
 

South Park Worm

Information about South Park worm:

                     South Park is an Internet worm that spreads through Microsoft Outlook and by other techniques, such as copying "South Park.exe" to floppy drives and mapped drives. The worm is 19,968 bytes long and written in Visual Basic. It needs "MSVBVM50.dll" to spread; otherwise it shows a DLL-missing error. The e-mail attachment name is "South Park.exe".

                     When the e-mail attachment is opened, the worm copies "South park.exe" to all mapped drives and creates the files "winguard.exe", "Windowsstart.dll", "Windowssystem.dll" and "s.bat" in the root directory of the C drive. The DLL files contain the date and infection count information, and the batch file contains routines to make the floppy disk bootable. "winguard.exe" is stored as a hidden system file.

                     It then changes the registry settings so that "c:\winguard.exe" is executed automatically when the system is restarted. It creates a temporary file, c:\v.reg, to modify the registry information and then deletes it. The registry modifications are given below.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run windll="c:\winguard.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run windll="c:\winguard.exe"

                     It opens the Microsoft Outlook address book and sends e-mail to all the e-mail addresses stored there. The message subject is "Servus Alter!", the message body is "Hier ist das Spiel, das du unbedingt wolltest! ;-)" and the attachment name is "South Park.exe". The e-mail message is written in German.

                     On a floppy drive, the worm periodically checks for "South Park.exe"; if the file is not found, it runs "s.bat" to make the disk bootable and creates "Autoexec.bat". The "Autoexec.bat" on the floppy disk contains the following code:

@echo off
copy South Park.exe C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\South Park.exe
cls
del autoexec.bat

                     Sometimes it fails to write the entire path. On other mapped drives it periodically checks for "South Park.exe"; if the file is not found, it copies it to the root directory.

                     The payload of this worm is somewhat different. It creates "Swapfile.vxd" in the Windows directory and fills it with garbage "D" until the entire hard disk is used up, so Windows shows a hard-disk-full alert message.

                  Our technical team has found that more attacking capability is dormant in this virus and that it could activate in different forms. Further details about this worm will be updated soon.

Removing South Park worm from your system:

                     Fire has incorporated I-Worm.SouthPark into its virus signature file, with the aim of helping users affected by this Worm attack to detect and eliminate it from their systems. Fire anti-virus users can update this signature file from our web site.

                     You can check the system manually. This worm creates "South Park.exe" in the root directory of all mapped drives. The presence of "south park.exe" or "swapfile.vxd", or unusual floppy drive access, indicates that you are infected with this worm. A free utility to detect and clean this virus is available in the Download Center.
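
A scripted form of the manual check described above, as an added example (it is not code from Prognet or the Fire product). The file names and the Run value come from this advisory; the function names, the registry export passed in as text, and the inclusion of the temporary v.reg are assumptions of this example.

```python
import os
import re
import tempfile

# Indicators as named in the advisory (matched case-insensitively).
ROOT_FILES = ("winguard.exe", "windowsstart.dll", "windowssystem.dll", "s.bat",
              "v.reg")  # v.reg is temporary and normally already deleted
WORM_COPY = "south park.exe"
PAYLOAD = "swapfile.vxd"
# Matches the advisory's notation and a .reg export ("windll"="c:\\winguard.exe").
RUN_VALUE = re.compile(r'"?windll"?\s*=\s*"c:\\+winguard\.exe"', re.IGNORECASE)


def _names(directory):
    """Lower-cased names in a directory; an unreadable drive yields no names."""
    try:
        return {name.lower() for name in os.listdir(directory)}
    except OSError:
        return set()


def scan(system_root, windows_dir, other_roots=(), reg_export_text=""):
    """Return (indicator, location) pairs for every artifact found."""
    sys_names = _names(system_root)
    findings = [(n, system_root) for n in ROOT_FILES if n in sys_names]
    for root in (system_root, *other_roots):
        if WORM_COPY in _names(root):
            findings.append((WORM_COPY, root))
    if PAYLOAD in _names(windows_dir):
        findings.append((PAYLOAD, windows_dir))
    if RUN_VALUE.search(reg_export_text):
        findings.append(("Run value windll", "registry export"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a stand-in C:\ root and one mapped drive in a temp dir.
    with tempfile.TemporaryDirectory() as base:
        c, win, m = (os.path.join(base, d) for d in ("c", "c/WINDOWS", "m"))
        os.makedirs(win)
        os.makedirs(m)
        for path in (os.path.join(c, "WINGUARD.EXE"), os.path.join(m, "South Park.exe")):
            open(path, "w").close()
        reg = 'windll="c:\\winguard.exe"'  # constructed Run value text
        for indicator, where in scan(c, win, [m], reg):
            print("FOUND", indicator, "in", where)
```

On a real system, pass the drive roots and the Windows directory as paths and the text of an exported Run key as `reg_export_text`; an empty result means none of the listed artifacts were present.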
