Information About and Procedure for Removing the PrettyPark.Worm Virus/Worm

This worm usually spreads by e-mail. When the attached program file, PrettyPark.exe, is executed, it may display the 3D pipe screen saver. Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.

Repair Information

Automatic Removal of Pretty Park: prettyparkcleaner.exe

To remove the PrettyPark worm manually:

  1. On the Windows taskbar, click Start > Run.
  2. Type REGEDIT, then click OK.
  3. Modify the following Registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

    and change

    files32.vxd "%1" %*

    to

    "%1" %*

    For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

  4. Delete the PrettyPark.exe file.
  5. Restart your computer.
  6. Delete the \Windows\System\Files32.vxd file.
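
The check in step 3 can also be run against a text export of the registry, which helps when triaging several machines. The following is an added example, not part of the original procedure: it parses a REGEDIT4-style export and reports any open-command handler that differs from the clean value. The sample export is constructed, and covering comfile and batfile in addition to exefile is an extension beyond the page.

```python
import re

EXPECTED = '"%1" %*'  # the clean value given in step 3
# exefile is the class the page names; comfile and batfile are added here
# because they normally carry the same default command.
CLASSES = ("exefile", "comfile", "batfile")
KEY_RE = re.compile(
    r"^\[HKEY_(?:LOCAL_MACHINE\\SOFTWARE\\Classes|CLASSES_ROOT)\\("
    + "|".join(CLASSES) + r")\\shell\\open\\command\]$",
    re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export (not captured from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

def unescape(value):
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\."""
    return re.sub(r'\\(["\\])', r'\1', value)

def find_hijacked_handlers(reg_text):
    """Return (class, value) pairs whose default open command is not EXPECTED."""
    findings = []
    current = None  # file class of the key section being read, if monitored
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
        elif current and line.startswith("@="):
            m = DEFAULT_RE.match(line)
            value = unescape(m.group(1)) if m else line[2:]
            if value.strip() != EXPECTED:
                findings.append((current, value))
    return findings

if __name__ == "__main__":
    for cls, value in find_hijacked_handlers(SAMPLE_EXPORT):
        print(f"{cls}: open command is {value!r}, expected {EXPECTED!r}")
```

A finding on exefile with a value starting with files32.vxd matches the modification described in step 3.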