Removing the Pretty Park Virus/Worm
What is the Pretty Park Worm?
Pretty Park is an email worm similar to the Happy99.exe worm. It comes in the form of an email attachment with the name prettypark.exe, files32.exe, or prettyorg.exe. Windows users are susceptible to the worm. Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.
It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel. Through the IRC connection, the author of the worm could obtain system information, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
It creates a file called files32.vxd in the C:\Windows\System directory and modifies the value of the following registry key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
from "%1" %* to files32.vxd "%1" %*
A new variant of the Pretty Park Worm also makes a similar change to the following registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
Manual Removal Instructions for Pretty Park.exe
Follow these instructions in the exact order, and as always, I claim no responsibility for you not understanding the instructions completely and wreaking havoc with your system. Changes to the registry should only be done by someone who understands the consequences of a mistake in the registry.
1. On the Windows taskbar, click Start > Run.
2. Type REGEDIT, then click OK.
3. Modify the following Registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
and change
files32.vxd "%1" %*
to
"%1" %*
These seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.
4. Repeat the above step for the following Registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
5. Using the Find command under the Start Menu, find and delete the PrettyPark.exe file.
6. Restart your computer.
7. Using Windows Explorer or the Find Command under the Start Menu, find and delete the \Windows\System\Files32.vxd file.
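To confirm that steps 3 and 4 restored both values, the check below reads a registry export in REGEDIT4 text format and reports any exefile open command whose default value is not exactly "%1" %*. It is an added example, not part of the original instructions; the function names and the sample export are constructed for illustration, and the export is assumed to be already loaded as text.

```python
import re

# Clean default value for the exefile open command, as given on this page.
EXPECTED = '"%1" %*'
WATCHED_SUFFIX = r"\exefile\shell\open\command"

# Constructed sample export (REGEDIT4 text), not taken from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

def unescape_reg_string(raw):
    # .reg files write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", raw)

def check_exefile_handlers(reg_text):
    """Return (key, value, is_clean) for each exefile open-command default value."""
    findings = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # entering a new key section
        elif (key and key.lower().endswith(WATCHED_SUFFIX)
              and line.startswith('@="') and line.endswith('"')):
            value = unescape_reg_string(line[3:-1])
            # Exact match only: the page stresses that the space matters.
            findings.append((key, value, value == EXPECTED))
    return findings

if __name__ == "__main__":
    for key, value, is_clean in check_exefile_handlers(SAMPLE_EXPORT):
        print("OK      " if is_clean else "MODIFIED", key, "->", value)
```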