PrettyPark.Worm
This worm program behaves similarly to Happy99 Worm. It was
originally spread by email spamming from a French email address.
The first report of this worm was submitted through our exclusive
Scan & Deliver system on May 28, 1999 from France. When the
attached program file, PrettyPark.exe, is executed, it may
display the 3D pipe screen saver.
Also known as: Trojan Horse, W32.PrettyPark,
Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Distribution
Subject of email: C:\CoolProgs\Pretty Park.exe
Name of Attachment: PrettyPark.EXE
Size of Attachment: 37,376 bytes
Target of infection: Windows Registry
Technical description
Once the worm program is executed, it tries to email itself
automatically every 30 minutes (or 30 minutes after it is loaded)
to email addresses registered in your Internet address book.
It also tries to connect to an IRC server and join a specific IRC
channel. The worm sends information to IRC every 30 seconds to
keep itself connected, and to retrieve any commands from the IRC
channel.
Via IRC, the author or distributor of the worm can obtain system
information, including the computer name, product name, product
identifier, product key, registered owner, registered
organization, system root path, version, version number, ICQ
identification numbers, ICQ nicknames, victim's email address,
and Dial Up Networking username and passwords. In addition, being
connected to IRC opens a security hole in which the client can
potentially be used to receive and execute files.
It creates a file called files32.vxd in the Windows\System
directory and, without your knowledge, changes the (Default) value
of the following registry key from "%1" %* to files32.vxd "%1" %*,
so that the worm's loader runs every time any .exe file is opened:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Manual removal instructions:
1. On the Windows taskbar, click Start > Run.
2. Type REGEDIT, then click OK.
3. Modify the following Registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
and change
files32.vxd "%1" %*
to
"%1" %*
For clarity, these seven characters are the following:
double quote, percent sign, the numeral one, double quote,
space, percent sign, and asterisk. Don't forget the space.
4. Delete the PrettyPark.exe file.
5. Restart your computer.
6. Using Windows Explorer, delete the
\Windows\System\Files32.vxd file.
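As an added example that is not part of the original write-up, the script below checks an exported copy of the exefile\shell\open\command key (as produced by "reg export") for the hijack described above, reports any loader prepended to "%1" %* (such as files32.vxd), and produces the .reg text that puts the clean value back. The two .reg exports embedded in it are constructed samples, not captures from a real machine.

```python
import re

# Registry key the worm modifies (from the write-up) and its clean default value.
EXEFILE_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_VALUE = '"%1" %*'

# Constructed sample of a `reg export` of that key from an infected machine.
INFECTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
'''

# Constructed sample of the same key on a clean machine.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(s):
    # Undo .reg string escaping: '\\' becomes '\' and '\"' becomes '"'.
    return re.sub(r'\\(["\\])', r'\1', s)


def default_value_of(reg_text, key):
    # Return the (Default) string value of `key` in a .reg export, or None if absent.
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
        elif section and section.lower() == key.lower() \
                and line.startswith('@="') and line.endswith('"'):
            return unescape_reg_string(line[3:-1])
    return None


def check_exefile_handler(reg_text):
    # Classify the EXE open handler: clean, hijacked (with the prepended loader),
    # unexpected (some other value), or missing (key not in the export).
    value = default_value_of(reg_text, EXEFILE_COMMAND_KEY)
    if value is None:
        return ("missing", None)
    if value == CLEAN_VALUE:
        return ("clean", None)
    if value.endswith(" " + CLEAN_VALUE):
        return ("hijacked", value[:-(len(CLEAN_VALUE) + 1)])
    return ("unexpected", value)


def restore_reg_text():
    # A .reg fragment that restores the clean value, escaped for the .reg format.
    escaped = CLEAN_VALUE.replace('\\', '\\\\').replace('"', '\\"')
    return "Windows Registry Editor Version 5.00\n\n[%s]\n@=\"%s\"\n" % (EXEFILE_COMMAND_KEY, escaped)


if __name__ == "__main__":
    for name, text in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(name, check_exefile_handler(text))
    print(restore_reg_text())
```

Importing the generated .reg text restores the handler only after the worm's loader is no longer running, which is why the manual steps delete the files and restart before removing files32.vxd.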
Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: February 28, 2000