Pretty Park Worm

Andre' Kesteloot
Sat, 04 Mar 2000 15:48:36 -0500

by Dave Murphy,

Internet email users should be on the alert for a variant of
the PrettyPark worm. The new version is known as
W32/Pretty.worm.unp and it is delivered as an email
attachment. When opened, the worm spreads to all
addresses in the user's address book and mails itself
out to the addresses every 30 minutes. The flood of mail
traffic can overwhelm mail servers.

Windows NT users of Outlook Express should look for
the subject line, "C:\coolprogs\prettypark.exe" as a tip off
to having received an infected file.

W32/Pretty.worm.unp is the unpacked edition of the
original "W32/Pretty.worm" Internet worm. It was
discovered on February 15, 2000. Network Associates'
AVERT, in response to the worm's continued, rapid
spread, has upgraded its risk assessment to HIGH for
W32/Pretty.Worm.unp. This risk assessment includes
Windows 95/98/NT systems.

The worm, in addition to mailing itself to all addresses in
the email address book,  will It will attempt to connect to
an IRC server and join a pre-determined IRC channel in
such a way that the worm's author could use the IRC
connection to retrieve private information such as the
computer name, registered owner, registered
organization, system root path, and Dial Up Networking
username and passwords.

To detect and prevent adverse effects from this worm,
I recommend you download and install the most recent
anti-virus DAT files for McAfee VirusScan.

Call for Comments
What do you think? Leave your comments on the
message center:

Network Associates:
McAfee DAT Updates:
Message Center: