1. Pretty Park Virus info!!!!!
PrettyPark (Also known as Win32.PrettyPark.Worm)
PrettyPark is a worm that propagates by sending its copies through the
Internet by means of the electronic mail system. The worm usually
arrives in one's mailbox as an attachment to the message with the
following Subject: C:\CoolProgs\Pretty Park.exe The attached program -
PrettyPark.exe uses the icon picturing one of the characters from the
South Park movie. When a user runs the attached file, PrettyPark copies
itself to the Windows System directory under the name FILES32.VXD. Next
the worm modifies the registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command changing it to FILES32.VXD
"%1" %*. When PrettyPark is executed, a user may see the
screensaver activated (from files: sspipes.scr or canalisation3d.scr).
Every half an hour the worm will try to send itself (as an email
attachment) to Internet addresses listed in the user's Windows Address
Book. Much more often - every half a minute, PrettyPark will try to
connect to selected IRC channels. It appears that the use of the IRC
channels is intended to inform the author (of the worm) of another
successful installation. Through the use of IRC, PrettyPark can
potentially transfer a lot of sensitive data from an affected system to
the outside world.
The current Anti-virus updates will protect your PCs from this worm. If
your PC has not been updated and has become infected with this worm
please use the following steps to remove the worm:
1. Delete the original email that delivered the worm.
2. Click here to download a small script which will clean up the
registry. (When the file has finished downloading, double click on it to
run the program and clean up the registry).
3. Reboot the computer.
4. Delete the file FILES32.VXD. (You can find this by opening Windows
Explorer and selecting Tools | Find then typing in the filename).
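A check for the registry change described in the first message, given here as an added example that is not part of the original posts or of any vendor's cleanup script: it reads a regedit text export and reports whether the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command still equals the stock "%1" %* or has a program placed in front of it. The function names and both sample exports are constructed for illustration.

```python
import re

# Key and stock value for the handler named in the advisory above.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_DEFAULT = '"%1" %*'  # Windows default: launch the clicked program itself

def default_values(reg_text):
    """Map each key in a regedit text export to its default (@) string value."""
    values, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg syntax escapes backslash and double quote with a backslash
            values[key] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return values

def check_exefile_handler(reg_text):
    """Return (status, extra): status is 'clean', 'hijacked' or 'missing';
    extra is whatever was placed in front of "%1" when hijacked."""
    wanted = EXEFILE_KEY.lower()
    for key, value in default_values(reg_text).items():
        if key.lower() != wanted:
            continue
        if value.strip() == CLEAN_DEFAULT:
            return "clean", None
        return "hijacked", value.split('"%1"')[0].strip()
    return "missing", None

# Constructed sample exports (REGEDIT4 text format), not captured from a real host.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for name, text in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(name, check_exefile_handler(text))
```

Because every .exe launch passes through this one value, any status other than "clean" means some program is started ahead of whatever the user clicked.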
2. Re: Pretty Park Virus info!!!!!
I think "Pretty Park" underscores the
wisdom of the following:
1. Do not post .exe's on this mailing list.
(Ralf, I'm sure you didn't do it deliberately.)
2. If a .exe is posted, delete it. Don't execute it.
That would apply to other immediately-executable files
as well, and would also apply to any e-mail that you
receive from any other sources, unless you are sure
that you know who sent it, and why they sent it.
(Unfortunately the "From:" field in an e-mail can be easily faked.)
Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com