PrettyPark
Type: Worm, Trojan
Aliases:
Systems Affected: Windows 32-bit systems
Payload: Improper removal can lead to executables not being able to launch. Remote access Trojan leaves system vulnerable. Password-stealing Trojan can lead to security compromise.
ITW: Yes
Origin: Central Europe
Description: Spreads via email as an attached file named PrettyPark.exe. The file has the icon of a South Park cartoon character. If executed, the worm first installs itself to the Windows\System directory as FILES32.VXD and then sends a copy of itself to all addresses listed in the Outlook/Outlook Express address book. It also sends passwords and system information via IRC. PrettyPark modifies the registry so that it runs each time any .EXE file is run. Thus, if the worm (FILES32.VXD) is deleted without correcting the registry entry, other .EXE files on the system will no longer run. While installing to the system, the worm copies itself to the \Windows\System\ directory as the file FILES32.VXD and then modifies the Registry so that it runs each time any EXE file starts while Windows is active. The worm does this by modifying an EXE file startup command key in the . The key name is and it is associated with the worm file (FILES32.VXD file that was created in the Windows system folder). If the FILES32.VXD file is deleted and the Registry is not corrected, EXE files will no longer start.
What to look for: Check the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command and look for the value FILES32.VXD. Also, check the Windows\System directory for the filename FILES32.VXD.
How to prevent it: Do not open attachments received unexpectedly, even from known sources. Keep your antivirus software up to date, and save and scan any attachments before opening them.
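The two checks under "What to look for" can be run as one read-only PowerShell script. This is an added example, not part of the original encyclopedia entry. It assumes the stock Windows .EXE handler value is `"%1" %*`, and it also looks in System32 (an added assumption for NT-based systems; the entry names only Windows\System).

```powershell
# Added example: read-only check for the PrettyPark indicators named above.
# It changes nothing on the system; it only reports what it finds.
$key      = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$wormFile = 'FILES32.VXD'
$expected = '"%1" %*'   # assumption: stock Windows handler for .EXE files

function Test-ExeHandler {
    param([string]$Command)
    # Classify the (Default) value of the exefile open command.
    if ($Command -match [regex]::Escape($wormFile)) { return 'Hijacked' }
    if ($Command.Trim() -eq $expected)              { return 'Clean' }
    return 'Modified'   # not the worm's marker, but not the stock value either
}

# GetValue('') reads the key's (Default) value.
$command = (Get-Item -Path $key -ErrorAction Stop).GetValue('')
$state   = Test-ExeHandler -Command ([string]$command)

# Windows\System is the path given in the entry; System32 is an added
# assumption to cover NT-based installs.
$dirs  = 'System', 'System32' | ForEach-Object { Join-Path $env:windir $_ }
$found = $dirs | ForEach-Object { Join-Path $_ $wormFile } |
         Where-Object { Test-Path -LiteralPath $_ }

[pscustomobject]@{
    ExeOpenCommand = $command
    HandlerState   = $state
    WormFileFound  = @($found)
}

# The order matters: the entry warns that deleting the file while the
# handler still points at it stops every .EXE from launching.
if ($state -eq 'Hijacked' -and -not $found) {
    Write-Warning "Handler still references $wormFile but the file is gone: .EXE files will not launch until the handler is restored."
} elseif ($state -eq 'Hijacked') {
    Write-Warning "Restore the handler to $expected before deleting $wormFile."
}
```

A `Modified` result means the handler is neither the stock value nor the worm's and should be reviewed by hand.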

