Mary, et al.:
I do not normally reply to all with emails, but in this case I felt it appropriate.
PrettyPark.Worm (aka Trojan Horse, aka W32.PrettyPark) is an email worm affecting Windows 95, 98, and NT machines. Recipients receive a message from an associate and open the attached file, which many have reported believing to be an animation based on the popular “South Park” television series. (I cannot confirm this at this time.)
PrettyPark.Worm originally surfaced in late May of this year in France, and quickly spread across Europe and to the States.
PrettyPark.Worm installs a file named FILES32.VXD in the \Windows\System directory, and modifies the Windows registry key that controls how .EXE files are launched so that the .VXD file is run whenever an .EXE is launched, ensuring the infection stays active.
When active, PrettyPark.Worm will attempt to email itself (the file PRETTYPARK.EXE) to everyone in the user's address book every 30 minutes.
Also, PRETTYPARK.EXE will attempt to initiate a connection to an Internet Relay Chat (IRC) channel every 30 seconds, through which information about the infected computer may be retrieved covertly.
The online scanners from antivirus.com and mcafee.com, as well as most recently updated virus scanners, will detect PrettyPark.Worm. Removal (especially when using the online scanners) is complicated by the fact that Windows keeps the infected file in use, which prevents it from being deleted.
A number of sites have listed instructions for removal of PrettyPark.Worm; however, in my own experience with cleanup operations this morning, the instructions given should be modified. Here are the modified instructions.
DO NOT attempt them yourself unless you feel comfortable working with the Windows registry.
1) Using regedit (which may be launched by selecting Start->Run, and entering “regedit” in the line), find the key HKEY_LOCAL_MACHINE
For the value for the key listed as "(Default)", you will see >FILES32.VXD "%1" %*< (the text between the ">" and the "<").
2) Edit the value for (Default) to remove "FILES32.VXD" AND THE SPACE THAT FOLLOWS, so that the new value is >"%1" %*< (the text between the ">" and the "<", including the quotes around the first item).
3) Close regedit.
4) Exit to MS-DOS mode
(For the next steps, which all occur at an MS-DOS prompt, enter the command given between the quotes.)
5) “cd c:\windows\system”
6) “del FILES32.VXD”
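As an added example (not part of the original email), here is a small Python check for the registry change described in steps 1 and 2: it reads a regedit export, finds each .EXE launch key, and reports any whose (Default) value runs a program in front of "%1", together with the cleaned value the key should be reset to. The export text and the key path in it are constructed assumptions, not taken from the email.

```python
import re

# Constructed sample regedit export (REGEDIT4 is the Windows 9x / NT 4 header).
# Key path is an assumption for the .EXE launch key; the value is the worm's.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_default_values(reg_text):
    # Map each [key] in a .reg export to its (Default) value, written as @="..."
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = _unescape(line[3:-1])
    return defaults

def analyze_exe_launch_command(value):
    # A healthy .EXE launch command starts with "%1"; anything in front of it is
    # a program that runs instead of (and then runs) the requested .EXE. Returns
    # (prepended_program_or_None, cleaned_value) keeping the quotes around %1.
    pos = value.find('"%1"')
    if pos == -1:
        return ('UNRECOGNISED', value)   # not the standard shape; inspect by hand
    prefix = value[:pos].strip()         # strip() also drops the trailing space
    return (prefix or None, value[pos:])

def find_hijacked_launch_keys(reg_text):
    # (key, program, cleaned_value) for each .EXE launch key with a prepended program
    findings = []
    for key, value in parse_default_values(reg_text).items():
        if key.lower().endswith(r'exefile\shell\open\command'):
            program, cleaned = analyze_exe_launch_command(value)
            if program:
                findings.append((key, program, cleaned))
    return findings

if __name__ == '__main__':
    for key, program, cleaned in find_hijacked_launch_keys(SAMPLE_REG_EXPORT):
        print(f'{key}\n  runs {program} first; reset (Default) to: {cleaned}')
```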