PrettyPark.Worm
Virus Name: PrettyPark.Worm
Aliases: Trojan Horse, W32.PrettyPark
Region Reported: Europe
Characteristics: Trojan Horse, Worm
Description:
This is a worm program that behaves similar to Happy99 Worm. This worm program was originally spread by email spamming from a French email address. The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.
When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It will also try to connect to an IRC server every 30 seconds and connect to a specific IRC channel. This connection can potentially be used maliciously.
Norton AntiVirus users can protect themselves from PrettyPark.Worm by downloading the current virus definitions either through LiveUpdate or from the following web page:
http://www.symantec.com/avcenter/download.html
Norton AntiVirus will detect PrettyPark.Worm as �Trojan Horse� with June 1, 1999 virus definitions.
Removing this worm manually:
Delete WINDOWS\SYSTEM\FILES32.VXD Using REGEDIT, modify the Registry entry
KEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
from FILES32.VXD "%1" %* to "%1" %*
You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.
Delete the "Pretty Park.EXE" file. Reboot your computer.
You need to do step #2 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD
Safe Computing:
This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.
Write-up Updated by:Raul K. Elnitiarta & Eric Chien
June 2, 1999