PrettyPark
The PrettyPark virus arrives with an attachment called "PrettyPark.EXE" that connects the
victim's machine to a chat room without their knowledge. Once in the chat room, the virus
appears to make data from the victim's computer available to the virus writer or
distributor. The kinds of data made available, according to ZDNet, include address book
lists, system preferences, registration numbers, passwords, and stored autofill form
information, which could include credit card information.
PrettyPark spreads in a manner similar to the Melissa virus: it accesses the victim's
electronic mail address book and tries to send itself to all of the listed addresses every
30 minutes.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
I-Worm.PrettyPark
(info taken from AVP)
This is a worm that spreads via the Internet. It arrives as a "PrettyPark" utility attached
to email. When executed it installs itself into the system, then sends infected messages
(with its own copy attached) to the addresses listed in the Windows Address Book, reports
system settings and passwords to a user on an IRC channel, and may also be used as a backdoor.
The worm itself is a Windows PE executable about 37 KB in length, compressed with the
WWPack32 utility. Unpacked, it is a 58 KB EXE file written in Delphi; the "pure" code in
the file occupies only about 45 KB. Despite this fairly small size for a Delphi application,
the worm has many features that make it a very dangerous and fast-spreading program.
When the worm is executed on a system for the first time, it looks for a copy of itself
already installed in memory. It does that by looking for an application with the "#32770"
window caption. If there is no such window, the virus registers itself as a hidden
application (not visible in the task list) and runs its installation routine.
While installing, the worm copies its file to the Windows system directory under the
filename FILES32.VXD and registers it in the system registry so that it is run each time
any other application starts. It does this by creating a new key under HKEY_CLASSES_ROOT,
named exefile\shell\open\command, and pointing it at the FILES32.VXD copy created in the
Windows system folder. Although the file has a .VXD extension, it is not a Win95/98 VxD
driver but a "true" Windows executable.
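A defender's check for this persistence mechanism, added here as an example and not part of the AVP write-up: it parses a .reg export (two constructed samples are embedded, one with the exefile handler redirected through FILES32.VXD and one clean) and reports whether the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command is still Windows' own `"%1" %*`. The C:\WINDOWS\SYSTEM path in the hijacked sample is an assumed value for illustration; the live-registry helper (Windows only) runs the same comparison against a running system.

```python
import re
import sys

# Registry key the write-up names as the worm's persistence point, and the
# value Windows uses by default for launching .exe files.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed .reg exports (not captured from a real host). The first shows the
# handler redirected through the worm's FILES32.VXD copy, the second is clean.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(quoted):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_reg_export(text):
    """Parse the string values of a .reg export into {key: {value_name: value}}.
    The default value of a key is stored under the empty name ''."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            values.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1))
            values[current][name] = _unescape(m.group(2))
    return values


def check_exefile_handler(values):
    """Return ('clean' | 'hijacked' | 'missing', command) for the exefile handler."""
    command = values.get(EXEFILE_KEY, {}).get("")
    if command is None:
        return "missing", None
    if command.strip() == DEFAULT_EXE_COMMAND:
        return "clean", command
    # Anything else means every .exe launch is routed through another program first.
    return "hijacked", command


def read_live_exefile_command():
    """Read the same value from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry check only works on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        command, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
        return command


if __name__ == "__main__":
    for label, export in (("hijacked sample", HIJACKED_EXPORT), ("clean sample", CLEAN_EXPORT)):
        verdict, command = check_exefile_handler(parse_reg_export(export))
        print(f"{label}: {verdict} -> {command}")
```

The comparison is deliberately strict: any handler value other than `"%1" %*` is reported, because a legitimate system has no reason to interpose a program on every executable launch, and a hijacked handler also means that deleting the worm file without restoring the key breaks the ability to run any .exe at all.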
If an error occurs during installation, the worm activates the SSPIPES.SCR screen saver (to
hide its activity?). If that file is not found, it tries to activate the Canalisation3D.SCR
screen saver instead.
The worm then initializes a socket (Internet) connection and starts two routines: the first
runs once every 30 seconds, the second once every 30 minutes.
Each time the first routine is activated it tries to connect to an IRC server (see the list
below) and, by means of special requests, sends messages to a user on these channels. In
this way the worm's author apparently tracks affected machines in order to monitor them.
The list of IRC servers the worm tries to connect to is as follows:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
Once recognized by the host (the virus author), the worm may be controlled as a backdoor
trojan horse. Through a set of commands it sends the remote host the system configuration,
the disk list and directory information, as well as confidential information: Internet
access passwords and telephone numbers, Remote Access Service login names and passwords,
ICQ numbers, etc. The backdoor is also able to create and remove directories, send and
receive files, and delete and execute them, etc.
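The 30-second IRC routine gives a network defender a simple signal: the same internal host reconnecting to the same server at a near-constant interval. The following is an added example, not part of the AVP write-up, that runs that periodicity check over a constructed outbound-connection log (the log format, the internal addresses and the timestamps are all made up for illustration) and marks hits whose destination is one of the IRC servers listed above. The interval, tolerance and minimum-event parameters are assumptions that would be tuned per site.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# IRC servers the AVP write-up lists as the worm's contact points.
PRETTYPARK_IRC_SERVERS = {
    "irc.twiny.net", "irc.stealth.net", "irc.grolier.net", "irc.club-internet.fr",
    "ircnet.irc.aol.com", "irc.emn.fr", "irc.anet.com", "irc.insat.com",
    "irc.ncal.verio.net", "irc.cifnet.com", "irc.skybel.net", "irc.eurecom.fr",
    "irc.easynet.co.uk",
}

# Constructed outbound-connection log (not from a real incident). Host .20
# reconnects to the same IRC server roughly every 30 s; host .21 browses normally.
SAMPLE_LOG = """\
2000-01-15T10:00:00 192.168.1.20 -> irc.twiny.net:6667
2000-01-15T10:00:05 192.168.1.21 -> www.example.com:80
2000-01-15T10:00:31 192.168.1.20 -> irc.twiny.net:6667
2000-01-15T10:00:44 192.168.1.21 -> www.example.com:80
2000-01-15T10:01:00 192.168.1.20 -> irc.twiny.net:6667
2000-01-15T10:01:30 192.168.1.20 -> irc.twiny.net:6667
2000-01-15T10:02:01 192.168.1.20 -> irc.twiny.net:6667
2000-01-15T10:03:10 192.168.1.21 -> www.example.com:80
"""


def parse_log(text):
    """Yield (timestamp, src, dst_host, dst_port) from lines of the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, _, dst = line.split()
        host, port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(when), src, host, int(port)


def find_beacons(text, expected_interval=30.0, tolerance=5.0, min_events=4):
    """Flag (src, dst) pairs whose connections recur at a near-constant interval.

    A pair is reported when it has at least `min_events` connections, the mean
    gap between them lies within `tolerance` seconds of `expected_interval`,
    and the gaps vary little (population std dev at most `tolerance` / 2)."""
    by_pair = defaultdict(list)
    for when, src, host, port in parse_log(text):
        by_pair[(src, host, port)].append(when)

    hits = []
    for (src, host, port), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        if abs(avg - expected_interval) <= tolerance and spread <= tolerance / 2:
            hits.append({
                "src": src,
                "dst": f"{host}:{port}",
                "events": len(times),
                "mean_interval": avg,
                "known_prettypark_server": host in PRETTYPARK_IRC_SERVERS,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Matching on the server list alone is brittle (the hosts can change or go away), so the cadence test carries the detection and the list only raises confidence; the same function with a different `expected_interval` serves for any fixed-period beacon.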
The second routine, activated once every 30 minutes, opens the Windows Address Book file,
reads the Internet addresses stored there, and sends a message to each of them. The message
can be sent not only to private email addresses but also to Internet conferences; this
depends solely on the Address Book contents. The message Subject field contains the text:
C:\CoolProgs\Pretty Park.exe
The message itself contains nothing but the attached copy of the worm.
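The mail the worm sends has a recognisable shape: an executable attachment, and a Subject that is a local Windows path naming that very attachment. The following mail-gateway rule is an added example, not part of the AVP write-up; it builds two constructed messages (placeholder bytes stand in for the attachment, the sender and recipient addresses are made up) and scores them with Python's standard `email` package. The extension list and the two-reason quarantine threshold are assumptions.

```python
import email
import os
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Extensions that Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".pif", ".vxd"}
# A subject that is a drive-letter path, like the worm's "C:\CoolProgs\Pretty Park.exe".
WINDOWS_PATH_SUBJECT = re.compile(r"^[A-Za-z]:\\")


def build_sample_message(subject, attachment_name):
    """Construct a message with one attachment (placeholder bytes, not a real binary)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "user@example.net"
    msg["To"] = "contact@example.org"
    part = MIMEApplication(b"placeholder-bytes", Name=attachment_name)
    part.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(part)
    return msg.as_string()


# Constructed samples: one shaped like the worm's mail, one ordinary message.
WORM_LIKE = build_sample_message(r"C:\CoolProgs\Pretty Park.exe", "Pretty Park.exe")
ORDINARY = build_sample_message("Meeting notes", "notes.pdf")


def classify(raw_message):
    """Return the list of reasons this message matches the worm's mail pattern."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    reasons = []
    executables = [n for n in names if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]
    if executables:
        reasons.append(f"executable attachment: {', '.join(executables)}")
    if WINDOWS_PATH_SUBJECT.match(subject):
        reasons.append("subject is a local Windows path")
        # The worm's subject is the path of the attachment it carries.
        basename = subject.rsplit("\\", 1)[-1]
        if basename.lower() in {n.lower() for n in names}:
            reasons.append("subject path names the attachment itself")
    return reasons


def should_quarantine(raw_message):
    """Quarantine when an executable attachment coincides with a path-like subject."""
    reasons = classify(raw_message)
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("ordinary", ORDINARY)):
        print(label, should_quarantine(raw))
```

A single executable attachment is not enough on its own to quarantine (legitimate software was routinely mailed around in 1999), which is why the rule wants a second indicator; the path-shaped subject is cheap to check and has no legitimate reason to appear on a message whose only content is the attachment.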