Name: W32/Pretty.Worm
Aliases: I-Worm.PrettyPark, Pretty Worm, PrettyPark
Variants: None
Related Downloads: Zipped "undo.reg" to undo the registry changes made by this Internet worm on NT/95/98 (download link)
Date Added: 6/8/99

Information
Discovery Date: 5/26/99
Origin: France
Length: 37,376
Type: Trojan
SubType: worm
Risk Assessment: Medium
Minimum DAT: 4029
Minimum Engine: 4.0.25
Characteristics
This is a worm that infects Windows 9x/NT files. It arrives via email from infected users and appears with the icon of the character "Kyle" from the animated comedy series "South Park".

Every 30 minutes the worm attempts to email itself automatically to all email addresses listed in the Windows Address Book used by Outlook Express.

A second function of this worm is that it also tries to connect to an IRC server and join a specific IRC channel. While connected, it keeps the session alive by sending information to the IRC server and retrieves any commands posted to the IRC channel. While connected to that IRC server, the author of this worm could use the connection as a remote access trojan to obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking usernames and passwords.
Symptoms
Emails containing this Internet worm have this format:
-------------
Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)
-------------
This program, when run, copies itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the "command" value of the registry key
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
from "%1" %* to FILES32.VXD "%1" %*. In essence this causes FILES32.VXD to run whenever any .exe file is executed.
See the related description of W32/Pretty.worm.unp.
Method Of Infection
Direct execution of the file "Pretty Park.exe" installs the worm on the local system as described above.
Removal Instructions
Removing this trojan is complicated by the depth to which it hooks the operating system. The following procedure should remove the Trojan. With Windows 95/98 the registry can be loaded and edited using the program named REGEDIT; in Windows NT you use REGEDT32.
1) Identify and note the files associated with this trojan as detected by the scanner - do not remove the trojan at this time. If you have already removed the trojan, you will not be able to run the REGEDIT steps below on the affected system. Proceed instead to step 11 listed below.
2) Open an MS-DOS prompt via the menu, or click on START|RUN, type COMMAND and press ENTER.
3) At the prompt, type START COMMAND and press ENTER, then start Regedit in Windows 95/98 by typing REGEDIT, or in Windows NT by typing REGEDT32, and press ENTER.
4) Remove references to the trojan from these keys of the registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command\ (if this exists)
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
They should contain only the value ["%1" %*] (not including the square brackets).
5) If applicable, remove any keys that run the main trojan under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
6) If applicable, delete the registry key
HKEY_CLASSES_ROOT\.dl
if it exists, and exit Regedit.
7) If applicable, edit WIN.INI and remove the reference to the
trojan from the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the
trojan from the shell= line in the [boot] section. It should just
contain the file EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well the files should
be deleted OK. If you get an error message saying that windows is
unable to delete the file because it is in use, then you have made
an error in the above procedure. Repeat steps 1 to 9 and try again.
11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS EDIT, create a file called UNDO.REG with the following content (you can cut and paste):
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
12) Save this file to the Windows folder of the affected system as the file "UNDO.REG".
13) Click on START|RUN, type in UNDO.REG and press ENTER. The contents of UNDO.REG should now be imported into the registry.
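The hijacked "command" value described under Symptoms and the UNDO.REG repair in steps 11 to 13 can both be checked mechanically. The following Python script is an added example, not part of this description or of any McAfee tool: it parses the REGEDIT4 text format that UNDO.REG uses, reports whether an exefile open command still has a loader in front of "%1" %*, and generates a clean UNDO.REG for the keys listed in step 4. The INFECTED_EXPORT sample is constructed for the example, and all function names are the example's own.

```python
import re

# Default data of the exefile "open" command on a clean Windows 9x/NT system,
# as given in the description above.
EXPECTED_COMMAND = '"%1" %*'

# Keys the removal procedure (step 4) says to check, quoted as the page lists them.
EXEFILE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches   @="..."   or   "name"="..."   with backslash escapes inside the quotes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def unescape_reg_string(quoted_body):
    """Undo REGEDIT4 string escaping (a backslash before a quote or backslash)."""
    return re.sub(r'\\(["\\])', r"\1", quoted_body)


def escape_reg_string(text):
    """Apply REGEDIT4 string escaping (backslashes first, then quotes)."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def parse_regedit4(text):
    """Parse string values from a REGEDIT4 export into {key: {name: data}}.

    Only quoted string values (the kind UNDO.REG uses) are decoded; dword/hex
    values are ignored. The default value is stored under the name "@".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name_token, data_token = value_match.groups()
            name = "@" if name_token == "@" else unescape_reg_string(name_token[1:-1])
            keys[current][name] = unescape_reg_string(data_token[1:-1])
    return keys


def classify_command(data):
    """Return ("ok", None) or ("hijacked", loader) for an exefile command value."""
    if data == EXPECTED_COMMAND:
        return ("ok", None)
    # Anything placed in front of "%1" %* runs before every .exe launch; that is
    # exactly the FILES32.VXD "%1" %* change the description reports.
    if data.endswith(EXPECTED_COMMAND):
        return ("hijacked", data[: -len(EXPECTED_COMMAND)].strip())
    return ("hijacked", data)


def audit_exefile_command(export_text):
    """Audit every exefile command key found in a REGEDIT4 export (case-insensitive)."""
    parsed = parse_regedit4(export_text)
    by_lower = {k.lower(): v for k, v in parsed.items()}
    findings = {}
    for key in EXEFILE_COMMAND_KEYS:
        values = by_lower.get(key.lower())
        if values and "@" in values:
            findings[key] = classify_command(values["@"])
    return findings


def build_undo_reg(keys=EXEFILE_COMMAND_KEYS):
    """Generate REGEDIT4 text that resets each key's default value to "%1" %*."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.append(f"[{key}]")
        lines.append(f'@="{escape_reg_string(EXPECTED_COMMAND)}"')
        lines.append("")
    return "\n".join(lines)


# Constructed sample: what a REGEDIT4 export of the "command" key looks like on a
# system where the worm has installed itself (not a real capture).
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''

if __name__ == "__main__":
    for key, (verdict, loader) in audit_exefile_command(INFECTED_EXPORT).items():
        print(f"{key}: {verdict}" + (f" (loader: {loader})" if loader else ""))
    print(build_undo_reg())
```

To use it on a real system, export the keys from step 4 with REGEDIT to a text file and pass the file contents to audit_exefile_command; a verdict of "hijacked" with loader FILES32.VXD matches the Symptoms above, and build_undo_reg produces the same escaped form (@="\"%1\" %*") as the UNDO.REG shown in step 11.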