PrettyPark.Worm

Detected as: PrettyPark.Worm, W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Known Variants: W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Infection Length: 37,376; 17,081 (C variant); 60,928 (D variant)
Area of Infection: C:\Windows\System, Registry, email attachments
Likelihood: Common
Detected as of: June 1, 1999; February 2, 2000 (C variant); February 18, 2000 (D variant)
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.


Description

This worm behaves similarly to the Happy99 worm. It was originally spread by email spamming from a French email address. The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.

When the attached program file, PrettyPark.exe, is executed, it may display the 3D pipe screen saver. It also creates a file called files32.vxd in the Windows\System directory and, without your knowledge, changes the value of the following registry entry from "%1" %* to files32.vxd "%1" %*:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

As a result, files32.vxd is invoked whenever an .exe file is opened.
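
The registry change described above can be checked offline against a registry export. This is an added example, not part of the original write-up; the two exports are constructed samples and the function names are hypothetical.

```python
import re

# Key and clean value as given in the write-up above.
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
CLEAN_VALUE = '"%1" %*'

# Constructed sample exports (.reg text), not taken from a real machine.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
'''

def default_value(reg_text, key):
    """Return the (Default) string value of `key` from .reg text, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive (Software vs SOFTWARE).
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslash and double quote with a backslash.
            return re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return None

def check_exefile_handler(reg_text):
    """Return (status, handler): status is 'missing', 'clean' or 'hijacked'."""
    value = default_value(reg_text, EXEFILE_KEY)
    if value is None:
        return ("missing", None)
    if value.strip() == CLEAN_VALUE:
        return ("clean", None)
    # Anything placed before "%1" is run each time an .exe file is opened.
    handler = value.split('"%1"')[0].strip() or value
    return ("hijacked", handler)

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EXPORT), ("infected", INFECTED_EXPORT)):
        print(name, check_exefile_handler(text))
```

A "hijacked" result names whatever was placed in front of "%1"; for this worm that is files32.vxd.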

Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking usernames and passwords. In addition, being connected to IRC opens a security hole through which the client can potentially be used to receive and execute files.

Repair Information

The link below leads to the site where the prettypark.exe cleaner can be downloaded.

http://softseek.zdnet.com/Utilities/Virus_Protection/D_27745_index.html


 

Description Write-up by: Raul K. Elnitiarta & Eric Chien
June 1, 1999
Updated: February 28, 2000