NAME: PrettyPark
 ALIAS: CHV, Pretty Park
 The 'PrettyPark' which is also known as 'Trojan.PSW.CHV' is an Internet
 worm, a password stealing trojan and a backdoor at the same time. It has
 been reported to be widespread in Central Europe in June 1999.
 Pretty Park is spread via intenet. It attachs itself to e-mails as
 'Pretty Park.exe'. Being executed it installs itself to system and then
 sends e-mail messages with its copy attached to addresses listed in
 Address Book and also informs someone (most likely worm author) on
 specific IRC servers about infected system settings and passwords. It
 also can be used as a backdoor (remote access tool).

 The first time the worm is executed it looks for its copy already active
 in memory.  The worm does this by looking for application that has
 "#32770" window caption. If there is no such window, the worm registers
 itself as a hidden application (not visible in the task list) and runs
 its installation routine.

 While installing to system the worm copies itself to \Windows\System\
 directory as FILES32.VXD file and then modifies the Registry to be run
 each time any EXE file starts when Windows is active. The worm does this
 by creating a new key in the HKEY_CLASSES_ROOT. The key name is
 exefile\shell\open\command and it is associated with the worm file
 (FILES32.VXD file that was created in the Windows system folder). If the
 FILES32.VXD file is deleted and Registry is not corrected no EXE file
 will ever be started in Windows further on.

In case of error during installing the worm activates the SSPIPES.SCR screen saver (3D Pipes)
If this file is missing, the worm tries to activate 'Canalisation3D.SCR' screen saver