This page shows details and results of our analysis on the malware W32/Pretty.worm.unp


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation


This is an Internet worm that installs on Windows 9x/NT systems. It arrives via email from affected users who have also run this Internet worm. It appears as an icon of a character from the animated comedy series South Park. Emails containing this Internet worm have this format:

Subject: C:\CoolProgs\Pretty Park.exe

Test: Pretty Park.exe :)

Attached is the file Pretty park.exe and in some cases Pretty~1.exe.

This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express.

A second function of this worm is that it also tries to connect to several IRC servers and send data packets to the connected server. While the system is connected to the Internet, the worm sends and listens on random ports, both UDP and TCP. The range observed so far in testing is 1000 to 4900, with the port assigned at random. First it chooses a random UDP and/or TCP port, then it listens on that port, then it responds with a packet to that port and closes it. This happens approximately once every 30 seconds; the intervals are not fixed and also appear to be random. In testing, the following IRC servers are connected to for just a few seconds and are also chosen at random:


While connected, the worm tries to stay connected by sending information to the IRC server, and also retrieves any commands from the IRC channel. Through the chosen IRC server, the author of this worm could use the connection as a remote access trojan to obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking usernames and passwords.



When run, this program copies itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the command value of the registry key located at:


from "%1" %* to FILES32.VXD "%1" %*. This in effect causes FILES32.VXD to run whenever any .EXE file is executed.

See this related description of W32/Pretty.worm.

Method of Infection

Direct execution of the file "Pretty Park.exe" will install to the local system as mentioned above.


Removing this trojan is complicated by the depth to which it hooks the operating system.

One trick that AVERT has discovered is to rename the registry editing program from its original .EXE extension to a .COM extension (as in REGEDIT.COM). This bypasses the problem created by removing the trojan before editing the registry: the hooked .EXE association then points at a file that no longer exists, so .EXE programs (including REGEDIT.EXE) fail to launch, while a .COM file is not affected by the hook. This allows you to remove references to trojans and Internet worms.

To repair the registry via a registry script file, download this UNDO.REG file, and open it.

--- Manual Removal Instructions ---

1) Identify and note the files associated with this trojan as detected by the scanner.

2) Click START|RUN, type

and hit ENTER

3) Click START|RUN, type REGEDIT.COM and hit ENTER

4) Remove references to the trojan from these keys of the registry



They should contain only the following value (shown in brackets, which are not part of the value):
["%1" %*].

5) If applicable, remove any keys that run the main trojan under



HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName\

6) If applicable, delete the registry key if it exists


and exit Regedit

7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.

8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.

9) Restart the system.

10) Delete the trojan program(s). If all is well, the files will delete without error. If you get an error message saying that Windows is unable to delete the file because it is in use, you have made an error in the above procedure; repeat steps 1 to 9 and try again.
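As an added defensive check (not part of this description or of any AVERT tool), the following Python verifies the locations steps 4 to 8 inspect against exported registry text and the two INI files. The exefile command key path is an assumption, since the description leaves the key blank, and all sample inputs are constructed.

```python
# Added checker (constructed samples, not real captures) for the persistence points the removal steps inspect.
import configparser

# Assumed key holding the hooked "command" value; the description leaves it blank.
EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'      # step 4: the only permitted data
CLEAN_SHELL = "EXPLORER.EXE"   # step 8: SYSTEM.INI [boot] shell= line
TROJAN_FILE = "FILES32.VXD"

def parse_reg_export(text):
    """Return {key: {value_name: data}} from a REGEDIT4 text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip().strip('"').replace('\\"', '"')
    return keys

def ini_value(text, section, option):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get(section, option, fallback="").strip()

def check_system(reg_text, win_ini, system_ini):
    """Return findings as strings; an empty list means the checked locations are clean."""
    findings = []
    reg = parse_reg_export(reg_text)
    cmd = reg.get(EXEFILE_COMMAND_KEY, {}).get("(Default)")
    if cmd is not None and cmd != CLEAN_COMMAND:
        findings.append(f"exefile command hooked: {cmd}")
    for key, values in reg.items():  # steps 5-6: any other key launching the trojan
        for name, data in values.items():
            if key != EXEFILE_COMMAND_KEY and TROJAN_FILE.lower() in data.lower():
                findings.append(f"{TROJAN_FILE} referenced at {key}\\{name}")
    if TROJAN_FILE.lower() in ini_value(win_ini, "windows", "run").lower():
        findings.append("WIN.INI [windows] run= references the trojan")  # step 7
    shell = ini_value(system_ini, "boot", "shell")
    if shell.upper() != CLEAN_SHELL:
        findings.append(f"SYSTEM.INI [boot] shell= should be {CLEAN_SHELL}, got {shell!r}")
    return findings

# Constructed samples: the hooked command described above, and the repaired value.
INFECTED_REG = 'REGEDIT4\n\n[%s]\n@="FILES32.VXD \\"%%1\\" %%*"\n' % EXEFILE_COMMAND_KEY
CLEAN_REG = 'REGEDIT4\n\n[%s]\n@="\\"%%1\\" %%*"\n' % EXEFILE_COMMAND_KEY
CLEAN_WIN_INI = "[windows]\nrun=\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=EXPLORER.EXE\n"
```

Run `check_system(INFECTED_REG, CLEAN_WIN_INI, CLEAN_SYSTEM_INI)` to see the hooked command reported; the same call with `CLEAN_REG` returns an empty list.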