W32-PrPlCrcl-G Virus Hoax

Discovered: April 01, 2002
Updated: February 13, 2007

This hoax began circulating on April 1, 2002 (April Fools' Day). It may carry an attached .htm file that is a fake mockup of a Symantec Security Response virus writeup.

There is no W32-PrPlCrcl-G virus. The attached page, if any, does not exist. The hoax contains valid links to several antivirus company sites in an attempt to make the hoax appear legitimate.

The hoax message is as follows:

Dear Sir/Madam,

Our automated virus scanning software has detected a virus included in an email sent by you. We have automatically notified the recipient of this, and have attempted to remove the virus from the infected email. However since this virus has just been discovered and the fact that it has been classified by Nortons/Symantec, Trend Micro/PCCillin and McAfee as the most destructive variant of this virus, we recommend that you update the virus definitions in the virus scanning software that you are using and do a complete scan on your machine.

THE DETAILS OF THE VIRUS ARE AVAILABLE ON THE ATTACHED SECURITY RESPONSE PAGE.

This virus was discovered yesterday afternoon by the Norton AntiVirus parent company Symantec and at this time, no vaccine or removal remedy has been developed. A spokesperson for Symantec said that the programming code in which the virus was written was so advanced and complex that their Security Response team were unable to say when they would be able to offer an effective solution for an infected machine.

This virus is an encrypted APR 1 executable file. When it is executed, it does the following:
  1. It adds the value W32-PrPlCrcl-G wscript.exe C:\WINDOWS\W32-PrPlCrcl-G to the registry key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that it will execute on the reboot of the machine.
  2. On reboot it decrypts itself.
  3. It then creates the Winstart.bat file in the C:\Windows folder.
  4. Next, it creates the C:\Windows\Windowsuser2 folder, and copies itself to that location.
  5. It then executes the batch file. The batch file makes another copy of the virus in the \Windowsuser2 folder with the file name W32-PrPlCrcl-G.exe. At this point, it rewrites the ASCII code for the number 1 (ONE) and connects itself to all instances of the number 1 (ONE) on the hard drive.
  6. It then triggers a shadow mask so that it returns only the number one to anti-virus software, masking itself from them.
  7. The virus then waits until the exact amount of the numeral 1 (ONE) on your machine reaches 142002, at this point it triggers the second half of its payload, creating a Script.ini file in the C:\ folder.
  8. The virus replaces certain commands in the Script.ini with commands to search the hard drive and to send itself to all addresses in your address book or contacts list.
  9. Finally, it launches the second half of its payload, replacing all .com, .exe, and .scr files in all folders on the hard drive with an exact copy of itself. The replaced program files are not repairable. After it has re-written all of the files that it finds, it deletes the boot sector of the machine and freezes it. Rebooting the machine will render it inoperable.

W32-PrPlCrcl-G is written in a high-level language known as APERL1. In order to minimize the spread of this virus until a safe fix is found, it is recommended that you do not use the numeral 1. Instead it is strongly advised that the typed word "ONE" be substituted at all times.

WARNING - If your machine has the W32-PrPlCrcl-G virus, do not under any circumstances reboot your machine as this will trigger the payload of this virus and at present, there is no known remedy, once the virus has been triggered. However, we have received reports that if there is less than the trigger amount (142002) of instances of the numeral 1 (ONE) on the hard drive, these can be deleted to keep the total amount down from the trigger level. This should only be done if the first stage of the trigger has been activated and is detailed in the attached file.

If your anti-virus software doesn't have an automatic update feature, we have listed below the update pages for the 5 most popular brands of anti-virus software.

McAfee - http:/ /download.mcafee.com/updates/updates.asp?
Nortons - http://securityresponse.symantec.com/avcenter/download.html
Dr Solomon - http:/ /download.mcafee.com/updates/4xa.asp?as=true&ref=5
PC Cillin - http:/ /www.antivirus.com/download/engines/
Doctor Web - http:/ /drweb.imshop.de/index_e.htm

If you do not currently use a virus scanning program on your machine, we strongly recommend that you install one at your earliest opportunity. The download areas for the above 5 manufacturers of virus software are listed below for your convenience. Many companies today will allow you to download a fully working evaluation copy of their software for you to try out before you purchase it.

McAfee - http:/ /software.mcafee.com/centers/download/default.asp
Nortons - http://www.symantec.com/downloads/
Dr Solomon - http:/ /mcafeestore.beyond.com/Category/0,1257,3-18-1041,00.html
PC Cillin - http:/ /www.antivirus.com/pc-cillin/download/form.asp
Doctor Web - http:/ /drweb.imshop.de/index_e.htm

Further information on viruses can be found at any of the following addresses....

http://securityresponse.symantec.com/avcenter/vinfodb.html
http:/ /www.antivirus.com/pc-cillin/vinfo/
http:/ /www.mcafee.com/anti-virus/default.asp?

----------------------------------------------------------------------------
----------------------------------------------------------------------------
Email data:
MessageID: <200203150APRIL1814554.8280118148@538995645.63489943>
Scanning part
Scanning part
Virus identity found: W32-PrPlCrcl-G
Virus identity found: WW32-PrPlCrcl-G

Scanning part
Scanning part
Please ignore any messages regarding this hoax and do not pass them on. Forwarding messages about the hoax only serves to propagate it further.
Writeup By: George Koris