ABOUT THE VIRUS

[Guest guest]

MINE CAME FROM A MILITARY MOMMIES LOOP, YOU WOULD THINK THAT IS SAFE!

It's back. The W32/Pretty.worm.unp (a.k.a. W32.PrettyPark) is back as a variant containing an unpacked version of the executable. Masquerading as an image of from the Comedy Central series South Park, the W32/Pretty.worm.unp is a fairly standard e-mail worm, that forwards itself to everyone in your e-mail address book. While the virus is not destructive, it can cause surges in e-mail volume, which in turn can cause bandwidth problems if many computers on the same network are infected.

Pretty Park arrives as a message from someone who has your e-mail address in his or her address book, the attached file shows up with a picture of from South Park for an icon. That this virus arrives as an attachment from someone you know, you might be tempted to let down your guard and open the attached program. Don't. In general, unless you're expecting a file, don't ever open an e-mail attachment, especially an executable file. And, to be safe, you should scan every e-mail attachment you receive, regardless of the source.

There are clues that the Pretty Park message contains a virus. For starters, the subject line reads, "C:\CoolProgs\Pretty Park.exe," the file may also show up as PRETTY~1.EXE. It's interesting to note that one rarely receives messages with a file name and path as the header. The next clue to the virulence of the message comes from the message itself, "Test: Pretty Park.exe :)" which is followed by the name of the sender. Again, this isn't a typical message someone you know would be likely to send you.

Should you be unfortunate enough to execute the PRETTY PARK.EXE file, you may see the Windows screen saver pipes, or you may see nothing. Meanwhile the virus hooks into your system so that it will execute at startup, and begins sending itself to everyone in your address book. While it's emailing, it will also try to log into IRC. Once connected to IRC, the author of the virus could scan your system to find your dial up networking usernames and passwords, and other, less sensitive information.

Cleaning up isn't too much trouble. If you have a commercial anti-virus package, the latest update should have a fix for this virus. You can download the latest anti-virus software updates from ZDNet Updates.com and free demos of the leading anti-virus programs from the Software Library. If not, you'll have to break out a few Windows tools and make a go of a self-cleaning job. Your first task is to fire up the Windows registry editor (REGEDIT.EXE for Windows 9x or REGEDT32.EXE for NT). You can execute these programs from the run command on the start button, or by typing in the program name at an MS DOS prompt. The main part of the infection will be found in the registry keys that are used for automatic program loading. While installing, the virus will have copied itself to FILES32.VXD, this is the name to look for while editing your registry. Be careful as you work, any programs that are legitimately loaded at Windows startup will be listed under these keys, and you don't want to delete those. Infected registry keys will read files32.vxd ""%1" %* is the only program you find listed, you'll want to replace it with the string, including the quotation mark, ""%1" %* The keys you need to check to see if they contain FILES32.VXD are: HKEY_CLASSES_ROOT\exefile\shell\open\command\ HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile \shell\open\command\ HKEY_LOCAL_MACHINE\Software\CLASSES\exefile \shell\open\command\ KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\Run\ You also need to delete the registry key set up by the virus, delete the whole entry: HKEY_CLASSES_ROOT\.dl Finally, take a look at your WIN.INI. Check under the [windows] heading, and see if FILES32.VXD is listed in the "run=" command. Also check over your SYSTEM.INI file to see if FILES32.VXD had added itself under the [boot] section to the "shell=" line. The only thing that belongs on the "shell=" line is EXPLORER.EXE. Once you've scrubbed your registry and system files, reboot. Now use the Windows Explorer, or start button, find files command to search for two files. First search all local rewritable drives for FILES32.VXD. Delete every instance. Now search for "PRETTY*.*". Delete every PRETTY PINK.EXE or every PRETTY~1.EXE. Now, hit Outlook or Outlook Express and make doubly certain the virus e-mail is deleted from every folder. Empty the deleted items folder. Close Outlook or Outlook Express. Empty the Recycle Bin. Reboot again for safe-keeping, and you're done. By the way, if you do get infected, resist temptation and don't send and apology e-mail to everyone in your inbox—they've heard from you enough for one day