Prettypark Worm
Pretty Park is an email worm similar to the Happy99.exe worm. It comes in the form of an email attachment with the name prettypark.exe, files32.exe, or prettyorg.exe. Windows users are susceptible to the worm. Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected and to retrieve any commands from the IRC channel. Through the IRC connection, the author of the worm could obtain system information, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, the victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
It creates a file called files32.vxd in the C:\Windows\System directory and modifies the following registry key located at
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
from "%1" %* to files32.vxd "%1" %*
A new variant of the Pretty Park Worm also makes a similar change to the following registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
Manual Removal
Follow these instructions in the exact order, and as always, I claim no responsibility for you not understanding the instructions completely and wreaking havoc with your system. Changes to the registry should only be done by someone who understands the consequences of a mistake in the registry.
- On the Windows taskbar, click Start > Run.
- Type REGEDIT, then click OK.
- Modify the following Registry value:
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  and change
  files32.vxd "%1" %*
  to
  "%1" %*
  These seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.
- Repeat the above step for the following Registry Key:
  HKEY_CLASSES_ROOT\exefile\shell\open\command
- Using the Find Command under the Start Menu, find and delete the PrettyPark.exe file.
- Restart your computer.
- Using Windows Explorer or the Find Command under the Start Menu, find and delete the \Windows\System\Files32.vxd file.
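As an added check (example code, not part of the original advisory), the PowerShell script below audits both exefile launch keys named above and the dropped files32.vxd path, reporting any value that no longer equals the advisory's expected "%1" %*. The -Restore switch, the $env:SystemRoot-based file path and the output labels are my own choices, not something the advisory specifies.

```powershell
# Added example: audit the exefile launch keys that Pretty Park hijacks.
# Run from an elevated PowerShell prompt; without -Restore it only reports.
param([switch]$Restore)

# Clean default launch command for .exe files, as given in the advisory.
$Expected = '"%1" %*'

$Keys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)

foreach ($key in $Keys) {
    if (-not (Test-Path $key)) {
        Write-Warning "$key not found"
        continue
    }
    # The worm rewrites the key's (default) value, so read that, not a named value.
    $current = (Get-ItemProperty -Path $key).'(default)'
    if ($current -eq $Expected) {
        Write-Output "OK       $key"
        continue
    }
    Write-Output "HIJACKED $key -> $current"
    if ($current -match '(?i)files32\.vxd') {
        Write-Output '         matches the Pretty Park pattern (files32.vxd prefix)'
    }
    if ($Restore) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $Expected
        Write-Output "RESTORED $key"
    }
}

# Dropped file named in the advisory (C:\Windows\System\files32.vxd);
# the path is derived from SystemRoot here as an assumption.
$dropped = Join-Path $env:SystemRoot 'System\files32.vxd'
if (Test-Path $dropped) {
    Write-Output "PRESENT  $dropped (delete after restoring the registry values)"
} else {
    Write-Output "ABSENT   $dropped"
}
```

Run it once without -Restore to see what it would change; the registry values should be fixed before files32.vxd is deleted, otherwise .exe files cannot be launched.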