Indications Of Infection
This program, when run, will copy itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the value "command" of the registry key
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause FILES32.VXD to run during the execution of any exe file. See this related description of W32/Pretty.worm.unp.
Emails containing this Internet worm have this format:
Subject: C:\CoolProgs\Pretty Park.exe
Body: Test: Pretty Park.exe :)
Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local system as mentioned above.
Removal Instructions
The order in which this trojan must be removed is complicated by the depth to which it hooks the operating system. The following procedure should remove the trojan. With Windows 95/98, the registry can be loaded and edited using the program named REGEDIT; in Windows NT, you use REGEDT32.
1) Identify and note the files associated with this trojan as detected by the scanner - do not remove the trojan at this time. If you have already removed the trojan, you will not be able to run the REGEDIT steps below on the affected system. Proceed instead to step 11 listed below.
2) Open an MS-DOS prompt via the menu, or click on START|RUN, type COMMAND and then press ENTER.
3) At the prompt, type START COMMAND and press ENTER.
4) Remove references to the trojan from these keys of the registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
They should contain only the value (not including the brackets) ["%1" %*].
5) If applicable, remove any keys that run the main trojan under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
6) If applicable, delete the following registry key if it exists, and then exit Regedit:
HKEY_CLASSES_ROOT\.dl
7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should contain only the file EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well, the files should be deleted without error. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer or, at a minimum, access to MS-DOS on the affected system. Using MS-DOS EDIT, create a file called UNDO.REG with the following content (you can cut and paste):
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
12) Save this file to the Windows folder of the affected system as the file "UNDO.REG".
13) Click on START|RUN, type in UNDO.REG and press ENTER. The contents of UNDO.REG should now be imported into the registry.
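The check behind steps 4 and 11 is whether the default value of each exefile open-command key is still the clean "%1" %* or has had a program inserted in front of the placeholder. The script below is an added example, not part of this description or the vendor's tooling: it parses a REGEDIT4-style export (the same format as UNDO.REG above) and reports any of the three keys whose default value carries such a prefix. The export text it runs on is constructed here for illustration; the key names and the clean value are those given in the removal steps.

```python
import re

# Clean default open-command association for .exe files, as stated in step 4.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# The three keys the removal instructions say to inspect (step 4) and restore (step 11).
EXEFILE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\."""
    return re.sub(r'\\(["\\])', r'\1', s)


def injected_prefix(command_value):
    """Return whatever precedes the "%1" placeholder in an open command,
    or '' when the value is clean.

    The described modification is 'FILES32.VXD "%1" %*': a program is put in
    front of the placeholder so it runs every time an .exe is launched.
    Any non-empty prefix is therefore a finding.
    """
    value = command_value.strip()
    idx = value.find('"%1"')
    if idx == -1:
        idx = value.find('%1')
    if idx == -1:
        # No placeholder at all: nothing would launch the real target.
        return value
    return value[:idx].strip()


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_lowercase: {value_name: data}}.

    Registry key names are case-insensitive, so keys are stored lowercased.
    String data ("...") is unescaped; other types (dword:, hex:) are kept raw.
    """
    result = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.upper().startswith("REGEDIT4"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2).strip()
            if name != "@":
                name = _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            result[current][name] = data
    return result


def audit_exefile_keys(reg_text):
    """Return (key, default_value, injected_prefix) for each exefile
    open-command key present in the export whose default value is not clean."""
    findings = []
    parsed = parse_reg_export(reg_text)
    for key in EXEFILE_COMMAND_KEYS:
        values = parsed.get(key.lower())
        if values is None:
            continue
        data = values.get("@", "")
        prefix = injected_prefix(data)
        if prefix:
            findings.append((key, data, prefix))
    return findings


# Constructed sample export: one key hijacked in the way the description
# states, one key still at the clean default.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value, prefix in audit_exefile_keys(SAMPLE_EXPORT):
        print(f"{key}: default value {value!r} runs {prefix!r} before the target")
```

On a live system the same check can be fed an export made with REGEDIT /E, which writes this format; a clean export produces no findings, and step 11's UNDO.REG is exactly the export that would restore all three keys to the clean value.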
Virus Information
| Discovery Date: | 5/26/99 |
| Origin: | France |
| Length: | 37,376 |
| Type: | Trojan |
| SubType: | worm |
| Risk Assessment: | Medium |
Variants
| Name | Type | Sub Type | Differences |
| Unknown | | | |
Aliases
I-Worm.PrettyPark, Pretty Worm, PrettyPark
Related Viruses
W32/Pretty.Worm
Related Downloads
None
Related Images
None
Minimum Dat
4029
Minimum Engine
4.0.25