I just received an email from a fellow Inman researcher. It was a virus that has attacked her system and her email list in Outlook Express. This means that some of you may also have received this email. It has a file attached called Pretty Park.exe. DO NOT click on this file. You should NEVER click on an .EXE file in email unless you know what the file is - regardless of who sends it to you. The sender does not know it is being sent and you are the victim of a computer hoax and virus. I have copied the page from McAfee.com about this virus. If you have this on your system, then you should get a virus cleaner and check your system. I hope this helps. Sorry about the earlier blank message. I hope you only got it once. -------------------------------------------------------------------- Virus Characteristics *March 2, 2000 Update: AVERT has received numerous samples of this Internet worm. Many users reporting this worm are also users of Outlook Express. This is the unpacked edition of the originally packed W32/Pretty.worm Internet worm.* This is an Internet worm that installs on Windows 9x/NT systems. It arrives via email from affected users who have also run this Internet worm. It appears as an icon of a character from the animated comedy series Southpark. Emails containing this Internet worm have this format: ------------- Subject: C:\CoolProgs\Pretty Park.exe Test: Pretty Park.exe :) ------------- Attached is the file Pretty park.exe and in some cases Pretty~1.exe. This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express. A second function of this worm is that it will also try to connect to several IRC servers and send data packets to the connected server. While your system is connected to the Internet, it is sending and listening to random ports on both UDP and TCP ports. The range is from 1000 to 4900 (or at least so far in testing) and is a random assigned port. First it will choose a random port on UDP and/or TCP, then it will listen to that port, next it will respond with a packet to that port then close it. This happens approximately once every 30 seconds or so. The time intervals are not specific and appear to be random as well. In testing, the following IRC servers are connected to just for a few seconds and are also chosen at random: banana.irc.easynet.net:6667 irc.ncal.verio.net:6667 irc.stealth.net:6667 irc.twiny.net:6667 irc1.emn.fr:6667 krameria.skybel.net:6667 mist.cifnet.com:6667 zafira.eurecom.fr:6667 While connected, this worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. While on the determined IRC server, the author of this worm could use the connection as a remote access trojan in order to get information such as the computer name, registered owner, registered organization, system root path, and Dial Up Networking username and passwords. Users should download 4067 DAT set or above for detection and removal of this Internet worm. --- This email is going to Jim's email list and to the Rootsweb List which is why you might get two copies. Please go to <a href="http://inman.surnameweb.org/guest/guestlist.html">http://inman.surnameweb.org/guest/guestlist.html</a> if you wish to be removed from this list. If you have questions you can email me at <a href="mailto:inman@surnameweb.org">inman@surnameweb.org</a>.