RideCamp@endurance.net

Pretty Park Virus Information




http://www.getvirushelp.com/PrettyPark/info.ssi
--
Teddy Lancaster
American Endurance Ride Conference # 139422
- Member since 1974
6000+ career miles

================================================
Courage is what it takes to stand up and speak;
Courage is also what it takes to sit down and listen.

-- Winston Churchill
================================================

Running Bear Farm, Inc.
Your Trail Riding Equipment Headquarters - Celebrating our 20th
Anniversary!!!!
Teddy Lancaster, President
1348 Township Road 256
Kitts Hill, Ohio, 45645 USA  -  http://runningbear.com/
Webmaster for USA East website: http://runningbear.com/ETZ
Moderator for the USA EAST mailing list:
http://www.onelist.com/community/USAEAST
1-800-533-2327, FAX: 740-533-0337
Home of Khalarado+/ 1990 IAHA National Endurance Champion
- (1982 Chestnut CMK Stallion)
Supplying the WORLD with quality endurance equipment since 1980

Title: Pretty Park Virus Information


W32.PrettyPark (a.k.a. Pretty Park)

Download my free PrettyParkCleaner (740kb) Freeware

Click here (43kb) if you already have the MSVBVM50.dll file
(Win98 users use this link)

What is W32.PrettyPark?

Pretty Park is a privacy-invading worm. Every 30 seconds, it tries to e-mail itself to the e-mail addresses in your Microsoft Outlook address book. It has also been reported to connect your machine to a custom IRC channel for the purpose of retrieving passwords from your system.

How do I get it?

Pretty Park arrives as an e-mail attachment. Double-clicking the PrettyPark.exe or Files32.exe program infects your computer. You may see the Microsoft Pipes screen saver after running the executable. Don't run the program and you won't get infected.

Who's at risk?

People running Microsoft Windows 95, Windows 98, or Windows NT are at risk. MacOS and WebTV are immune to the virus.

What exactly does the virus do to my computer?

When you run PrettyPark, the file Files32.vxd is placed in your Windows System directory. This file is actually a copy of the e-mail attachment. The worm then changes a value in your system's registry so that Windows runs Files32.vxd every time any .exe file is run. The value "%1" %* is changed to FILES32.VXD "%1" %* in the following key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Is there a way that I can protect myself?

Yes. Purchase one of the leading anti-virus programs.

Is there a way to tell if I have the virus?

Yes. Look for the presence of the Files32.vxd file inside your Windows System directory or download my PrettyPark cleaner.
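
The two indicators described on this page (the altered exefile open command and Files32.vxd in the Windows System directory) can be checked offline against a registry export and a directory listing. This is an added example, not the author's PrettyParkCleaner; the function names, the REGEDIT4 export as input, and the sample data are assumptions constructed for illustration.

```python
import re

EXE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
CLEAN_VALUE = '"%1" %*'      # value the page says to restore
WORM_FILE = "files32.vxd"    # dropped copy named on the page


def default_values(reg_text):
    """Map each key in a REGEDIT4 export to its (Default) string value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key names are case-insensitive
        elif key and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]
            # .reg strings escape backslash and double quote with a backslash
            values[key] = re.sub(r"\\(.)", r"\1", raw)
    return values


def check_host(reg_text, system_dir_listing):
    """Return findings for the two indicators the page describes."""
    findings = []
    value = default_values(reg_text).get(EXE_KEY.lower())
    if value is None:
        findings.append("exefile open command not present in export")
    elif value.strip() != CLEAN_VALUE:
        findings.append("exefile open command altered: " + value)
    if any(name.lower() == WORM_FILE for name in system_dir_listing):
        findings.append("Files32.vxd present in Windows System directory")
    return findings


# Constructed samples (not captured from a real machine).
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''
CLEAN_REG = INFECTED_REG.replace("FILES32.VXD ", "")

if __name__ == "__main__":
    for finding in check_host(INFECTED_REG, ["KERNEL32.DLL", "FILES32.VXD"]):
        print(finding)
```

Any value other than "%1" %* is reported, so the same check also flags other programs that have inserted themselves into the .exe open command.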

Is there a way that I can clean my computer?

Yes, you can follow these instructions OR download my free PrettyPark cleaner and run it.

1) Click the Start Menu - Run
2) Type regedit and click OK
3) Locate the following key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

4) Double click (Default) on the right and replace the current value with the following:

"%1" %*

5) Click OK and exit the registry
6) Restart the computer
7) Click the Start Menu - Find - File or Folders
8) Type Files32.vxd and click Find Now
9) Delete the file Files32.vxd

*** If you failed to make the necessary registry change and are unable to run any programs because your machine cannot locate Files32.vxd, download this file and open it. It will make the necessary change and allow you to run .exe files again.

How does the PrettyParkCleaner work?

In a nutshell, the cleaner works by searching for the Files32.vxd file inside your Windows System directory. If Files32.vxd is present, it gets deleted. This is accomplished by placing an entry in the "wininit.ini" file. This .ini file allows you to store instructions for Windows to carry out upon startup, before other programs are run. All PrettyPark.exe and Files32.exe files (which contain the PrettyPark virus) are searched for and deleted. Before the cleaner finishes, the proper registry value is restored to the following key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

How do I remove the PrettyParkCleaner from my machine?

All you need to do is to delete the file which you downloaded and all traces of the cleaner will be gone.

What can I do to protect myself in the future?

Get a good anti-virus scanning program with active protection. These programs will scan files as they are saved to your computer's storage devices, including incoming e-mail attachments. If you've gotten away without any virus protection so far, then you've been lucky (or perhaps you haven't, and you are just not aware of what's on your machine). With the new propagation methods that have been used by recent viruses, many other viruses, worms, and Trojans are sure to surface and spread like wildfire over the next few years.

Network Associates McAfee's VirusScan and Norton Anti-Virus are two of the best and most popular virus scanners on the market. I use McAfee's VirusScan. Their automated update and upgrade features are very handy and the program is straightforward and easy to use. Please follow the links below to learn more about these programs.

McAfee's VirusScan (FREE after rebate) downloadable
Norton Anti-Virus 2000 (FREE after rebate) downloadable
Tons of other (FREE after rebate) software downloadable

Is there anything more I should do?

Yes! These programs can only do their jobs if you keep their virus definitions up to date. A program's virus definition list is basically a text file that contains a list of all known viruses "in the wild" and tells the program how to recognize these viruses. A number of new viruses are discovered every day, so it is recommended that you update your program's virus definitions at least once a month. The first of the month is recommended as most software manufacturers release new virus definitions on that day. A number of the software titles can now be scheduled to update themselves. However, you must be connected to the Internet at the time that they run their updates.

A note of thanks

If you liked the program, found it useful, or would just like to say thank you, then feel free to send a $1 bill (US currency only please) to:

Craig Schmugar
P.O. Box 84
Northbrook, IL 60065

I am not responsible for any adverse effects that come about as a result of using this information or the PrettyParkCleaner application.


The PrettyParkCleaner and this web site were constructed by Craig Schmugar, the Technical Support Consultant for the School of Journalism at Northwestern University.

Questions, or Comments? Send mail to: craig@getvirushelp.com
© 1999 Craig Schmugar. All Rights Reserved.


