Sophos

W32/Pretty

Aliases
  • PrettyPark
  • W32/Pretty.worm.unp
  • TROJ_PRETTY_PARK.

Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

The Sophos Technical Support department has written a batch file which you can use to remove this virus.

Run the batch file, reboot, then run it again.

More Information


On execution of the virus, the file FILES32.VXD is dropped in the Windows system directory and a registry key is changed so that the virus is run every time a program is executed. If the virus is not being executed as a result of this registry key, it launches the 3D Pipes screen saver, if it is available.

Behind the scenes the virus activates two routines. The first emails a copy of the virus to every address in the Windows address book. The email has the subject "C:\CoolProgs\Pretty Park.exe" and the body "Test: Pretty Park.exe :)", and carries the virus as a file attachment with the filename "Pretty Park.exe" and a distinctive icon.

The second routine connects to an IRC server from a list hard-coded in the virus (thirteen servers in the original report).


Once connected, the virus author can use the virus as a backdoor to the infected user's machine. They can find out information about the computer, such as the computer name, operating system version, ICQ number, email address, dial-up username and password, etc. Additionally, they can download, upload and execute files.

To disinfect this virus, the registry key must be changed back before the virus files are removed; otherwise the computer is left in a state where it is difficult to execute programs, because launching any program goes through the changed key. One solution is to copy regedit.exe to regedit.com, since a .com file can still be run while the key is in its changed state.
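The persistence mechanism described above and the disinfection ordering in this section, as an added PowerShell check (this is not the Sophos batch file and is not code from the original report). It assumes the changed key is the EXE file-association command, HKCR\exefile\shell\open\command, which the report itself does not name, and it assumes the stock value of that key is `"%1" %*`.

```powershell
# Added example: detect W32/Pretty persistence and, optionally, undo it in
# the order the report requires (registry first, dropped file second).
# Assumption: the changed key is the EXE association command, which the
# Sophos report does not name. Run from an elevated PowerShell prompt.
param([switch]$Repair)

$dropper  = Join-Path $env:SystemRoot 'System32\FILES32.VXD'  # file named in the report
$legacy   = Join-Path $env:SystemRoot 'System\FILES32.VXD'    # Windows 9x system directory
$assocKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cleanCmd = '"%1" %*'   # assumed stock value: run the program with its arguments

$findings = @()
foreach ($p in @($dropper, $legacy)) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# Read the default value of the association key and see if it routes
# every .exe launch through the worm's dropped file.
$cmd = (Get-ItemProperty -Path $assocKey -ErrorAction SilentlyContinue).'(default)'
$hijacked = $cmd -and ($cmd -match 'FILES32\.VXD')
if ($hijacked) { $findings += "EXE association points at the worm: $cmd" }

if (-not $findings) { Write-Output 'No W32/Pretty indicators found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Repair) {
    # Restore the association BEFORE deleting the file: if the file goes
    # first, .exe launches fail because the key still points at it.
    if ($hijacked) { Set-ItemProperty -Path $assocKey -Name '(default)' -Value $cleanCmd }
    foreach ($p in @($dropper, $legacy)) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }
    Write-Output 'Repair applied; reboot and run this check again.'
}
```

Without `-Repair` the script only reports; with it, the key is restored first and the dropped file removed second, matching the reboot-and-rerun sequence in the Action section.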
