(OffTopic) The PrettyPark virus

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

From Symantec;


Virus Name: PrettyPark.Worm Aliases: Trojan Horse, W32.PrettyPark Region Reported: Europe Characteristics: Trojan Horse, Worm

Description: This is a worm program that behaves similar to Happy99 Worm. This worm program was originally spread by email spamming from a French email address. The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.

When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:


Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It will also try to connect to an IRC server every 30 seconds and connect to a specific IRC channel. This connection can potentially be used maliciously.

Norton AntiVirus users can protect themselves from PrettyPark.Worm by downloading the current virus definitions either through LiveUpdate or from the following web page:


Norton AntiVirus will detect PrettyPark.Worm as Trojan Horse with June 1, 1999 virus definitions.

Removing this worm manually:

Delete WINDOWS\SYSTEM\FILES32.VXD Using REGEDIT, modify the Registry entry


from FILES32.VXD "%1" %* to "%1" %*

You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.

Delete the "Pretty Park.EXE" file. Reboot your computer.

You need to do step #2 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD

Safe Computing:

This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.

Write-up Updated by:Raul K. Elnitiarta & Eric Chien June 2, 1999

-- Tom Carey (tomcarey@mindspring.com), June 09, 1999


Thanks for the tip and the reminder Tom, Going *Live* right now.

I just hate presents wrapped in wooden horses!

-- unspun@lright (mikeymac@uswest.net), June 09, 1999.

Moderation questions? read the FAQ