With increasing frequency, PC-WELT readers complain that their antivirus programs cannot remove the widespread bugs Pretty_Park and Subseven. The programs do detect both, but after the cleanup the machine can no longer be used. This is all the more astonishing because both bugs have been well known for quite some time. PC-WELT has tested the most important antivirus programs on the market and found that most of them fail to remove these bugs safely.
The vendors do not accept responsibility for this problem and limit themselves to pointing users to their Web sites, where removal tools can be found. They also refuse to update their programs so that they can handle these bugs properly. We offer some suggestions to help you in case of an infection, and you should read them right away: it is not a good idea to surf the Internet while your computer is infected with Subseven. In this text we use the word "infected" for both kinds of bugs, worms and Trojan horses, even though a Trojan horse does not spread by itself the way a virus does.
Pretty_Park is a worm: like a virus it replicates itself, and it spreads by mailing copies of itself to other users. It was first detected in July 1999, is still considered one of the most damaging bugs around, and is still spreading widely.
Subseven, on the other hand, is a backdoor, or Trojan horse, which gives other people unlimited remote access to your computer. The backdoor, also known as Backdoor-G, was first detected in April 1999. Like Pretty_Park, it is frequently found in the wild.
As different as the two bugs are, they have one thing in common: both are difficult to remove safely, because they use registry entries to make themselves the handler for the file type ".exe" (on Windows 98 this handler is the default value of the key HKEY_CLASSES_ROOT\exefile\shell\open\command, which is normally "%1" %*). When the user starts an .exe program, the parasite is launched first and then runs the intended program itself. If the parasite's file is deleted without restoring that registry entry, the chain is broken and no .exe file can be executed any more.
PC-WELT carefully tested six of the most important antivirus programs: AVP, AntiVir, McAfee Scan, Norman Virus Control, Symantec Corp.'s Norton Anti Virus and Sophos. The question was whether each of them could protect a PC against the worm Pretty_Park and the backdoor Subseven and remove them safely.
First, one of the bugs was planted on a Windows 98 computer. Then the antivirus programs were installed one after the other, each in its latest version with all updates. Then the second bug was planted and the tests were repeated. Before each bug and antivirus program was installed, we started from a fresh Windows 98 installation.
The result was devastating: although every program detected Pretty_Park and Subseven, nearly all of them ruined the computer. After the cleanup, either no .exe file could be executed or the system crashed. Only AntiVir removed Pretty_Park and left the system running without failure afterwards.
AntiVir was also the only program that warned the user clearly about the dangers and special features of that worm, in addition to removing it completely. However, AntiVir failed to clean out Subseven and left the computer ruined after trying, just like every other antivirus program we tested.
Sophos at least displayed an on-screen message referring the user to telephone support if further help was needed.
So if your computer is infected, cleaning it up is a serious problem. Most antivirus programs mislead the user with hints and instructions to do this or that; a user who follows them is led straight into a catastrophic situation where no program can be started at all.
Even an emergency floppy with a protection program to restart the system did not help in this case. Every program on the floppy deleted the parasites from the system, but none of the programs running under DOS or Linux could restore the registry. As a result, the computer booted, but no program could be executed.
Shocked by this bad result, we confronted the developers and asked their programmers and virus researchers for exact, current information. Their excuses were almost more surprising than the behavior of the programs.
Most of them were not surprised by our test results, but they objected to the testing method itself, pointing out that they offer tools on their Web sites that solve these problems.
The vendors may know about the tools on their Web sites, but the user, who has every right to expect complete protection from an antivirus product, does not. And if a backdoor is already running in the background, so that the whole world can access your system, it is very dangerous to go online to look for and download special tools. By the time you start cleaning the computer, it is already open to hackers.
Some manufacturers say they are working on an antivirus program that cleans a system completely, including the registry, but that it will still take some time.
In our view this task should not be that difficult, so we do not understand why months or years should be needed. Furthermore, an antivirus program should first inform the user about the peculiarities of the bug it has found, instead of urging the user to clean it immediately. That would serve the user better: the bug would still be active, of course, but other emergency measures could be taken, because at least the system would not be dead.
Another excuse was that Subseven is a backdoor program, so it is not a virus but a Trojan horse. The manufacturers sell antivirus programs, not anti-Trojan or anti-backdoor programs, they said.
Such hair-splitting mocks the user, who often pays 50 to 100 marks for an antivirus program that certainly tries to detect and clean out bugs that are not viruses in the strict sense. If the program tries but fails to accomplish the task, how can the manufacturer say it is not their business?
A few years ago there were similar problems with viruses such as W95/CIH.1003. Most antivirus programs detected the virus within a few days, but to this day only very few of them remove it completely. To update their programs to detect the virus in memory, the developers needed anywhere from a month to several years, so the improvements benefited only some users.
What You Can Do
We have compiled a list of links to the developers of the antivirus programs and to the tools that worked best.
For removing the Pretty_Park worm we recommend the special cleaning program from Norton Anti Virus, because it is easiest to use and removes the worm even from memory. If Subseven or Pretty_Park has infected your system, we recommend downloading the .reg file from McAfee's home page and executing it. This repairs your registry so that you can start .exe files again.
AVP:
Pretty_Park worm ( http://www.avp.ch/avpve/worms/ppark.stm)
No information about the Subseven backdoor available.
AntiVir:
General virus information ( http://www.antivir.de/vireninfo/index.htm)
No further information available, because the link to the corresponding descriptions is deactivated at the moment.
McAfee:
Subseven backdoor ( http://vil.nai.com/villib/dispvirus.asp?virus_k=10171)
Pretty_Park worm ( http://vil.nai.com/villib/dispvirus.asp?virus_k=10175)
Here you can download the file UNDO.ZIP, which contains a .reg file with the repaired registry entry ( http://download.nai.com/products/Mcafee-Avert/undo.zip).
Instructions: Unpack the file, then start the extracted file with the extension .reg (double-click it in the Explorer). Click "Yes" to repair the registry so that you can execute .exe programs again.
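To make the mechanism described above concrete (the hijacked .exe handler explained earlier, and what a repair .reg file such as McAfee's restores), here is an added example that is not from PC-WELT or from any of the vendors. It classifies the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command as clean, hijacked or broken, reports the program that was prepended, produces a REGEDIT4 file that restores the default handler, and lists the cleanup steps in a safe order. The sample values and the parasite file names in them are constructed for this example and do not describe a real infection; the optional live read uses Python's winreg module and therefore only works on Windows.

```python
# Added example, not PC-WELT's or any vendor's code.  It shows the .exe
# handler hijack used by Pretty_Park and Subseven and the registry repair
# that the vendors' .reg tools perform.  All sample values are constructed.
import re

# Windows runs this command to open an .exe file; it is the default value of
# HKEY_CLASSES_ROOT\exefile\shell\open\command and normally reads "%1" %*.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"exefile\shell\open\command"

# Constructed sample values; the parasite file names are hypothetical.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "hijacked": r'C:\WINDOWS\SYSTEM\PARASITE.VXD "%1" %*',
    "quoted": r'"C:\Program Files\Parasite\loader.exe" "%1" %*',
    "broken": "",  # value emptied or deleted: no handler at all
}

# A hijacked value is the default command with a program prepended, either a
# bare path or a quoted one:   <program> "%1" %*
_HIJACK_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<bare>\S+))\s+"%1"\s+%\*$')


def classify_exefile_command(value):
    r"""Classify the default value of exefile\shell\open\command.

    Returns (state, hijacker): state is "clean", "hijacked" or "broken";
    hijacker is the program prepended to the default command, else None.
    """
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return "clean", None
    m = _HIJACK_RE.match(v)
    if m:
        return "hijacked", m.group("q") or m.group("bare")
    return "broken", None


def repair_reg_text():
    r"""Text of a REGEDIT4 file (the Windows 9x .reg format) that restores
    the default handler.  Double quotes inside a .reg string value are
    escaped with a backslash, so "%1" %* is written as \"%1\" %*."""
    return (
        "REGEDIT4\r\n"
        "\r\n"
        f"[HKEY_CLASSES_ROOT\\{EXEFILE_KEY}]\r\n"
        '@="\\"%1\\" %*"\r\n'
    )


def removal_plan(value):
    """Ordered cleanup steps for a machine whose handler value is `value`.

    The order matters: restore the handler before deleting the parasite,
    otherwise the handler points at a missing file and no .exe will start.
    """
    state, hijacker = classify_exefile_command(value)
    if state == "clean":
        return ["handler intact: remove the parasite with a normal scan"]
    steps = ["disconnect from the network (a backdoor may be listening)"]
    if state == "hijacked":
        steps.append(f"note the hijacking program: {hijacker}")
    steps += [
        "import the repair .reg file (restores the default handler)",
        "delete the parasite file and any copies, then reboot",
        "rescan with an up-to-date antivirus program",
    ]
    return steps


def read_live_exefile_command():
    """Read the live value on Windows; returns None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    values = dict(SAMPLE_VALUES)
    live = read_live_exefile_command()
    if live is not None:
        values["live"] = live
    for name, value in values.items():
        state, who = classify_exefile_command(value)
        print(f"{name:9} -> {state}" + (f" (prepended: {who})" if who else ""))
    print(repair_reg_text())
```

The point a practitioner should take from this is the order of operations in removal_plan: the handler is restored first and the parasite's file is deleted only afterwards. Deleting first, which is what the tested antivirus programs did, leaves the handler pointing at a file that no longer exists, and that is exactly the state in which no .exe can be started.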
Norman Virus Control:
Home page ( http://www.norman.com)
No further information available.
Norton Anti Virus:
Program to remove the Pretty_Park worm
Instructions: Unpack the file into a temporary directory and start it. The worm is removed from memory and from the hard drive, and the registry is repaired. Afterwards, reboot the computer and check the system again with an antivirus program.
Instructions for this program can be found at
Sophos:
Subseven backdoor ( http://www.sophos.com/virusinfo/analyses/trojsubseven.html)
Pretty_Park worm ( http://www.sophos.com/virusinfo/analyses/w32pretty.html)
Batch file pretty.bat to remove the Pretty_Park worm
Instructions: Run the batch file on the infected computer (if possible in plain DOS mode rather than in a DOS window) and restart the system.
The original text in German can be found at http://www.pcwelt.de/content/artikel/artvirus/200008kapitulation31072000001.
Prices listed are in German marks.