
Forum Archive Index - March 2000


Re: [sharechat] If you ran the .exe file then here is the fix.


From: "Gary Morrison" <gm@paradise.net.nz>
Date: Tue, 14 Mar 2000 17:30:26 +1300


Great if you can edit the registry, but pretty hard for some... it helps to
use the find option under the edit menu ... enter files32.vxd in as the
search item, you will be led straight to it. The item you need to change is
in the right hand screen, you double click on it to get the edit window
open. Once changed you don't save, just exit the regedit program.

DON'T delete files32.vxd from your hard drive until you have made the
registry change, it's almost impossible to do anything afterwards if you do.

I've recently had to clean a client's machine of this after he sent it to me,
and if you have Windows 2000, as I do, it's all over, you need to reinstall.
Don't ask me how I know this.


----- Original Message -----
From: "Kelvin Worsfold" <kelw@ihug.co.nz>
Sent: Tuesday, March 14, 2000 4:29 PM
Subject: [sharechat] If you ran the .exe file then here is the fix.


> Hi,
>
> If you are unfortunate enough to have run the program prettypark.exe then
> this is the fix.
> *** DO NOT CONNECT TO THE INTERNET UNTIL YOU HAVE FIXED IT ***
>
> Description
>
> This worm program behaves similarly to Happy99 Worm. It was originally
> spread by email spamming from a French email address. The original report of
> this worm was submitted through our exclusive Scan&Deliver system on May 28,
> 1999 from France.
>
> When the attached program file, PrettyPark.exe, is executed, it may display
> the 3D pipe screen saver. It also creates a file called files32.vxd in the
> Windows\System directory and modifies the following registry entry value
> from "%1" %* to files32.vxd "%1" %* without your knowledge:
>
> HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
>
> Once the worm program is executed, it tries to email itself automatically
> every 30 minutes (or 30 minutes after it is loaded) to email addresses
> registered in your Internet address book.
>
> It also tries to connect to an IRC server and join a specific IRC channel.
> The worm sends information to IRC every 30 seconds to keep itself connected,
> and to retrieve any commands from the IRC channel.
>
> Via IRC, the author or distributor of the worm can obtain system information
> including the computer name, product name, product identifier, product key,
> registered owner, registered organization, system root path, version,
> version number, ICQ identification numbers, ICQ nicknames, victim's email
> address, and Dial Up Networking username and passwords. In addition, being
> connected to IRC opens a security hole in which the client can potentially
> be used to receive and execute files.
>
> Repair Information
>
> To remove the PrettyPark worm:
>
> On the Windows taskbar, click Start > Run.
> Type REGEDIT, then click OK.
> Modify the following Registry value:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
>
> and change
>
> files32.vxd "%1" %*
>
> to
>
> "%1" %*
>
> For clarity, these seven characters are the following: double quote, percent
> sign, the numeral one, double quote, space, percent sign, and asterisk.
> Don't forget the space.
>
>
> Delete the PrettyPark.exe file.
> Restart your computer.
> Delete the \Windows\System\Files32.vxd file.
>
>
> ----------------------------------------------------------------------------
> http://www.sharechat.co.nz/          New Zealand's home for market investors
> To remove yourself from this list, please use the form at
> http://www.sharechat.co.nz/forum.html.
>
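An added example, not part of either e-mail: a Python check that reads a regedit export and reports whether the default value of the exefile open command quoted above still equals `"%1" %*`. The function names and the sample exports are constructed for illustration, and it assumes the export has already been decoded to text and stores the value as a plain string.

```python
import re

# Key and expected default value, as given in the post above.
TARGET_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
EXPECTED = '"%1" %*'

def unescape(raw):
    """Undo .reg string escaping: backslash-backslash and backslash-quote."""
    return re.sub(r'\\(["\\])', r"\1", raw)

def default_values(reg_text):
    """Yield (key, value) for every key whose default ("@") string is set."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'@="((?:[^"\\]|\\.)*)"', line)):
            yield key, unescape(m.group(1))

def check_exefile_handler(reg_text):
    """Return a list of findings; empty means the handler matches EXPECTED."""
    findings, seen = [], False
    for key, value in default_values(reg_text):
        if key.lower() != TARGET_KEY.lower():  # registry key names are case-insensitive
            continue
        seen = True
        if value != EXPECTED:
            # Whatever precedes "%1" is launched in place of every .exe the user runs.
            prefix = value.split('"%1"')[0].strip()
            findings.append(f"handler is {value!r}; extra launcher: {prefix or 'unknown'!r}")
    if not seen:
        findings.append("key not present in export")
    return findings

# Constructed sample exports (not taken from a real machine).
HIJACKED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
'''
CLEAN = HIJACKED.replace("files32.vxd ", "")

if __name__ == "__main__":
    for name, text in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(name, check_exefile_handler(text) or "OK")
```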


