RootsWeb.com Mailing Lists
Subject: [NYONEIDA-L] Apologies
From: Linda

Sorry everyone, I received the Pretty Park Trojan Virus and didn't know about it, so of course it attached itself to all my email addresses. I received the following for getting rid of the virus if anyone did happen to open the EXE file that was sent out. Again my apologies.

Linda
Melbourne, Australia

http://vil.nai.com/villib/alpha.asp

Profile
  Name: W32/Pretty.Worm
  Aliases: I-Worm.PrettyPark, Pretty Worm, PrettyPark
  Variants: None
  Date Added: 6/8/99

Information
  Discovery Date: 5/26/99
  Origin: France
  Length: 37,376
  Type: Trojan
  SubType: worm
  Risk Assessment: Medium
  Minimum DAT: 4029
  Minimum Engine: 4.0.25

Characteristics
This is a worm that infects Windows 9x/NT files. It arrives via email from infected users. It appears as an icon of a character from the animated comedy series "Southpark".

Symptoms
This program, when run, will copy itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the registry key value "command" located in the location HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause FILES32.VXD to run during the execution of any exe file. This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Internet address book.

A second function of this worm is that it will also try to connect to an IRC server and join a specific IRC channel. While connected, this worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. While on the determined IRC server, the author of this worm could use the connection as a remote access trojan in order to get information such as the computer name, registered owner, registered organization, system root path, and Dial Up Networking username and passwords.

Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local system as mentioned above.

Removal Instructions
The order to remove this trojan is complicated by the depth to which the trojan hooks the operating system. The following procedure should remove the Trojan.

1) Identify and note the files associated with this trojan as detected by the scanner - do not remove the trojan at this time. If you have already removed the trojan, you will not be able to run the REGEDIT steps below on the affected system. Proceed instead to step 11 listed below.
2) Run REGEDIT.EXE
3) Remove references to the trojan from the (Default) key of the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command\ It should read "%1" %*
4) Remove any keys that run the main server executable under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
5) Delete the registry key if it exists: HKEY_CLASSES_ROOT\.dl
6) Exit Regedit
7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well the files should be deleted OK. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):

    REGEDIT4

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="\"%1\" %*"

12) Save this file to the Windows folder of the affected system as the file "UNDO.REG".
13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should now be imported to the registry.

    02/28/2000 04:05:44
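The registry repair the quoted write-up walks through, as an added example that is not part of the original post or of the McAfee entry it quotes: a small Python checker that parses a REGEDIT4-style export, flags the exefile handler when it no longer reads "%1" %*, flags Run/RunServices entries that name FILES32.VXD, and regenerates the UNDO.REG shown above. It works offline on an exported .reg text file rather than a live registry; the sample export, the value name "Pretty" and all function names are constructed for this example.

```python
"""Offline audit of a REGEDIT4 export for the Pretty Park persistence changes.

Added example (not from the post or the McAfee write-up). Assumes the export is
in the REGEDIT4 text format that REGEDIT.EXE produces; only REG_SZ string
values are handled, which is all the removal procedure touches.
"""
import re

EXPECTED_EXE_COMMAND = '"%1" %*'          # stock handler for running .exe files
WORM_FILE = "FILES32.VXD"                 # file the write-up says the worm drops

# Keys named in the removal instructions.
EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}}; '@' is (Default)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # quoted string value
            keys[current][name] = data
    return keys


def audit_exefile_command(value):
    """Return (is_clean, repaired_value) for an exefile open-command value.

    Anything other than the stock "%1" %* (for example FILES32.VXD "%1" %*) means
    another program is being launched in front of every .exe.
    """
    normalized = " ".join(value.split())
    if normalized == EXPECTED_EXE_COMMAND:
        return True, normalized
    return False, EXPECTED_EXE_COMMAND


def audit_export(text):
    """List findings: hijacked exefile handlers and autorun entries naming the worm file."""
    reg = parse_reg(text)
    findings = []
    for key in EXEFILE_KEYS:
        value = reg.get(key, {}).get("@")
        if value is not None and not audit_exefile_command(value)[0]:
            findings.append(f"{key}: {value!r} (expected {EXPECTED_EXE_COMMAND!r})")
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if WORM_FILE in data.upper():
                findings.append(f"{key}\\{name}: {data!r}")
    return findings


def build_undo_reg():
    """Generate the UNDO.REG from the post, escaping the quotes for .reg syntax."""
    lines = ["REGEDIT4", ""]
    for key in EXEFILE_KEYS:
        lines += [f"[{key}]", '@="' + EXPECTED_EXE_COMMAND.replace('"', '\\"') + '"', ""]
    return "\n".join(lines)


# Constructed sample export resembling an infected Windows 9x system.
SAMPLE_INFECTED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Pretty"="C:\\WINDOWS\\SYSTEM\\FILES32.VXD"
'''

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_INFECTED):
        print("FINDING:", finding)
    print(build_undo_reg())
```

Running the block prints two findings for the constructed sample and then the UNDO.REG text; feeding that generated file back through audit_export yields no findings, which is the check a practitioner would want before importing it on the affected system.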