Privacy Software Corporation Security Advisory
Tuesday, February 29, 2000
 
 PRETTYPARK 2 INTERNET WORM/TROJAN

SYNOPSIS:

 "Prettypark 2" is a variation of the original "Prettypark" internet worm, which made the rounds early in 1999. The new variant has been compressed by its authors so that the file no longer matches the signature expected by antivirus and antitrojan programs that rely on "pattern match" detection; the behaviour is otherwise that of the original worm. Because our BOClean product uses proprietary methods, BOClean already detects this variant and no update is required to deal with it.

 The Prettypark.exe trojan arrives as an attachment to an email, usually one that appears to come from a trusted, close friend. THE PERSON WHOSE NAME IS ON THAT EMAIL HAS NO IDEA IT WAS SENT, because Prettypark sent the email itself, not the person it appears to be from. Someone infected with Prettypark will not know it is there, and Prettypark gives no indication that it has mailed itself to everyone in that person's address book.

 NOTE: Once you have removed Prettypark from YOUR system, notify everyone in your address book that they should check for Prettypark on their machine and under no circumstances should they run the enclosed prettypark.exe file they received in your name. At the time of this bulletin, *NO* antivirus or antitrojan program other than our BOClean product will detect the presence of this on their machine. It is expected that the antivirus vendors will react with an update at a later time.

 Prettypark installs itself as a file called FILES32.VXD in the Windows SYSTEM folder. Despite the name, this is not a driver or an ActiveX control; it is the worm program itself. Prettypark then alters the registry entry that tells Windows how to open .EXE files, so that every time you start any program, Windows runs FILES32.VXD first: it loads another instance of Prettypark and then passes the program you actually asked for through to the system. Once started, Prettypark goes through your address book and, as a background task, tries to send a copy of itself to everyone in the list, on average every half hour. Your email program is not brought up when it does this. The TROJAN portion of this worm operates through Internet Relay Chat (IRC), announcing your machine on a specifically configured IRC "channel". From that point, anyone monitoring that channel can potentially connect to your machine and access data on your computer.

MANUAL REMOVAL OF PRETTYPARK:

 Prettypark is a difficult trojan to remove manually because improper removal can render the machine impossible to use, owing to the hook in the registry. The registry entry for opening .EXE files now points at FILES32.VXD, which launches the real program on Windows' behalf. If FILES32.VXD is removed BEFORE that registry entry has been repaired, every attempt to start any standard EXE program fails, because Windows can no longer find the file it has been told to run first; since REGEDIT is itself an EXE program, the repair then becomes much harder. Always repair the registry first and delete the file second. Please be VERY careful if you attempt manual removal of the trojan.

 To remove the trojan, please follow these instructions, in this order:

1. Click on the Start button and select RUN.
2. Type REGEDIT /V in the box requesting the name of the program you want to run, then hit Enter.
3. Regedit will appear, consisting of two "panes", one on the left and one on the right. In the left pane, click on the + inside a square next to HKEY_CLASSES_ROOT (usually at the top).
4. A long listing of "subkeys" will now appear in the left pane. Scroll down until you locate the one marked "exefile".
5. You will see a + next to "exefile"; click it. More items will appear.
6. You will see "shell" with a + next to it. Click it. Yet more items will appear.
7. Click on the + next to "open" and you will now see a subkey WITHOUT a + marked "command".
8. Click on the folder icon next to "command".
9. Now look at the bigger pane on the right. You should see an item marked "(Default)" and next to it, under the "Data" heading, the following: FILES32.VXD "%1" %*
10. Double-click on the word "(Default)". This will bring up an "Edit String" dialog.
11. CAREFULLY remove FILES32.VXD and the ONE space after it, leaving ONLY "%1" %* in the edit box. Once you have removed FILES32.VXD and the one trailing space, click OK to save the corrected entry in the registry.
12. Back in the left pane, scroll back up towards the top and look for .dl (with a . in front of dl). If found, click on ".dl" so it is highlighted.
13. If found, RIGHT-click on the highlighted .dl entry. A popup menu will appear. Select DELETE and confirm the delete operation. Be SURE you have clicked on ".dl" and no other entry in the registry. If ".dl" is not found, don't worry.
14. Close REGEDIT.
15. Now use the file explorer and navigate to the C drive, then the WINDOWS folder, and finally the SYSTEM folder. If your copy of Windows refuses to show the files, click on the SHOW FILES link in the window to get there.
16. Look for a file called FILES32.VXD and delete it.
17. Removal is now complete enough to prevent this trojan from running again unless you run the prettypark.exe file again. To prevent this, delete the attachment from your email folder.
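The following is an added example, not code from the Privacy Software Corporation advisory or from BOClean. It performs the same check and repair the manual procedure above describes, and illustrates the EXE-association hook explained earlier, but it works on a text export made with REGEDIT (Registry > Export Registry File) instead of the live registry, so it runs offline and changes nothing by itself: it reports whether the exefile command is hooked by FILES32.VXD and whether the .dl key is present, and builds a REGEDIT4 fragment that does what steps 11 and 13 do by hand. The two sample exports are constructed for this example; the key paths, value names and the `FILES32.VXD "%1" %*` string are the ones the advisory gives.

```python
"""Check a REGEDIT4 export for the PrettyPark EXE-association hook and build the repair.

Added example; not code from the advisory. Works on a .reg text export, never on the
live registry. Sample exports below are constructed.
"""
import re

# Constructed sample of a REGEDIT4 export from an infected Windows 9x machine,
# trimmed to the keys the advisory talks about plus one healthy association.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.dl]
@="dlfile"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

# The same machine after steps 11 and 13 of the advisory (also constructed).
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DL_KEY = r"HKEY_CLASSES_ROOT\.dl"
HOOK_NAME = "FILES32.VXD"
CLEAN_EXE_COMMAND = '"%1" %*'   # step 11: what must remain once the hook is cut out


def reg_unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def reg_escape(s):
    """Escape a string for a .reg file (inverse of reg_unescape)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text):
    """Return {key path: {value name: data}} for a REGEDIT4 export.

    Quoted string values are decoded; hex/dword values are kept raw, since the keys
    this check needs are plain strings. "@" is reported as "(Default)" like regedit.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = reg_unescape(data[1:-1])
            keys[current][name] = data
    return keys


def exe_hook(keys):
    """Return the hooked exefile command (step 9's FILES32.VXD "%1" %*), or None if clean."""
    cmd = keys.get(EXE_COMMAND_KEY, {}).get("(Default)", "")
    return cmd if cmd.upper().startswith(HOOK_NAME) else None


def repaired_exe_command(cmd):
    """Cut 'FILES32.VXD' plus the single space after it, exactly as step 11 does by hand."""
    prefix = HOOK_NAME + " "
    if cmd[:len(prefix)].upper() != prefix:
        raise ValueError("not the FILES32.VXD hook: %r" % cmd)
    fixed = cmd[len(prefix):]
    if fixed != CLEAN_EXE_COMMAND:
        # Anything else would change how every EXE is launched; stop rather than guess.
        raise ValueError("unexpected remainder after hook: %r" % fixed)
    return fixed


def repair_reg_file(keys):
    """Build a REGEDIT4 fragment that restores the exefile command and deletes .dl.

    Import it with regedit BEFORE deleting FILES32.VXD: once the EXE association
    points at a file that no longer exists, no ordinary program (regedit included)
    will start. Returns None when the export shows no trace of the hook.
    """
    cmd = exe_hook(keys)
    has_dl = DL_KEY in keys
    if cmd is None and not has_dl:
        return None
    lines = ["REGEDIT4", ""]
    if cmd is not None:
        lines += ["[%s]" % EXE_COMMAND_KEY,
                  '@="%s"' % reg_escape(repaired_exe_command(cmd)), ""]
    if has_dl:
        lines += ["[-%s]" % DL_KEY, ""]   # a leading '-' on the key deletes it on import
    return "\n".join(lines)


if __name__ == "__main__":
    infected = parse_reg_export(SAMPLE_EXPORT)
    print("hooked command:", exe_hook(infected))
    print(repair_reg_file(infected))
    print("clean export hooked?", exe_hook(parse_reg_export(CLEAN_EXPORT)) is not None)
```

The repair fragment is deliberately strict: if anything other than `"%1" %*` remains after the hook name is cut off, the script refuses to write a fragment rather than guess at a new EXE association, because that one value controls how every program on the machine is launched. Importing the fragment is the equivalent of steps 11 and 13; deleting FILES32.VXD from the SYSTEM folder (step 16) still has to come after it.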

Use of Privacy Software Corporation's BOClean program will safeguard against this and over 300 other trojan horse programs automatically, without having to go through all this and without risk of damage.

COPYRIGHTED MATERIAL:

Copyright (c) 2000 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information, nor should any be construed from the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the Prettypark.exe distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. A written request must be sent to Privacy Software Corporation in order for us to cooperate. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.
