PrettyPark spreads itself via Internet by attaching its body to
e-mails as 'Pretty Park.Exe' file. The file has the icon showing
a character or the famous cartoon serial called South Park.
Being executed it installs itself to system and then sends e-mail
messages with its copy attached to addresses listed in Address
Book and also informs someone (most likely worm author) on
specific IRC servers about infected system settings and
passwords. It also can be used as a backdoor (remote access
When the worm is executed in the system for the first time, it looks
for its copy already active in memory. The worm does this by looking
for application that has "#32770" window caption. If there is no such
window, the worm registers itself as a hidden application (not visible
in the task list) and runs its installation routine.
While installing to system the worm copies itself to
\Windows\System\ directory as FILES32.VXD file and then modifies
the Registry to be run each time any EXE file starts when Windows
is active. The worm does this by modifying an EXE file startup
command key in the HKEY_CLASSES_ROOT. The key name is
exefile\shell\open\command and it is associated with the worm
file (FILES32.VXD file that was created in the Windows system
folder). If the FILES32.VXD file is deleted and Registry is not
corrected, the EXE files would not start any more.
In case of error during installing the worm activates the SSPIPES.SCR
screen saver (3D Pipes). If this file is missing, the worm tries to
activate 'Canalisation3D.SCR' screen saver.
Then the worm opens Internet connection and activates 2 its routines.
Further on theseinits socket (Internet) connection and runs its
routines that are activated regularly: the first one once per 30
seconds, another one - once per 30 minutes.
The first routine that activates once in 30 seconds tries to connect
to one of IRC chat servers (see the list below) and to send a messages
to someone if he is present on any channel of this chat server. This
allows worm author to monitor infected computers.
The list of IRC servers the worm tries to connect to:
The worm may be also used as a backdoor (remote access tool) by its
author. It can send out system configuration details, drives list,
directories info as well as confidential information: Internet access
passwords and telephone numbers, Remote Access Service login names and
passwords, ICQ numbers, etc. The backdoor is also able to
create/remove directories, send/receive files, delete and execute
The second routine, which is activated once per 30 minutes, opens
Address Book file, reads e-mail addresses from there, and sends
messages to these addresses. The message Subject field contains the
The message has an attached copy of the worm as Pretty Park.EXE
file. If someone receives this message and runs the attached file
his system becomes infected.
Upon disinfection of this worm F-Secure Anti-Virus first restores
the EXE startup Registry key to its default value and then
renames the worm's file. Disinfection is done automatically and
doesn't need any input from a user. Please note that earlier
versions of F-Secure Anti-Virus do not modify the specified
Registry key themselves. So if you still have a problem with this
registry key and you are unable to start EXE files in Windows
please download and run the special REG file to solve the
After downloading you need to run (double-click or press 'Enter'
when the cursor is placed on the needed file) the PPDISINF.REG
file from Windows Explorer. Note, that the .REG extension might
not be shown if you don't have 'Show All Files' option on.
Alternatively you need to click on 'Start' button, then on 'Run'
menu and either input the location of PPDISINF.REG file manually
(for example C:\PPDISINF.REG) or to find it with 'Browse' button.
After the location is entered you need to click on 'Ok' button
and the REG file will be run solving your Pretty Park problem. If
you have problems locating or running the downloaded file please
consult a more experienced computer user.
You can also use a free version of F-Prot for DOS to remove
Pretty Park worm from an infected system. It is a requirement to
perform disinfection from pure DOS and to run the above listed
REG file before exiting Windows.
For successful disinfection all files detected as Pretty Park
should be deleted from an infected system.
[Analysis: AVP, F-Secure and DataRescue teams, 1999-2001]