There have been several reports about the PrettyPark.Worm program recently. This worm was first reported to be in the wild early summer. However, even though antivirus program have support for detecting this worm, it still spreads.

Recently it was reported to spread heavily in Switzerland and Germany.

This worm spreads through e-mails as the attachment PrettyPark.exe. It infects computers running Windows 95/98 and Windows NT. When the attachment is launched, this action takes place:

• It creates the file FILES32.VXD to Windows System directory (default is C:\WINDOWS\SYSTEM).
• It changes a registry setting so that the file FILES32.VXD is run each time an EXE file is run.
• It may display a screensaver.
• It tries to e-mail itself to all entries in the address book every 30 minutes.
• It tries to connect to a IRC server and join a specific IRC channel. While connected the user is in danger of being compromised, as information about his/her computer environment may be revealed.

Norman Virus Control has detected this worm for several months. The removal of the worm however has to be done semi-manually by performing these steps in this order:

1. Download the file PARKFIX.REG by right clicking on it.,
2. Run the file PARKFIX.REG from "My Computer" by double clicking on it.
3. Verify the message that appears on the screen about adding information to the registry with OK
4. Reboot the computer.
5. Delete the files 'windir'\SYSTEM\FILES32.VXD (default is c:\windows\system) and PrettyPark.exe.

(Security info updated 28 March and 7 April 2000)

Per Olav Førland