDP and TCP; each port is randomly assigned in the range 1000 to 4900.
While the worm is on the chosen IRC server, the author of this .exe could use the connection as a remote access trojan horse (backdoor) to get information from your computer, ANY INFO, such as registrations, passwords, dial-up networking usernames and ICQ, and to create and remove files, directories, etc.
In addition, being connected to IRC opens a security hole through which the client can potentially be used to receive and execute files.

Removal of Pretty Park.exe:

1. On the Windows taskbar, click Start and then Run.
2. Type regedit (for W9x) or regedt32 (for Windows NT) and press Enter.
3. Go to the following registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
and change the value files32.vxd "%1" %* to "%1" %* . Don't forget the space between " and %.
The key should contain only the value "%1" %* and nothing else.
4. Delete the PrettyPark.exe file.
5. Restart your computer.
6. Delete the Windows\System\Files32.vxd file.

Finished.

Optional checks:

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete any entries that run the main trojan.
2. HKEY_CLASSES_ROOT\.dl
Delete this key (directory); it is created by the worm so that .dl runs like an .exe.
3. Edit WIN.INI and remove the reference to the trojan from the run= line, which is mostly used by backdoors.
4. Edit SYSTEM.INI and remove the reference to the trojan from the shell= line.
It should contain only the Explorer.exe file.


For more info see at

Safe Computing : be suspicious of .exe, .shs, MS Word and MS Excel file attachments.



prettypark

Trojan Worm   PrettyPark



It is detected as : PrettyPark.Worm, W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm, W32/PrettyPark.Worm
Aliases : I-Worm.PrettyPark, Pretty Worm, Trojan Horse, W32.PrettyPark, PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Known Variants : W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
File length : 37,376 bits, 17,081 bits (variant C), 60,928 bits (variant D)
Email Subject : C:\CoolProgs\Pretty Park.exe
Message text : Test : Pretty Park.exe :) or nothing

PrettyPark Worm Infects : C:\Windows\System
registry
email attachments

This is a worm that spreads via the Internet; the program behaves similarly to Happy99.
It appears as a Pretty Park utility attached to an email (.exe extension), and the worm infects Windows 9x/NT files.
It arrives via email from an infected user (who does not know about it) and appears as an icon of a little boy.
Once the worm program is executed, it tries to send infected messages, each with an attached copy of itself, automatically every 30 minutes to all email addresses listed in your Internet address book and Windows address book.
When run, the program copies itself to FILES32.VXD in the Windows\System directory and modifies the registry entry value from "%1" %* to files32.vxd "%1" %* without your knowledge.
Registry key : HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

A second function of the worm is that it also tries to connect to an IRC server and join a specific IRC channel.
While connected, the worm sends information to IRC every 30 seconds to keep itself connected and to retrieve any commands from the IRC channel.
While the worm is on the chosen IRC server, the author of this worm could use the connection as a remote access trojan horse (backdoor) to get information from your computer, ANY INFO,
such as registrations, passwords, dial-up networking usernames and ICQ, and to create and remove files, directories, etc.
In addition, being connected to IRC opens a security hole through which the client can potentially be used to receive and execute files.

If an error occurs while installing, the worm activates the SSPIPES.SCR screen saver to hide its activity. If there is no such file, the worm tries to activate the Canalisation3D.SCR screen saver.
The worm then initializes a socket (Internet) connection and runs its activated routines: it connects to IRC chat and IRC servers.

Removal of PrettyPark worm:

1. On the Windows taskbar, click Start and then Run.
2. Type regedit (for W9x) or regedt32 (for Windows NT) and press Enter.
3. Go to the following registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
and change the value files32.vxd "%1" %* to "%1" %* . Don't forget the space between " and %.
The key should contain only the value "%1" %* and nothing else.
4. Delete the PrettyPark.exe file.
5. Restart your computer.
6. Delete the Windows\System\Files32.vxd file.

Finished.

Optional checks:

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete any entries that run the main trojan.
2. HKEY_CLASSES_ROOT\.dl
Delete this key (directory); it is created by the worm so that .dl runs like an .exe.
3. Edit WIN.INI and remove the reference to the trojan from the run= line, which is mostly used by backdoors.
4. Edit SYSTEM.INI and remove the reference to the trojan from the shell= line.
It should contain only the Explorer.exe file.
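
The removal steps and optional checks in both sections above can be verified offline against a regedit text export and copies of WIN.INI and SYSTEM.INI. The following is an added example, not part of the original page; it assumes a REGEDIT4-format export, the [windows] and [boot] section names, and that Run/RunServices entries reference the file names given above. The sample inputs are constructed.

```python
import re

OPEN_KEY = r"hkey_local_machine\software\classes\exefile\shell\open\command"
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = [CV + "\\" + n for n in ("run", "runservices")]
WORM_FILES = ("files32.vxd", "prettypark.exe", "pretty~1.exe")  # names from the page
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # string values
# Constructed sample inputs (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
[HKEY_CLASSES_ROOT\.dl]
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

def parse_reg(text):
    """REGEDIT4 export -> {lowercased key path: {value name: string data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and m:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            cur[name.strip('"')] = data
    return keys

def ini_value(text, section, key):
    """Value of key inside [section] of INI text, or None if absent."""
    m = re.search(rf"(?im)^\[{section}\][^\[]*?^\s*{key}\s*=[ \t]*(.*?)\s*$", text)
    return m.group(1) if m else None

def audit(reg_text, win_ini, system_ini):
    """Return (check, offending value) pairs for the points the removal steps touch."""
    reg, found = parse_reg(reg_text), []
    cmd = reg.get(OPEN_KEY, {}).get("@")
    if cmd is not None and cmd != '"%1" %*':       # must be exactly "%1" %*
        found.append(("exefile open command", cmd))
    for key in RUN_KEYS:
        found += [("autorun value", f"{n}={d}") for n, d in reg.get(key, {}).items()
                  if any(f in d.lower() for f in WORM_FILES)]
    if r"hkey_classes_root\.dl" in reg:            # class key created by the worm
        found.append(("class key", r"HKEY_CLASSES_ROOT\.dl"))
    run = ini_value(win_ini, "windows", "run")
    if run:                                        # any run= entry is listed for review
        found.append(("WIN.INI run=", run))
    shell = ini_value(system_ini, "boot", "shell")
    if shell and shell.lower() != "explorer.exe":  # should contain only Explorer.exe
        found.append(("SYSTEM.INI shell=", shell))
    return found
```

Calling audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI) reports the hijacked open command and the .dl class key; an empty list means none of the checked locations still point at the worm.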




Safe Computing : be suspicious of .exe, .shs, .vbs, MS Word and MS Excel file attachments.

  mailto  Michel Beyens
