New Pretty Park virus in the wild

The Trojan horse, which arrives as an email attachment called prettypark.exe, has already victimised some universities and corporations
Written by ZDNet UK, Contributor

A new variant of last year's "Pretty Park" virus is making the rounds, according to anti-virus firm Network Associates. The Trojan horse, which arrives as an email attachment called prettypark.exe, doesn't delete or alter files. Instead, it sends a copy of itself to everyone in the victim's email address book every 30 minutes, which could bog down an entire network. It's spreading quickly, according to Network Associates, and has infected computers on a dozen corporate and government networks.

Pretty Park first made the rounds last year. This new outbreak -- officially labelled W32/Pretty.worm.unp -- is simply that virus delivered in uncompressed form, according to Kelly Shall, spokeswoman for Network Associates.

It was discovered in mid-February, but at the time wasn't considered to be a serious risk, Shall said. In recent days, though, infection rates have been surprisingly high. "It's spreading pretty fast," said Shall. The virus can infect users of any of the Windows platforms.

Virulent emails arrive with the subject line "C:\CoolProgs\Pretty Park.exe" and an attached program with an icon of Kyle, one of the South Park TV series characters. Because the file appears to come from a colleague or friend, victims are being tricked into opening the file. Victims simply see an image of Kyle, but in the background the program begins spamming everyone in their address book with the attachment.

Anti-virus programs will detect Pretty Park; however, Internet users are still cautioned to use care when opening email attachments. Martin Skov, product marketing manager for McAfee Associates, said the new version of Pretty Park initially slipped under the radar of anti-virus products precisely because it was uncompressed. Anti-virus programs don't search entire files for harmful computer code -- they search specific regions of code where virus payloads are known to lurk. In this new uncompressed version, the bad code was in a different place, making it harder to detect.

This scanning technique is used as a timesaver by McAfee, Skov said. Without it, virus scans would take up to 20 times longer. "You're talking about huge savings in scanning time by going to the known location of the file," he said. "The idea here, again, is a trade-off. You have to maximise security while minimising the impact and inconvenience," Skov added.
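The trade-off described above, as an added example (not McAfee's code and not part of the original article): a scanner that checks only an expected window is compared with one that reads the whole file. The marker bytes, window offsets and file sizes are constructed for illustration.

```python
SIGNATURE = b"\xde\xad\xbe\xefMARKER"  # constructed marker, not a real detection signature
REGION = (0x200, 0x600)                # hypothetical window where the scanner expects it


def scan_region(data, signature=SIGNATURE, region=REGION):
    """Search only the expected window. Returns (offset or None, bytes examined)."""
    start, end = region
    # Let a match that starts inside the window run past its end.
    window = data[start:end + len(signature) - 1]
    pos = window.find(signature)
    return (start + pos if pos != -1 else None), len(window)


def scan_full(data, signature=SIGNATURE):
    """Search the whole file. Returns (offset or None, bytes examined)."""
    pos = data.find(signature)
    return (pos if pos != -1 else None), len(data)


def make_sample(size, offset, signature=SIGNATURE):
    """Constructed test file: zero filler with the marker placed at `offset`."""
    buf = bytearray(size)
    buf[offset:offset + len(signature)] = signature
    return bytes(buf)


def compare(samples):
    """Run both scanners over {name: bytes}; report hits and relative cost."""
    report = {}
    for name, data in samples.items():
        region_hit, region_cost = scan_region(data)
        full_hit, full_cost = scan_full(data)
        report[name] = {
            "region_hit": region_hit,
            "full_hit": full_hit,
            "missed_by_region_scan": region_hit is None and full_hit is not None,
            "cost_ratio": round(full_cost / region_cost, 1),
        }
    return report

SAMPLES = {
    "known_layout": make_sample(0x5000, 0x340),  # marker inside the window
    "relocated": make_sample(0x5000, 0x2A00),    # same marker, different place
    "clean": bytes(0x5000),                      # no marker at all
}

if __name__ == "__main__":
    for name, row in compare(SAMPLES).items():
        print(name, row)
```

The "relocated" sample carries the same marker as "known_layout" but is reported clean by the windowed scan, while the whole-file scan finds it at the cost of reading every byte.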
