Date: 11/08/99
- Next message: Kristian Koehntopp: "Re: Re: [PHPLIB] input type file: oohforms"
- Previous message: Shan Vosseller: "[PHPLIB] again=yes problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
(please scroll down to read in English; it's important,
it's about an Internet virus that was spread to my
contact list (address book))
Well, folks,
Some of you received a message from me this morning
talking about a virus. I said I didn't know
exactly what was going on, but now
I do:
It wasn't some prankster as I had thought,
but rather my dimwit sister, who ran a
file she received by email, and that file
was contaminated, or rather, it is itself
an Internet worm called Pretty Park, also
known as Trojan.PSW.CHV, and it's a real pain:
it opens your computer to outsiders and lets
the worm's author obtain your passwords and
even delete your files, besides spreading
by emailing itself to the address book of
the person who ran it (in this case, my address
book, where you were).
I tried running an antivirus, which identified
the worm but COULD NOT REMOVE IT. Below
are instructions on how to do it, if you ran
the program (if you didn't run it, just delete the email
and forget all this).
WARNING: You will need to edit the Windows registry
to follow the instructions below, so if you are not
an experienced user, ask for help.
1. Click Start, Run
2. Type regedit and press Enter. The Windows
Registry Editor will open.
3. Click the + next to HKEY_CLASSES_ROOT
4. Look for a key called exefile and click
the + next to that key
5. Inside that key, click the + next to
shell
6. Click the + next to open
7. Click the command key
8. In the right pane, double-click
(Default)
9. In the dialog box that opens, remove
the files32.vxd command next to "%1" %*
that appears in Value data. Press OK
Note: maybe you can delete the whole command
key, but try that at your own risk.
I'm only passing on what I did, and it worked.
10. Close the Registry Editor
11. Restart the computer
12. Delete the file C:\windows\system\files32.vxd
Step 11 is necessary so that you can delete
that file. If you can't delete it, it's because
something went wrong and the virus is still on the system.
13. Run an antivirus to make sure the
little guy is gone.
I DO NOT CONSIDER MYSELF GUILTY OF YOUR INFECTION
BY THE VIRUS. AN INTERNET WORM (THE MOST FAMOUS OF THEM IS
MELISSA) ONLY INFECTS YOUR COMPUTER IF YOU *KNOWINGLY*
RUN A FILE RECEIVED BY EMAIL, WHICH
CANNOT BE CONSIDERED A SAFE PRACTICE.
THEREFORE I AM SENDING THIS MESSAGE TO HELP YOU
REMOVE THE VIRUS, AND NOT AS A MEA CULPA.
Below is the full description of the virus, in English.
IN ENGLISH:
You receive an email with a .exe file attached from
a guy named Herb (trix), well, me, but not really me.
This file IS AN INTERNET WORM. DO NOT EXECUTE IT,
or you will be infected (well, not really you, but
your computer). Below you will read more information
about this virus. To disinfect it, you may need
to edit the Windows registry, and may need some
help to do it. Ask someone with experience in
this. My jerk sister is responsible for this
inconvenience, and I'm sorry, but the best I can do,
I'm doing...
Name: PrettyPark
Alias: CHV, Pretty Park
'PrettyPark', also known as 'Trojan.PSW.CHV', is an
Internet worm, a password-stealing trojan and a backdoor
at the same time. It was reported to be widespread in
Central Europe in June 1999.
PrettyPark spreads itself via the Internet by attaching its
body to e-mails as a 'Pretty Park.Exe' file. When executed
it installs itself to the system and then sends e-mail
messages with its copy attached to the addresses listed in
the Address Book, and also informs someone (most likely the worm
author) on specific IRC servers about the infected system's
settings and passwords. It can also be used as a backdoor
(remote access tool).
When the worm is executed on the system for the first
time, it looks for a copy of itself already active in memory. The
worm does this by looking for an application that has the
"#32770" window caption. If there is no such window, the
worm registers itself as a hidden application (not visible
in the task list) and runs its installation routine.
While installing itself to the system the worm copies itself to the
\Windows\System\ directory as the FILES32.VXD file and then
modifies the Registry so that it is run each time any EXE file
starts while Windows is active. The worm does this by
creating a new key in HKEY_CLASSES_ROOT. The key name
is exefile\shell\open\command and it is associated with
the worm file (the FILES32.VXD file that was created in the
Windows system folder). If the FILES32.VXD file is deleted
and the Registry is not corrected, no EXE file will ever be
started in Windows from then on.
In case of an error during installation the worm activates the
SSPIPES.SCR screen saver (3D Pipes). If this file is
missing, the worm tries to activate the 'Canalisation3D.SCR'
screen saver.
Then the worm opens an Internet connection and activates two
of its routines. From then on it initializes a socket (Internet)
connection and runs routines that are activated
regularly: the first one once every 30 seconds, the other
one once every 30 minutes.
The first routine, activated once every 30 seconds, tries
to connect to one of the IRC chat servers (see the list below)
and to send messages to someone if he is present on any
channel of that chat server. This allows the worm author to
monitor infected computers.
The list of IRC servers the worm tries to connect to:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
The worm may also be used as a backdoor (remote access tool)
by its author. It can send out system configuration details,
a drive list and directory info as well as confidential
information: Internet access passwords and telephone numbers,
Remote Access Service login names and passwords, ICQ numbers,
etc. The backdoor is also able to create/remove directories,
send/receive files, delete and execute them, etc.
The second routine, which is activated once every 30 minutes,
opens the Address Book file, reads e-mail addresses from there,
and sends messages to those addresses. The message Subject
field contains the text:
C:\CoolProgs\Pretty Park.exe
The message has a copy of the worm attached as a
Pretty Park.EXE file. If someone receives this message and
runs the attached file, his system becomes infected.
[Analysis: AVP, Data Fellows and DataRescue teams]
That's it...
herbert herb <email protected>
www.inf.ufsc.br/~herb
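The registry step in the message above (clearing the files32.vxd loader that sits in front of "%1" %* rather than deleting the command key, which would leave Windows unable to start any EXE) can be checked and corrected against a regedit export before touching the live registry. What follows is an added example, not code from the original message or from the AVP analysis: the .reg file format is regedit's own, the sample export is constructed, the function names (parse_reg_default, analyze_command, repair_reg) and the "known loader" list are this example's, and the live read uses Python's winreg module on Windows only. The stock handler value '"%1" %*' is the Windows default; anything placed in front of it runs before every EXE, which is the hijack technique the worm uses.

```python
"""Detect and repair the HKEY_CLASSES_ROOT\exefile\shell\open\command hijack
used by Pretty Park (FILES32.VXD prepended to the EXE handler).

Added example, not from the original message. Works on a regedit export so it
can be tested offline; on Windows it reads the live key read-only via winreg.
"""
import re
import sys

CLEAN_COMMAND = '"%1" %*'            # stock Windows handler: run the EXE with its args
KNOWN_LOADERS = {"files32.vxd"}      # loader named in the message; matched case-insensitively
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed regedit export showing the hijacked value (REGEDIT4 is the Win9x header).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
'''


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def _escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_reg_default(reg_text, key=EXEFILE_KEY):
    """Return the (Default) string value of `key` from a .reg export, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            return _unescape(line[3:-1])
    return None


def analyze_command(value):
    """Classify an exefile handler string.

    Returns (verdict, loader, cleaned): verdict is 'clean', 'known_loader' or
    'unknown_wrapper'. Whatever precedes "%1" %* is executed before every EXE.
    """
    v = value.strip()
    if v == CLEAN_COMMAND:
        return ("clean", None, CLEAN_COMMAND)
    if v.endswith(CLEAN_COMMAND):
        loader = v[:-len(CLEAN_COMMAND)].strip().strip('"')
        name = loader.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        verdict = "known_loader" if name in KNOWN_LOADERS else "unknown_wrapper"
        return (verdict, loader, CLEAN_COMMAND)
    # Handler rewritten entirely: report it and still propose the stock value.
    return ("unknown_wrapper", v, CLEAN_COMMAND)


def repair_reg(reg_text, key=EXEFILE_KEY):
    """Return .reg text with the handler under `key` reset to "%1" %* (import with regedit)."""
    out, in_key = [], False
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith('[') and s.endswith(']'):
            in_key = s[1:-1].lower() == key.lower()
        elif in_key and s.startswith('@='):
            line = '@="%s"' % _escape(CLEAN_COMMAND)
        out.append(line)
    return "\n".join(out) + "\n"


def inspect_live_registry():
    """Windows only: read the real handler (read-only; apply the fix via regedit)."""
    import winreg
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")


if __name__ == "__main__":
    value = inspect_live_registry() if sys.platform == "win32" else parse_reg_default(SAMPLE_EXPORT)
    verdict, loader, cleaned = analyze_command(value)
    print("handler:", value)
    print("verdict:", verdict, "loader:", loader, "should be:", cleaned)
    if verdict != "clean":
        print("corrected export to import with regedit:\n" + repair_reg(SAMPLE_EXPORT))
```

Run it on a non-Windows machine and it analyzes the constructed export; on Windows it reads the live key. Importing the corrected .reg restores the handler before you reboot and delete files32.vxd, which matches the order of the steps in the message.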
-
PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
the body, not the subject, of your message.
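The AVP description above gives three network-side indicators: connection attempts to the listed IRC servers every 30 seconds, outgoing mail with the subject C:\CoolProgs\Pretty Park.exe, and a Pretty Park.exe attachment. The following is an added example, not code from the original message or the AVP analysis, showing how those indicators can be hunted in gateway logs. The firewall and mail log line formats are constructed for the demonstration (adapt the two regexes to your own gateway), the sample lines and addresses are constructed, and the beacon thresholds (a tolerance of 5 seconds around the 30-second period, at least three attempts) are this example's choice.

```python
"""Hunt for Pretty Park indicators in gateway logs.

Added example, not from the original message or the AVP analysis. Log formats
and sample lines are constructed; the IRC server list, the 30-second cadence,
the mail subject and the attachment name come from the analysis.
"""
import re
from collections import defaultdict

IRC_SERVERS = {
    "irc.twiny.net", "irc.stealth.net", "irc.grolier.net", "irc.club-internet.fr",
    "ircnet.irc.aol.com", "irc.emn.fr", "irc.anet.com", "irc.insat.com",
    "irc.ncal.verio.net", "irc.cifnet.com", "irc.skybel.net", "irc.eurecom.fr",
    "irc.easynet.co.uk",
}
WORM_SUBJECT = r"C:\CoolProgs\Pretty Park.exe"
WORM_ATTACHMENT = "pretty park.exe"
BEACON_PERIOD = 30     # seconds between IRC connection attempts (from the analysis)
BEACON_SLACK = 5       # tolerance on the period (this example's choice)
MIN_BEACONS = 3        # attempts needed before a host is flagged (this example's choice)

# Constructed firewall log: "<epoch> <src> -> <dsthost>:<port> <action>"
FW_LINE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\S+)$")
# Constructed mail gateway log: '<epoch> from=<addr> subject="..." attach="..."'
MAIL_LINE = re.compile(r'^(\d+) from=(\S+) subject="(.*?)" attach="(.*?)"$')

FW_SAMPLE = [
    "929433600 10.0.0.5 -> irc.stealth.net:6667 SYN",
    "929433630 10.0.0.5 -> irc.club-internet.fr:6667 SYN",
    "929433660 10.0.0.5 -> irc.twiny.net:6667 SYN",
    "929433690 10.0.0.5 -> irc.emn.fr:6667 SYN",
    "929433605 10.0.0.9 -> irc.easynet.co.uk:6667 SYN",   # single attempt: a person chatting
    "929433700 10.0.0.9 -> www.inf.ufsc.br:80 SYN",
]
MAIL_SAMPLE = [
    r'929435400 from=user1@example.invalid subject="C:\CoolProgs\Pretty Park.exe" attach="Pretty Park.exe"',
    r'929435460 from=user2@example.invalid subject="Re: [PHPLIB] again=yes problem" attach=""',
    r'929435520 from=user3@example.invalid subject="check this out" attach="pretty park.EXE"',
]


def find_irc_beacons(lines):
    """Return {src: [timestamps]} for hosts dialling the worm's IRC servers
    repeatedly at roughly the 30-second cadence. A lone connection is ignored."""
    hits = defaultdict(list)
    for line in lines:
        m = FW_LINE.match(line)
        if m and m.group(3).lower() in IRC_SERVERS:
            hits[m.group(2)].append(int(m.group(1)))
    beacons = {}
    for src, ts in hits.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_PERIOD) <= BEACON_SLACK]
        if len(periodic) + 1 >= MIN_BEACONS:
            beacons[src] = ts
    return beacons


def find_worm_mail(lines):
    """Return [(sender, reason)] for messages carrying the worm's subject or attachment.
    The attachment check is case-insensitive because mailers may change the case."""
    findings = []
    for line in lines:
        m = MAIL_LINE.match(line)
        if not m:
            continue
        _, sender, subject, attach = m.groups()
        if subject == WORM_SUBJECT:
            findings.append((sender, "subject"))
        elif attach.lower() == WORM_ATTACHMENT:
            findings.append((sender, "attachment"))
    return findings


if __name__ == "__main__":
    for src, ts in find_irc_beacons(FW_SAMPLE).items():
        print("IRC beacon from %s: %d attempts between %d and %d" % (src, len(ts), ts[0], ts[-1]))
    for sender, reason in find_worm_mail(MAIL_SAMPLE):
        print("worm mail from %s (matched on %s)" % (sender, reason))
```

The sender flagged by the mail check is the infected machine's owner, since the worm mails from the victim's own address book; that is the host whose exefile handler needs the repair described in the message.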