W32/Parrot-A

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

and remove any references to any file you deleted.

Close the registry editor.

W32/Parrot-A is an email-aware worm and companion virus.

The worm arrives in an email with the subject line "Parrot screensaver". The body of the email message contains the text "Hehe hey, look at this screensaver :)". The infected attached filename is
parrot.scr.

The worm attempts to send itself to all contacts in the Microsoft Outlook address book, and drops a mIRC (Internet Relay Chat) script which will attempt to send the worm file C:\parrot.scr to other mIRC users.

The companion virus renames files in the Windows directory, renaming .EXE files to .PRT (for instance, calc.exe to calc.prt) and copies itself to the original filename.

The virus also drops an audio file which is opened and played when the virus is run. Furthermore, the virus drops a VBS file which displays a message box which includes offensive text about anti-virus researcher Graham Cluley. The text of the message includes

"You better not fuck on the table Graham Cluley, you son of a bitch. I don't even know the lady and she calls me a son of a bitch!".

The virus changes the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

so that the dropped audio file is opened and the dropped VBS script is run on Windows startup.