
how to kill happy park - virus on suse list



here is info from the Symantec virus database on happypark.exe. Those of 
us like myself accessing this list via Outlook on an NT machine at work :( 
may find this valuable if they opened the attachment.

I verified my registry as clean so as to avoid propagating the little 
bastard.

======================================================================

This worm program behaves similarly to Happy99 Worm. It was originally 
spread by email spamming from a French email address. The original report 
of this worm was submitted through our exclusive Scan&Deliver system on May 
28, 1999 from France.

When the attached program file, PrettyPark.exe, is executed, it may display 
the 3D pipe screen saver. It also creates a file called files32.vxd in the 
Windows\System directory and modifies the following registry entry value 
from "%1" %* to files32.vxd "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it tries to email itself automatically 
every 30 minutes (or 30 minutes after it is loaded) to email addresses 
registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel. 
The worm sends information to IRC every 30 seconds to keep itself 
connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system 
information including the computer name, product name, product identifier, 
product key, registered owner, registered organization, system root path, 
version, version number, ICQ identification numbers, ICQ nicknames, 
victim's email address, and Dial Up Networking username and passwords. In 
addition, being connected to IRC opens a security hole in which the client 
can potentially be used to receive and execute files.

Repair Information

To remove the PrettyPark worm:

1. On the Windows taskbar, click Start > Run.
2. Type REGEDIT, then click OK.
3. Modify the following Registry value:

   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

   and change

   files32.vxd "%1" %*

   to

   "%1" %*

   For clarity, these seven characters are the following: double quote, 
   percent sign, the numeral one, double quote, space, percent sign, and 
   asterisk. Don't forget the space.

4. Delete the PrettyPark.exe file.
5. Restart your computer.
6. Delete the \Windows\System\Files32.vxd file.

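An added example, not taken from the Symantec write-up or from this post, that automates the registry check in step 3 above: it classifies the exefile open-command value as clean, hijacked in the way the write-up describes (a loader prepended in front of "%1" %*), or something else that needs a human look, and reports the value that should be restored. The function names, the constructed sample values and the files32.vxd path check are this example's own assumptions; the live registry read uses Python's standard winreg module and therefore only runs on Windows, where reading HKLM needs no elevation (writing the repair back does).

```python
"""Check the .exe file-association hijack described in the PrettyPark write-up.

Added example, not part of the Symantec write-up or the original post.
The worm prepends its loader (files32.vxd) to the default value of
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command, so that
every .exe launched on the machine runs the worm first.  The clean value is
exactly seven characters: "%1" %*
"""
import ntpath
import os
import sys

DEFAULT_COMMAND = '"%1" %*'
EXEFILE_SUBKEY = r"SOFTWARE\Classes\exefile\shell\open\command"
DROPPED_FILE = "files32.vxd"  # file the write-up says the worm creates


def analyze_exefile_command(value):
    """Classify an exefile open-command value.

    Returns a tuple (status, loader, repaired):
      status   'clean', 'hijacked' or 'unexpected'
      loader   the text found in front of "%1" %* (None unless hijacked)
      repaired the value that should be written back (None if unexpected)
    """
    normalized = " ".join(value.strip().split())  # collapse stray whitespace
    if normalized == DEFAULT_COMMAND:
        return ("clean", None, DEFAULT_COMMAND)
    if normalized.endswith(DEFAULT_COMMAND):
        loader = normalized[: -len(DEFAULT_COMMAND)].strip()
        return ("hijacked", loader, DEFAULT_COMMAND)
    # Some other shape entirely: do not auto-repair, hand it to a human.
    return ("unexpected", None, None)


def dropped_file_path(system_root=None):
    """Return the expected path of the dropped file (\\Windows\\System\\files32.vxd).

    system_root defaults to %SystemRoot%, or C:\\Windows when that is unset.
    ntpath is used so the path is built Windows-style on any platform.
    """
    root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    return ntpath.join(root, "System", DROPPED_FILE)


def read_live_value():
    """Read the live exefile command on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value


def report(value):
    """Produce one human-readable line for a value."""
    status, loader, repaired = analyze_exefile_command(value)
    if status == "clean":
        return "clean: exefile command is the default %s" % DEFAULT_COMMAND
    if status == "hijacked":
        return "HIJACKED: %r runs before every .exe; restore to %s" % (loader, repaired)
    return "unexpected value %r: review manually before changing" % value


# Constructed sample values, not read from a real machine.
SAMPLE_VALUES = {
    "default install": '"%1" %*',
    "PrettyPark (from the write-up)": 'files32.vxd "%1" %*',
    "padded spacing": '  files32.vxd   "%1"   %*  ',
    "something else": r'C:\Tools\wrapper.exe %1',
}

if __name__ == "__main__":
    live = read_live_value()
    if live is not None:
        print("live value:", report(live))
        print("dropped file present:", os.path.exists(dropped_file_path()))
    for label, value in SAMPLE_VALUES.items():
        print("%-32s %s" % (label, report(value)))
```

Running it on a non-Windows box only exercises the constructed samples; on Windows it also reads the live (Default) value and checks for the dropped file. Any value that does not end in the seven default characters is deliberately reported as "unexpected" rather than rewritten, since other software legitimately changes this key and a blind repair could break .exe launching.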
Safe Computing


Because of Worms and Trojan Horse programs, you must practice safe 
computing. Be suspicious of executable file attachments (for example, .exe, 
.shs, or MS Word, or MS Excel files), especially ones from newsgroups or 
unknown sources. For continuous protection, always run Norton AntiVirus 
Auto-Protect and use LiveUpdate to make sure you have the latest virus 
definitions.




Norton AntiVirus users can protect themselves from this virus by 
downloading the current virus definitions either through LiveUpdate or from 
the Download Virus Definition Updates page.

Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: February 28, 2000


"WorldSecure Server <lombard.co.uk>" made the following
 annotations on 03/06/00 13:29:56
------------------------------------------------------------------------------
==============================================================================

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.