Today at work we got slammed by a new virus, this is no joke, not a chain letter.
I don’t care if you pass it on to anyone.
It will be mailed to you by a friend, someone already infected, with you in their contact list.
It doesn’t do anything too bad that we know of, but what it does do is mail itself to everyone in your contact list, every 30 min. on the dot. This can be quite annoying, and it will fill up your mailbox on the server until you can receive no more email.
When you get it, it will come as an attachment; the name of the attachment will be "prettypark.exe".
But it won’t look like an .exe file. It will look like a .zip file.
DO NOT BE MISLED
Don’t open the attachment, it will infect your computer.
It is hard to remove and most anti-virus software will not pick it up.
Just delete the message, and reply to the person who sent it to you and tell them "Hey man, your computer is sick!"
If you think you got it you can send me an email asking me for help removing it.
It’s tricky; you have to go into the registry to do it.
Matt "Dirty A Sid" Johnston
Friday, October 22, 1999
If You Have Already Opened Pretty.Park.exe
Mary, et al.:
I do not normally reply to all with emails, but in this case I felt it appropriate.
PrettyPark.Worm (aka Trojan Horse, aka W32.PrettyPark) is an email worm affecting Windows 95, 98, and NT machines. Recipients receive a message from an associate and open the attached file, which many have reported believing to be an animation based on the popular "South Park" television series. (I cannot confirm this at this time.)
PrettyPark.Worm originally surfaced in late May of this year in France, and quickly spread across Europe and to the States.
PrettyPark.Worm installs a file named FILES32.VXD in the \Windows\System directory, and modifies the Windows registry key used to control how .EXE files are launched so that the .VXD file is used when launching the .EXE, ensuring the infection is active.
When active, PrettyPark.Worm will attempt to email itself (the file PRETTYPARK.EXE) to everyone in the user's address book every 30 minutes.
Also, PRETTYPARK.EXE will attempt to initiate a connection to an Internet Relay Chat (IRC) channel every 30 seconds, where information about the infected computer may be retrieved covertly.
The online scanners from antivirus.com and mcafee.com, as well as most recently-updated virus scanners, will detect PrettyPark.Worm. Removal (especially when using the online scanners) is complicated by the fact that Windows is using the infected file, thus preventing removal.
A number of sites have listed instructions for removal of PrettyPark.Worm; however, in my own experience with cleanup operations this morning, the instructions given should be modified. Here are the modified instructions.
DO NOT attempt them yourself unless you feel comfortable working with the Windows registry.
1) Using regedit (which may be launched by selecting Start->Run, and entering "regedit" in the line), find the key HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
For the value for the key listed as "(Default)", you will see >FILES32.VXD "%1" %*< (the value is that between the ">" and the "<").
2) Edit the value for (Default) to remove "FILES32.VXD" AND THE SPACE THAT FOLLOWS, so that the new value is >"%1" %*< (the value between the ">" and the "<", including the quotes around the first item).
3) Close regedit.
4) Exit to MS-DOS mode
(For the next steps, which all occur at an MS-DOS prompt, enter the command given between the quotes.)
5) "cd c:\windows\system"
6) "del FILES32.VXD"
7) "exit"
-Albert Croft
Cox Internet
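The registry check in steps 1 and 2 of the message above can also be run against a regedit text export rather than by eye. This is an added example, not part of the original e-mails; the function names and the two sample exports are constructed for illustration, and a REGEDIT4-style export layout is assumed.

```python
import re

# Clean default value for the .exe open handler, as given in step 2 above.
CLEAN_VALUE = '"%1" %*'
KEY_SUFFIX = r"\exefile\shell\open\command"

def unescape_reg_string(raw):
    """Undo .reg string escaping (backslash-quote and double backslash)."""
    return re.sub(r'\\(["\\])', r"\1", raw)

def parse_default_values(reg_text):
    """Return {key_path: (Default) value} for each key in a regedit export."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            values[current] = unescape_reg_string(line[3:-1])
    return values

def check_exe_handler(reg_text):
    """Return (key, value, injected_prefix) for each modified .exe handler."""
    findings = []
    for key, value in parse_default_values(reg_text).items():
        if not key.lower().endswith(KEY_SUFFIX) or value == CLEAN_VALUE:
            continue
        # Anything placed before "%1" is run first on every .exe launch.
        prefix = value.split('"%1"')[0].strip() if '"%1"' in value else value
        findings.append((key, value, prefix))
    return findings

# Constructed sample exports: the state described in step 1, then step 2.
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
"""
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for key, value, prefix in check_exe_handler(INFECTED_EXPORT):
        print(f"MODIFIED {key}: {value!r} (injected: {prefix!r})")
```

A value that differs from `"%1" %*` in any way is reported, so the same check catches handlers other than FILES32.VXD placed in front of `"%1"`.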