W32/Pretty.Worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 05/26/1999
- Length: 37,376
- Minimum DAT: 4029 (06/09/1999)
- Updated DAT: 4029 (06/09/1999)
- Minimum Engine: 5.1.00
- Description Added: 06/08/1999
- Description Modified: 04/03/2003 9:35 AM (PT)
Characteristics
--- Update April 03, 2003 ---
Avert has received a few samples from the field which have been incorrectly detected as W32/Pretty.gen@MM using the 4255 DATs. If your scanner detects this worm and you believe it to be a false detection, please submit a sample to virus_research@avertlabs.com.
This worm tries to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express.
A second function of this worm is that it also tries to connect to an IRC server and join a specific IRC channel. While connected, the worm keeps the connection alive by sending information to the IRC server, and retrieves any commands posted to the IRC channel. While connected to that IRC server, the author of this worm could use the connection as a remote access trojan to obtain information such as the computer name, registered owner, registered organization, system root path, and Dial Up Networking usernames and passwords.
Symptoms
Emails containing this Internet worm have this format:
-------------
Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)

-------------
This program, when run, copies itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the command value under the registry key:
HKLM\Software\CLASSES\exefile\shell\open
from "%1" %* to FILES32.VXD "%1" %*. In effect, this causes FILES32.VXD to run whenever any .exe file is executed.
Method of Infection
Direct execution of the file "Pretty Park.exe" will install to the local system as mentioned above.
On a side note, an email message containing misinformation about the damage done by PrettyPark has recently been circulating. This Internet worm does not delete files and does not damage the hard drive. Below is a copy of a message you may or may not receive about this Internet worm; if you receive such a message, direct the sender to this description to set them straight:
-------copy of misinformed alert--------
Hi Everyone,
DO NOT OPEN "PRETTY PARK." It is a virus that
will erase your whole "C"
drive. It will come to you in the form
of an e-mail from a familiar person.
I repeat DO NOT OPEN. DELETE RIGHT AWAY.
I don't know how it gets into your address
book, but a "friend" sent it to me. Luckily for
me I had not opened it yet. She was not as
lucky and now she can't even start her computer!
Forward this to everyone in your address book.
I would rather receive this warning 25 times
than not receive it once!
-------end copy of misinformed alert--------
Removal
The procedure for removing this trojan is complicated by the depth to which the trojan hooks the operating system.
One trick that AVERT has discovered is to copy the registry editing program from its original .EXE extension to a .COM extension (as in REGEDIT.COM). Because the trojan hooks the execution of .EXE files, this bypasses the restriction that would otherwise require removing the trojan before the registry can be edited. This allows you to remove the references to trojans and Internet worms.
To repair the registry via a registry script file, download this UNDO.REG file, and open it.
1) Identify and note the files associated with this trojan as detected by the scanner.
2) Click START|RUN, type
COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER
3) Click START|RUN, type REGEDIT.COM and hit ENTER
4) Remove references to the trojan from these keys of the registry:
HKCR\exefile\shell\open\command\
HKLM\Software\CLASSES\exefile\shell\open\command
They should contain only the value shown here, not including the brackets:
["%1" %*]
5) If applicable, remove any keys that run the main trojan under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName\
6) If it exists, delete the registry key
HKEY_CLASSES_ROOT\.dl
and exit Regedit.
7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well, the files will delete without error. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
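The Symptoms section and removal steps 4 and 5 describe which registry values the worm changes. As an added example (not AVERT's tooling, and not part of the original description), the following Python script checks a REGEDIT4 export for those two indicators: an exefile open command that is no longer exactly "%1" %*, and Run/RunServices entries referencing FILES32.VXD. The export text and the value name "Example" are constructed for illustration.

```python
# Default exefile open command named in the description; anything else is suspect.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'
# File name the worm installs under WINDOWS\SYSTEM, from the description.
WORM_FILENAME = "FILES32.VXD"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample of what a REGEDIT4 export from an infected Windows 9x
# system could look like; the "Example" value name is invented, not a real IoC.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\WINDOWS\\SYSTEM\\FILES32.VXD"
'''

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # Undo the REGEDIT4 escaping of embedded quotes and backslashes.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys

def find_pretty_park_indicators(keys):
    """Return (key, value_name, data) tuples matching the worm's registry changes."""
    hits = []
    cmd = keys.get(EXEFILE_KEY, {}).get("@")
    if cmd is not None and cmd != EXPECTED_EXEFILE_COMMAND:  # step 4 check
        hits.append((EXEFILE_KEY, "@", cmd))
    for key in AUTORUN_KEYS:  # step 5 check
        for name, data in keys.get(key, {}).items():
            if WORM_FILENAME.lower() in data.lower():
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for hit in find_pretty_park_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("suspicious:", hit)
```

Export the keys with REGEDIT.COM (step 3) and run the script on the resulting .reg file to confirm the values listed in steps 4 and 5 were cleaned.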
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.PrettyPark
- Pretty Worm
- PrettyPark
- W32/Pretty.gen@MM
- W32/Pretty.worm.gen@MM