Pretty Park is back

New virus is not destructive, but it might flood email services as it spreads
Written by ZDNet UK, Contributor

It's back. The W32/Pretty.worm.unp (aka W32.PrettyPark) is back as a variant containing an unpacked version of the executable. Masquerading as an image of Kyle from the cartoon series South Park, the W32/Pretty.worm.unp is a fairly standard email worm that forwards itself to everyone in your address book. While the virus isn't destructive, it can cause surges in email volume, which in turn can cause bandwidth problems if many computers on the same network are infected.

Pretty Park arrives as a message from someone who has your email address in his or her address book; the attached file shows up with a picture of Kyle from South Park for an icon. Because the virus arrives as an attachment from someone you know, you might be tempted to let down your guard and open the attached program -- but don't. In general, unless you're expecting a file, don't ever open an email attachment, especially an executable file. And, to be safe, you should scan every email attachment you receive, regardless of the source.

There are clues that the Pretty Park message contains a virus. For starters, the subject line reads "C:\CoolProgs\Pretty Park.exe", although the file may also show up as PRETTY~1.EXE. It's interesting to note that one rarely receives messages with a file name and path as the header. The next clue to the virulence of the message comes from the message itself, "Test: Pretty Park.exe :)", which is followed by the name of the sender. Again, this isn't a typical message someone you know would be likely to send you.

Should you be unfortunate enough to execute the PRETTY PARK.EXE file, you may see the Windows screensaver pipes, or you may see nothing. Meanwhile, the virus hooks into your system so that it will execute at startup, and then begins sending itself to everyone in your address book. While it's emailing, it will also try to log into IRC. Once connected to IRC, the author of the virus could scan your system to find your dial-up networking usernames and passwords, and other, less-sensitive information.

Cleaning up isn't too much trouble, though. If you have a commercial anti-virus package, the latest update should have a fix for this one. You can download the latest anti-virus software updates from ZDNet Updates.com and free demos of the leading anti-virus programs from the Software Library. If not, you'll have to break out a few Windows tools and make a go of a self-cleaning job.

Your first task is to fire up the Windows registry editor (REGEDIT.EXE for Windows 9x or REGEDT32.EXE for NT). You can execute these programs from the run command on the start button, or by typing in the program name at an MS-DOS prompt. The main part of the infection will be found in the registry keys that are used for automatic program loading. While installing, the virus will have copied itself to FILES32.VXD -- this is the name to look for while editing your registry. Be careful as you work, because any programs that are legitimately loaded at Windows startup will be listed under these keys, and you don't want to delete those. Infected registry keys will read: files32.vxd ""%1" %*. However, you'll want to replace it with the string, including the quotation mark, ""%1" %*.

The keys you need to check to see if they contain FILES32.VXD are:

HKEY_CLASSES_ROOT\exefile\shell\open\command\ HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile \shell\open\command\ HKEY_LOCAL_MACHINE\Software\CLASSES\exefile \shell\open\command\ KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\Run\

You'll also need to delete the registry key set up by the virus and the whole entry:


Finally, take a look at your WIN.INI. Check under the [Windows] heading, and see if FILES32.VXD is listed in the "run=" command. Also check over your SYSTEM.INI file to see if FILES32.VXD had added itself under the [boot] section to the "shell=" line. The only thing that belongs on the "shell=" line is EXPLORER.EXE.

Once you've scrubbed your registry and system files, then reboot. Now use the Windows Explorer, or start button, find files command to search for two files. First, search all local rewritable drives for FILES32.VXD. Delete every instance. Now search for "PRETTY*.*". Delete every PRETTY PINK.EXE or every PRETTY~1.EXE. Now, hit Outlook or Outlook Express and make doubly certain that the virus email is deleted from every folder. Empty the deleted items folder. Close Outlook or Outlook Express. Empty the Recycle Bin. Reboot again for safe keeping, and you're done.

By the way, if you do get infected, resist temptation and don't send and apology email to everyone in your inbox -- they've heard from you enough for one day.

See also Pretty Park Cleaner 1.03 and CleanPrettyPark 1.02

What do you think? Tell the Mailroom and read what others have to say.

Editorial standards