RideCamp@endurance.net

VIRUS - REAL!!!! You may have it!!!



This is NOT a joke....look up this website and see for yourself.  I have
received this virus and it may be passed on to ANY of you as it is a
worm that sends itself to everyone in the address book of the person who
received it.  You do NOT have to "open" it to have it on your system.  I
am having my password changed by my server in an attempt to negate its
functionality.

http://www.datafellows.com/v-descs/prettyp.htm
--
Teddy Lancaster
American Endurance Ride Conference # 139422
- Member since 1974
6000+ career miles

================================================
Courage is what it takes to stand up and speak;
Courage is also what it takes to sit down and listen.

-- Winston Churchill
================================================

Running Bear Farm, Inc.
Your Trail Riding Equipment Headquarters - Celebrating our 20th
Anniversary!!!!
Teddy Lancaster, President
1348 Township Road 256
Kitts Hill, Ohio, 45645 USA  -  http://runningbear.com/
Webmaster for USA East website: http://runningbear.com/ETZ
Moderator for the USA EAST mailing list:
http://www.onelist.com/community/USAEAST
1-800-533-2327, FAX: 740-533-0337
Home of Khalarado+/ 1990 IAHA National Endurance Champion
- (1982 Chestnut CMK Stallion)
Supplying the WORLD with quality endurance equipment since 1980

Title: F-Secure Computer Virus Information Pages: PrettyPark
F-Secure Virus Information Pages

NAME: PrettyPark
ALIAS: PSW, CHV, Pretty Park

'PrettyPark', also known as 'Trojan.PSW.CHV', is at once an Internet worm, a password-stealing trojan and a backdoor. It was reported to be widespread in Central Europe in June 1999.

PrettyPark spreads over the Internet by attaching its body to e-mail messages as a file named 'Pretty Park.Exe'. When executed, it installs itself on the system, sends e-mail messages with a copy of itself attached to the addresses listed in the Address Book, and reports the infected system's settings and passwords to someone (most likely the worm's author) on specific IRC servers. It can also be used as a backdoor (remote access tool).

When the worm is executed on a system for the first time, it checks whether a copy is already active in memory by looking for an application with the window caption "#32770". If no such window exists, the worm registers itself as a hidden application (not visible in the task list) and runs its installation routine.

While installing, the worm copies itself to the \Windows\System\ directory as FILES32.VXD and then modifies the Registry so that it is run each time any EXE file is started while Windows is active. It does this by creating a new key under HKEY_CLASSES_ROOT named exefile\shell\open\command and associating it with the worm file (the FILES32.VXD created in the Windows system folder). If FILES32.VXD is deleted but the Registry is not corrected, no EXE file will start in Windows from then on.
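Because the persistence mechanism above is stated precisely, the following added check (written for this page, not F-Secure's analysis code or anything from the worm) classifies the value of HKEY_CLASSES_ROOT\exefile\shell\open\command: the stock Windows value `"%1" %*` is treated as clean, a value naming FILES32.VXD as PrettyPark, and anything else as an unknown hijack. The sample values are constructed; the live registry read only runs on Windows.

```python
import re
import sys

# Stock value Windows uses for HKCR\exefile\shell\open\command: run the EXE
# itself ("%1") with its own arguments (%*). Any other handler means every
# EXE launch is routed through another program first, which is how
# PrettyPark keeps FILES32.VXD running.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def exefile_command_status(command_value):
    """Classify an exefile\\shell\\open\\command value.

    Returns 'ok' for the stock value, 'prettypark' when the handler names
    FILES32.VXD (the file the worm installs in the system folder), and
    'hijacked' for any other non-default handler.
    """
    value = command_value.strip()
    if value.lower() == DEFAULT_EXEFILE_COMMAND.lower():
        return 'ok'
    if re.search(r'files32\.vxd', value, re.IGNORECASE):
        return 'prettypark'
    return 'hijacked'


def read_live_exefile_command():
    """Read the real key on Windows; return None elsewhere (winreg is Windows-only)."""
    if sys.platform != 'win32':
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r'exefile\shell\open\command') as key:
        value, _ = winreg.QueryValueEx(key, '')
    return value


# Constructed sample values (assumed shapes, not copied from an infected machine).
SAMPLES = {
    'clean': '"%1" %*',
    'prettypark': r'C:\WINDOWS\SYSTEM\FILES32.VXD "%1" %*',
    'other': r'C:\WINDOWS\SYSTEM\unknown.exe "%1" %*',
}

if __name__ == '__main__':
    for name, value in SAMPLES.items():
        print(name, '->', exefile_command_status(value))
    live = read_live_exefile_command()
    if live is not None:
        print('this machine ->', exefile_command_status(live))
```

Restoring the key to `"%1" %*` before removing FILES32.VXD avoids the "no EXE will start" failure the description warns about.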

If an error occurs during installation, the worm activates the SSPIPES.SCR screen saver (3D Pipes). If that file is missing, it tries to activate the 'Canalisation3D.SCR' screen saver instead.

The worm then initialises a socket (Internet) connection and starts two routines that run on a schedule: the first once every 30 seconds, the second once every 30 minutes.

The first routine, which runs every 30 seconds, tries to connect to one of the IRC chat servers listed below and sends a message to a particular user if that user is present on any channel of the server. This lets the worm's author monitor infected computers.

The list of IRC servers the worm tries to connect to:

 irc.twiny.net
 irc.stealth.net
 irc.grolier.net
 irc.club-internet.fr
 ircnet.irc.aol.com
 irc.emn.fr
 irc.anet.com
 irc.insat.com
 irc.ncal.verio.net
 irc.cifnet.com
 irc.skybel.net
 irc.eurecom.fr
 irc.easynet.co.uk

The worm may also be used by its author as a backdoor (remote access tool). It can send out system configuration details, the drive list and directory information, as well as confidential information: Internet access passwords and telephone numbers, Remote Access Service login names and passwords, ICQ numbers, etc. The backdoor can also create and remove directories, send and receive files, and delete and execute them.

The second routine, which runs every 30 minutes, opens the Address Book file, reads the e-mail addresses stored there, and sends messages to them. The Subject field of the message contains the text:

 C:\CoolProgs\Pretty Park.exe

The message carries a copy of the worm attached as Pretty Park.EXE. Anyone who receives this message and runs the attached file becomes infected.
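The two mail traits given above (the fixed Subject line and the 'Pretty Park.exe' attachment) are enough for a gateway filter. The following added example, not part of the F-Secure page or the mailing-list post, parses a message with Python's standard `email` module and reports which of those traits it carries; the sample messages are constructed, and the attachment body is a placeholder rather than real content.

```python
import email
from email import policy

# Indicators taken from the description: the exact Subject text and the
# attachment name (compared case-insensitively, since the page spells it
# both 'Pretty Park.exe' and 'Pretty Park.EXE').
WORM_SUBJECT = r'C:\CoolProgs\Pretty Park.exe'
WORM_ATTACHMENT = 'pretty park.exe'


def prettypark_indicators(raw_message):
    """Return the PrettyPark traits found in one raw RFC 822 message.

    Each hit is reported as a short string ('subject', 'attachment') so a
    filter can decide whether one trait or both are needed to quarantine.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg.get('Subject') or '').strip() == WORM_SUBJECT:
        hits.append('subject')
    for part in msg.walk():  # walks the root and every MIME part
        name = part.get_filename()
        if name and name.strip().lower() == WORM_ATTACHMENT:
            hits.append('attachment')
    return hits


# Constructed sample message in the shape the worm sends (not a real capture).
SAMPLE_WORM_MAIL = (
    b'From: someone@example.invalid\r\n'
    b'To: rider@example.invalid\r\n'
    b'Subject: C:\\CoolProgs\\Pretty Park.exe\r\n'
    b'MIME-Version: 1.0\r\n'
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b'\r\n'
    b'--b1\r\n'
    b'Content-Type: text/plain\r\n'
    b'\r\n'
    b'(body omitted)\r\n'
    b'--b1\r\n'
    b'Content-Type: application/octet-stream; name="Pretty Park.EXE"\r\n'
    b'Content-Disposition: attachment; filename="Pretty Park.EXE"\r\n'
    b'Content-Transfer-Encoding: base64\r\n'
    b'\r\n'
    b'UExBQ0VIT0xERVI=\r\n'  # placeholder bytes, not worm code
    b'--b1--\r\n'
)

# Constructed ordinary message for comparison.
SAMPLE_CLEAN_MAIL = (
    b'From: someone@example.invalid\r\n'
    b'To: rider@example.invalid\r\n'
    b'Subject: Ride results\r\n'
    b'\r\n'
    b'See you at the next ride.\r\n'
)
```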

[Analysis: AVP, F-Secure and DataRescue teams]  
