
Forum Archive Index - March 2000


[sharechat] If you ran the .exe file then here is the fix.


From: "Kelvin Worsfold" <kelw@ihug.co.nz>
Date: Tue, 14 Mar 2000 16:29:38 +1300


Hi,

If you are unfortunate enough to have run the program prettypark.exe then
this is the fix.
*** DO NOT CONNECT TO THE INTERNET UNTIL YOU HAVE FIXED IT ***

Description

This worm program behaves similarly to Happy99 Worm. It was originally
spread by email spamming from a French email address. The original report of
this worm was submitted through our exclusive Scan&Deliver system on May 28,
1999 from France.

When the attached program file, PrettyPark.exe, is executed, it may display
the 3D pipe screen saver. It also creates a file called files32.vxd in the
Windows\System directory and modifies the following registry entry value
from "%1" %* to files32.vxd "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it tries to email itself automatically
every 30 minutes (or 30 minutes after it is loaded) to email addresses
registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel.
The worm sends information to IRC every 30 seconds to keep itself connected,
and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information
including the computer name, product name, product identifier, product key,
registered owner, registered organization, system root path, version,
version number, ICQ identification numbers, ICQ nicknames, victim's email
address, and Dial Up Networking username and passwords. In addition, being
connected to IRC opens a security hole in which the client can potentially
be used to receive and execute files.

Repair Information

To remove the PrettyPark worm:

On the Windows taskbar, click Start > Run.
Type REGEDIT, then click OK.
Modify the following Registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

files32.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent
sign, the numeral one, double quote, space, percent sign, and asterisk.
Don't forget the space.


Delete the PrettyPark.exe file.
Restart your computer.
Delete the \Windows\System\Files32.vxd file.






----------------------------------------------------------------------------
http://www.sharechat.co.nz/          New Zealand's home for market investors
To remove yourself from this list, please use the form at
http://www.sharechat.co.nz/forum.html.
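
Added example, not part of the original post: a check of the exefile open command described above, run against a text export of the registry rather than the live registry. It assumes a REGEDIT4-style export containing plain string values; the two sample exports are constructed for illustration.

```python
import re

# Key and stock value as given in the post.
KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
EXPECTED = '"%1" %*'

# Constructed sample exports (REGEDIT4 escapes each " inside a value as \").
CLEAN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = CLEAN.replace('@="', '@="files32.vxd ')

LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {lowercased key path: {value name: data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = LINE.match(line)
            if m:
                name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
                current[name] = unescape(m.group(2))
    return keys

def check_exe_handler(text):
    """Classify the exefile open command: ok, prefixed, modified or missing."""
    values = parse_reg(text).get(KEY.lower(), {})
    if "" not in values:
        return ("missing", None)
    value = values[""]
    if value == EXPECTED:
        return ("ok", value)
    if value.endswith(EXPECTED):
        # Something was placed in front of the stock value, as the worm does.
        return ("prefixed", value[: -len(EXPECTED)].strip())
    return ("modified", value)

if __name__ == "__main__":
    for label, export in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, check_exe_handler(export))
```

The comparison is exact, so a repaired value that is missing the space is reported as "modified" rather than "ok".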
