[All About PC] Virus Pretty.worm.unp

Latest Reviews

ABIT VP6

ASUS A7V133

EPOX 8KTA3+

DEEP OCEAN SCREEN SAVER

Reviews

Mainboards:
	EPOX 8KTA3+
	ASUS A7V133
	ABIT VP6
	PC133 ON BX-BOARDS
Graphics Cards:
	ABIT SILURO T400
CD-ROM:
	ASUS CD-S500/A
	TEAC CD-540E
	MITSUMI FX 4820
CD-Writers:
	PLEXWRITER 12/10/32A
	MITSUMI CR-4805TE
	MITSUMI CR-4804TE
	LG CED-8042B
Software:
	DEEP OCEAN SCREEN SAVER

Virus Descriptions

	LOVELETTER
	PLAGE2000
	W32/MELTING
	W32/MYPICS
	W32/NEWAPT
	W32/PRETTY
	BABYLONIA
	SANTANA
	W97M/LENNI
	W97M/MELISSAT
	W97M/MICHAEL-B
	W97M/PRILISSA
	FUNLOVE
	WIN95.SMASH

Danger
Diffusion

The unpacked version of the W32/PrettyPark.worm

W32/Pretty.worm.unp:

virus name	W32/Pretty.worm.unp
operating systems	Windows 9x/NT
aliases	I-Worm.Prettypark.unp, Pretty Park.exe, Southpark Trojan
type	Trojan, worm

Infection:
The virus is transfered via E-mail. As soon as the attachment is opened the payload is started. The attachment contains an .EXE-file, which is represented by Kyle from SouthPark. The Email looks like:

Subject:	C:\CoolProgs\Pretty Park.exe
Text:	Test Pretty Park.exe :)
Attachment:	(sometimes "Pretty^~1.exe", too)

Payload:
The virus tries to send E-mails to all adresses in the Outlook adressbook every 30 minutes.
A second routine tries to connect to the IRC-server. If it gets a connection, it tries to hold it by sending data, to gat all commands from the IRC-channel. As long as this is possible, the virus author could use the virus as a trojan. He can get information from you, such as computer name,registered users, passwords etc.

Deleting the virus:

Use a virusscan and note all infected virusfiles. Do not remove the virus! If you did, follow steps 10-12.
Start Regedit (Start => Run => 'Regedit' or 'Regedt32' under NT)
Remove the references of the virus from the following registry keys:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command (if exists)

All this keys should only contain the value "%1%*".
If possible, remove all keys, that start the virus, under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Remove the registry key (if it exists)
HKEY_CLASSES_ROOT\.dl
and close the registry-editor.
Edit the WIN.INI under Windows und delete all references to the virus under the run-line in [windows].
Edit the SYSTEM.INI und remove the virus from the shell-line under [boot].
Restart your PC.
Remove all virusprograms (find under 1). If a removal is impossible, retry 1-8.
If you have deleted the virus before correcting the registry, you should repair this immediately. Start your PC in MS-DOS mode and create a file UNDO.REG. Edit this file by entering the following commands:
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
Save the file in the windows directory as UNDO.REG.
Start Windows and start (Start => Run) the UNDO.REG-file. The registryfiles should be imported.

Remarks:
The virus is the unpacked version of the virus W32/PrettyPark.worm.

more reports:
http://vil.nai.com/vil/wm98500.asp

Copyright by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any reproduction or publication without the agreement of the editorial office is prohibited. Please respect the work of others.
Although all information on this website is hardly recherched and mostly checked and confirmed from secondary side, we do not take the responsibillity for any damage originated from the use of the information on our site.