South Park computer virus discovered : LUSENET : TB2K spinoff uncensored : One Thread

-- viewer (, March 08, 2000


South Park computer virus discovered

From: Newsbytes News Network

By Sylvia Dennis

McAfee's AVERT (anti-virus emergency response team) division has issued a warning on the SouthPark worm, a variant of the PrettyPark worm discovered earlier this year. The IT security alert operation, a division of Network Associates, said that the warning is a high-risk one, owing to the potential of SouthPark to create e-mail storms. Classified officially as the Pretty.worm.unp worm, the SouthPark worm is known as such because it contains an icon of a character from the animated comedy series.

McAfee says that the worm, which can cause severe network slowdowns when an organization's network is infected, has already been found in numerous Fortune 1000 companies in North America, as well as government organizations, universities and Internet companies. The firm said SouthPark is an Internet worm that installs on Windows 9x/NT systems, and as with most worms, its symptoms may not be obvious to unsuspecting users. The executable arrives via e-mail from affected users who have also run this Internet worm.

E-mails containing this Internet worm have this format:

Subject: C:/CoolProgs/Pretty Park.exe

Test: Pretty Park.exe :)

Attached is the file "Pretty park.exe" and in some cases "Pretty~1.exe."

McAfee said that the worm appears as an attachment with an icon of the South Park character "Kyle." Unlike Melissa, which only spread itself once to the first 50 people in a user's address book, SouthPark sends itself to the entire address book every 30 minutes, potentially causing e-mail storms.

Outlook Express users should look for the e-mail subject line "C:/coolprogs/prettypark.exe." The worm creator, the IT security firm said, has used social engineering techniques by making the e-mail appear to come from a user known to the recipient.

A second function of this worm is that it will also try to connect to an IRC (Internet relay chat) server and join a specific IRC channel. While connected, McAfee said that the worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. While on the determined IRC server, the author of this worm could use the connection as a remote access Trojan in order to get information such as the computer name, registered owner, registered organization, system root path, and dial up networking username and passwords.

Immediate cures for this virus can be found online at the McAfee AVERT site at .

McAfee users, meanwhile, should employ the 4067 DAT file with the 4025 scanning engine to stop potential e-mail storms, which can crash systems.

Copyright © 2000, Newsbytes News Network LLC. All rights reserved.

-- (Bigmouth@work.yet), March 08, 2000.
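
The e-mail format described in the article above can be turned into a mailbox triage check. This is an added example, not part of the original post or of any McAfee tooling. The function names, the sample addresses and the folding of backslashes to slashes are assumptions, and the messages are constructed test data.

```python
import re
from email.message import EmailMessage

# Indicators as quoted in the article. Matching is done on a normalised form
# because the article gives two spellings of the subject line.
SUBJECT_IOC = "c:/coolprogs/prettypark.exe"
ATTACHMENT_IOCS = {"prettypark.exe", "pretty~1.exe"}

def normalise(value):
    """Lower-case, drop whitespace, fold backslashes (assumption) to slashes."""
    return re.sub(r"\s+", "", str(value or "").replace("\\", "/")).lower()

def match_indicators(msg):
    """Return the list of article indicators found in one message."""
    hits = []
    if normalise(msg.get("Subject")) == SUBJECT_IOC:
        hits.append("subject")
    for part in msg.walk():  # visit every MIME part, nested ones included
        name = part.get_filename()
        if name and normalise(name) in ATTACHMENT_IOCS:
            hits.append("attachment:" + name)
    return hits

def triage(messages):
    """Map sender -> hits for flagged messages only. The sender is reported for
    clean-up, not used for matching: the mail comes from a known contact."""
    flagged = {}
    for msg in messages:
        hits = match_indicators(msg)
        if hits:
            flagged.setdefault(str(msg.get("From")), []).extend(hits)
    return flagged

def build_sample(sender, subject, attachment=None):
    """Construct a test message (constructed data, not captured traffic)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("Test: Pretty Park.exe :)")
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

SAMPLES = [
    build_sample("alice@example.com", "C:/CoolProgs/Pretty Park.exe", "Pretty park.exe"),
    build_sample("bob@example.com", "C:/coolprogs/prettypark.exe", "Pretty~1.exe"),
    build_sample("carol@example.com", "Meeting notes", "notes.txt"),
]

if __name__ == "__main__":
    for sender, hits in triage(SAMPLES).items():
        print(sender, hits)
```

The senders it reports are the machines to clean, since each flagged message was sent by an already infected contact.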
