
 

The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 


Virus and Malware Alerts

 

We Build the Best & Repair the Rest! ©

 

Alerts May 2000


 

 


 

 



 

 

 

 

Top 10 malware reported to Sophos in May 2000

Position  Last month  Malware          Percentage of reports
1         New         VBS/LoveLet      36.7%
2         1           VBS/Kakworm      18.8%
3         2           W32/Pretty       6.4%
4         7           W32/Ska-Happy99  3.4%
5         Re-entry    WM97/Marker-A    2.3%
6         3           WM97/Marker-O    1.8%
7         Re-entry    Troj/Mine        1.4%
8         7           WM97/Proverb-A   1.4%
9         Re-entry    WM97/Melissa     1.4%
10        New         VBS/Netlog       1.3%
Others                                 25.1%

 

 

This section helps you to understand how the W32/Pretty virus behaves.


When the virus is executed, it drops the file FILES32.VXD in the Windows system directory and the registry key is changed. This ensures that the virus is resident every time a program is executed. If the virus was not started as a result of this registry key, it launches the 3D Pipes screen saver if it is available.

 

Behind the scenes, the virus activates two routines. The first emails a copy of the virus to all the addresses in the Windows address book. The email has the subject "C:\CoolProgs\Pretty Park.exe" and the body "Test: Pretty Park.exe :)". It also carries the virus as a file attachment, with the filename "Pretty Park.exe" and the icon:

The second routine connects to one of a list of IRC servers.

 

Once connected, the virus author can use the virus as a backdoor to the infected user's machine. They can find out information about the computer, such as the computer name, operating system version, ICQ number, email address, and dial-up username and password. They can also download, upload, and execute files.

 

To disinfect this virus, the registry key must be changed back before the virus files are removed; otherwise the computer will be left in a state where it is difficult to execute programs. One solution is to copy regedit.exe to regedit.com, so that the Registry Editor can be started as a .com file rather than an .exe file.
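The mass-mailing routine described above puts fixed markers in every message it sends, so stored or quarantined mail can be screened for them. The following is an added example, not part of the original alert: it checks a raw message for the subject, body text and attachment name quoted above. The function names, the triage labels and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Markers quoted in the alert text above.
SUBJECT = r"C:\CoolProgs\Pretty Park.exe"
BODY_MARK = "Test: Pretty Park.exe :)"
ATTACHMENT = "pretty park.exe"


def indicators(raw: bytes) -> set:
    """Return which of the alert's markers appear in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg["Subject"] or "").strip().lower() == SUBJECT.lower():
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Compare the base name only, so a path prefix does not hide a match.
        name = (part.get_filename() or "").replace("\\", "/").split("/")[-1]
        if name.strip().lower() == ATTACHMENT:
            hits.add("attachment")
        elif not name and part.get_content_type() == "text/plain":
            if BODY_MARK in part.get_content():
                hits.add("body")
    return hits


def triage(raw: bytes) -> str:
    """'match' = attachment plus another marker; 'review' = any single marker."""
    hits = indicators(raw)
    if "attachment" in hits and len(hits) >= 2:
        return "match"
    return "review" if hits else "clean"


def sample(subject: str, body: str, attach_name: str = "") -> bytes:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(sample(SUBJECT, BODY_MARK, "Pretty Park.exe")))
```

A "review" result means only one marker was present, for example the attachment name with a different subject line, and the message deserves a manual look rather than automatic deletion.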

 

 

 


 

 


 

 

 

Copyright © 1998 The Computer Guys
