I think I ran a virus...

shnikey
01-10-2000, 07:42 PM
I think I just ran a virus. How can I check to see if my system was affected. Any files to check for and what not. I have no antivirus software (i am getting some).
Shnikey
GMAGDNA
01-10-2000, 07:47 PM
A little more info might get a better response. What leads you to believe that you have activated a virus? As for what to check, any virus software will check program files and then will offer options for other file types. Most virii reside in program files (.exe, etc.). You could start with whatever program you opened that leads you to believe you have one.

socalgal
01-10-2000, 07:50 PM
shnikey, go here: http://www.avp.com/ Trial Version, Platinum. They are updated as of today. Run it in DOS, too. Good luck, shnikey!
[This message has been edited by socalgal (edited 01-10-2000).]

shnikey
01-10-2000, 08:01 PM
I got this message and the subject line was: C:\CoolProgs\Pretty Park.exe and the file I ran was: Pretty Park.exe (37.7kb). The body of the message was: Test: Pretty Park.exe :)
After I ran it I started getting Mail Administrator Returned mail messages when I did not even send them out. When I checked the message it sent back, it had that file attached. I am trying the avp right now.
Shnikey

socalgal
01-10-2000, 08:13 PM
What I found here: http://vil.nai.com/vil/vpe10175.asp

Profile
Name: W32/Pretty.Worm
Aliases: Pretty Worm, PrettyPark
Variants: None
Date Added: 6/8/99

Information
Discovery Date: 5/26/99
Origin: France
Type: Virus
SubType: Win32
Risk Assessment: Medium, On Watch
Minimum DAT: 4029

Characteristics
This is a worm that infects Windows 9x/NT files. It arrives via email from infected users.

Symptoms
This program, when run, will display a "3D Pipe" screen saver and then will copy itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the registry key value "command" located in HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause FILES32.VXD to run during the execution of any exe file. This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Internet address book. A second function of this worm is that it will also try to connect to an IRC server and join a specific IRC channel. While connected, this worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. While on the determined IRC server, the author of this worm could use the connection as a remote access trojan in order to get information such as the computer name, registered owner, registered organization, system root path, and Dial Up Networking username and passwords.

Method Of Infection/Installation
Direct execution of the file "Pretty Park.exe".

Removal
Removal is a manual process. Use the following registry information to repair the now modified system registry. Open NOTEPAD and cut and paste this info into a NOTEPAD file; make sure that after the content is pasted into the file, the format is not all on one line. Save the NOTEPAD file as "undo.reg" to the desktop. Double click this file to repair the registry.

----------begin,cut after this line----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
----------end,cut before this line---------

* AVERT Note *
In Notepad, if you cut and paste this information it will paste as such:
REGEDIT4 [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
The problem here is that the .reg file will not work this way. It must be exactly the way it is shown between the dashed lines.

After repairing the registry, delete the files FILES32.VXD and PrettyPark.exe. Reboot the computer. Failure to repair the registry will cause applications not to run.

Removal Instructions
Not Available...

socalgal
01-10-2000, 08:24 PM
Perhaps an easier read.. from Symantec. http://www.symantec.com/avcenter/venc/data/prettypark.worm.html

PrettyPark.Worm
Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
Infection Length: 37,376
Area of Infection: C:\Windows\System, Registry, Email Attachments
Likelihood: Common
Detected as of: June 1, 1999
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Description
This is a worm program that behaves similarly to the Happy99 Worm. This worm program was originally spread by email spamming from a French email address. The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.
When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It will also try to connect to an IRC server and join a specific IRC channel. The worm will send information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel. Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, the victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with June 1, 1999 virus definitions. With the June 9, 1999 definitions or later, the worm will be detected as "PrettyPark.Worm."

Repair Information
Removing this worm manually:
1. Using REGEDIT, modify the Registry entry HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command from FILES32.VXD "%1" %* to "%1" %* (You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.)
2. Delete WINDOWS\SYSTEM\FILES32.VXD
3. Delete the "Pretty Park.EXE" file.
4. Reboot your computer.
You need to do step #1 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD.

Safe Computing
This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.

shnikey
01-10-2000, 08:25 PM
Thank you very much. I think it did the trick. I always tell myself not to run unknown exe files. But I did not listen. Thanks again socalgal.
Shnikey

commodsquad
01-10-2000, 08:25 PM
(duplicate info deleted.....) you all beat me to posting the same exact info..<g> Hope that thing didn't do too much damage to your system....I would say that it is time to get a good AV prog...
[This message has been edited by commodsquad (edited 01-10-2000).]

socalgal
01-10-2000, 08:29 PM
I hope so shnikey! Perhaps put on some permanent AV ware too! ;) hey commodsquad :)

psyklone
01-10-2000, 08:39 PM
hey there! first of all, I'm hoping all is well again with the system. do you still have a copy of that virus on your system anywhere, even in your deleted mail files? if so, could you please mail me a copy. I just got finished checking out a copy of the explore.zip worm and I've been wanting to get a copy of pretty park. please email me a copy of it if you still have it. thanks!

Dreamboat Annie
01-10-2000, 10:44 PM
I received that same virus at work a couple months ago from my overseas agent in Taiwan (I work in the international trade industry), since I was in his email address book. While it is very common to receive attachments from all our agents overseas, this one looked particularly suspicious because of the subject line. It definitely did not look like something he would have sent. Therefore I did not open it. Luckily, our IS dept. in NY also received a copy and emailed all our offices not to open it. Unfortunately two people didn't pay attention and their PCs were affected! The moral of this story is...BEWARE OF SUSPICIOUS EMAIL! Even though it looks like it's from someone you know, chances are they didn't really send it, the virus did. Good luck, shnikey. I hope all goes well with ridding your PC of that awful bug!

Bleep
01-11-2000, 12:19 AM
I have always been wary of EXE files. If I get a virus it is my own fault. If I send it to someone else that is my fault, so I do not keep an address book in my computer; I use a ZIP disk. I loaded a trojan on one of my machines and then sent my mail to another machine; it did not attach itself to the E-Mail. I suppose it was because my address book was not in my machine. I am a real worry wart.
Bleep

Glytzhkof
01-11-2000, 06:30 AM
As the moral goes, one should never run EXE files. If you have to, there are some simple precautions that always must be taken:
1: Do the mandatory virus scan.
2: Enable the virus killer auto protection (with "scan for suspicious activity" enabled).
3: Pull the plug! (Disconnect from the internet. Easy if you are on a LAN, not so easy if you use a modem.)
4: Use special utilities such as RegMon to monitor registry activity.

shnikey
01-11-2000, 08:52 AM
To psyklone, I think I did not delete it but I am not sure. When I get home today I will check. Also, is there any way I can check to see if damage was done? I only had it on there for 20 minutes thanks to socalgal's speedy reply.
Shnikey

SysOpt.com
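A way to check an exported registry key for the exefile hijack that socalgal's quoted NAI and Symantec advisories describe (an added example, not from the thread or from either vendor): it parses a REGEDIT4 export of the kind regedit writes, reports whatever was prepended to the clean "%1" %* command, rejects the key-wrapped-onto-two-lines layout the AVERT note warns about, and builds the same undo.reg text. The export text and the FILES32.VXD hijacked value below are constructed samples.

```python
import re
# Clean default value of exefile's open command; the worm prepends FILES32.VXD to it.
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'

# Constructed samples (not real exports): an infected key, and the same key wrapped onto
# two lines, the copy-paste mistake the AVERT note says makes undo.reg fail.
INFECTED_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
WRAPPED_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\
open\command]
@="\"%1\" %*"
'''

def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key: {name: data}}, undoing regedit's \\" and \\\\ escaping."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])  # quoted string value
            keys[current][name.strip('"')] = data
        else:
            raise ValueError("malformed .reg line (key wrapped onto two lines?): " + raw)
    return keys

def exefile_loader(text):
    """Return '' if the exefile command is clean, the prepended loader if hijacked, None if absent."""
    for key, values in parse_regedit4(text).items():
        if key.lower() == EXEFILE_KEY.lower():
            command = values.get("@", "<missing>")
            if command.endswith(CLEAN_COMMAND):
                return command[: -len(CLEAN_COMMAND)].strip()
            return command  # unexpected shape: report the whole value for inspection
    return None

def undo_reg():
    """Build the REGEDIT4 text that restores the clean command, like the AVERT undo.reg."""
    return 'REGEDIT4\n\n[' + EXEFILE_KEY + ']\n@="\\"%1\\" %*"\n'
```

Run against an export made with regedit's Export function on the real key; a non-empty loader name is the indicator the advisories describe, and parse_regedit4(undo_reg()) confirms the repair file is laid out the way regedit expects.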
Copyright Internet.com Inc. All Rights Reserved.