This worm infects Windows 95x/NT files, arrives via email, and appears as an icon of the character "Kyle" from the cartoon "South Park".
The worm attempts to email itself every 30 minutes to everyone in a user's Outlook Express address book.
The worm also attempts to connect to an IRC server; once on the server, the worm's author can obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking usernames and passwords.
How do you know if you are infected?
You will receive an email with the subject line "C:\CoolProgs\PrettyPark.exe".
When the program is run, it copies itself to FILES32.VXD in the WINDOWS\SYSTEM folder. Next, it modifies the registry value "command" located in HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open from "%1" %* to FILES32.VXD "%1" %*. This causes FILES32.VXD to run during the execution of any .exe file.
How do you get rid of it?
*Rename the registry editing programs from their original .EXE to a .COM extension* (because the hijacked .EXE association described above would otherwise launch the worm every time REGEDIT.EXE or REGEDT32.EXE is run)
1) Identify the files associated with this trojan as detected by the virus scan.
2) Open an MS-DOS prompt via the menu or click on START | RUN and type COMMAND and press enter.
3) Start Regedit by typing REGEDIT in Windows 95/98 or REGEDT32 in Windows NT.
4) Remove references to the trojan from the following:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
They should contain only the value "%1" %* (the brackets shown in some listings are not part of the value)
5) If applicable, remove any keys that run the main trojan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServ
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
6) If applicable, delete HKEY_CLASSES_ROOT\.dl if it exists
7) Exit Regedit
8) If applicable, edit WIN.INI and remove any reference to the worm from the Windows section
9) If applicable, edit SYSTEM.INI and remove any reference from the shell=line in the boot section (it should just contain the file EXPLORER.EXE)
10) Restart the system
11) Delete the worm programs. If you get an error that Windows cannot delete a particular file, then you have to repeat the above procedure.
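The registry changes described above (the hijacked exefile open command and any autorun entries under Run/RunServices) can be checked offline against a REGEDIT export before editing by hand. The following is an added example, not part of the original advisory: it parses a REGEDIT4 export, flags the open command when it is anything other than "%1" %*, and flags Run/RunServices values that reference the worm's file names. The export text and the value name "Hypothetical" are constructed for illustration.

```python
import re

DEFAULT_EXE_COMMAND = '"%1" %*'  # default exefile open command; the worm prepends FILES32.VXD
EXE_COMMAND_KEYS = (r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
                    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command")
AUTORUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
WORM_FILES = ("files32.vxd", "prettypark.exe")  # file names taken from the advisory

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"'):  # strip outer quotes, unescape \" and \\
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys

def find_prettypark_artifacts(text):
    """Return (key, value_name, data) tuples that match the worm's footprint."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k in (e.lower() for e in EXE_COMMAND_KEYS):
            cmd = values.get("(Default)", "")
            if cmd != DEFAULT_EXE_COMMAND:  # anything but "%1" %* is a hijack
                findings.append((key, "(Default)", cmd))
        elif k in (a.lower() for a in AUTORUN_KEYS):
            for name, data in values.items():
                if any(w in data.lower() for w in WORM_FILES):
                    findings.append((key, name, data))
    return findings

# Constructed sample export (not a real capture): one hijacked command, one clean one, one Run entry.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hypothetical"="C:\\CoolProgs\\PrettyPark.exe"
'''
```

Run find_prettypark_artifacts on an export produced by REGEDIT /E; each returned tuple is one value to restore or delete in step 4 or 5 above.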