The 'PrettyPark' worm, also known as 'Trojan.PSW.CHV', is an Internet worm,
a password-stealing trojan and a backdoor at the same time. It was reported
to be widespread in Central Europe in June 1999.
PrettyPark spreads via the Internet by attaching its body to e-mail
messages as a file named 'Pretty Park.Exe'. When executed, it installs
itself into the system, then sends e-mail messages with its copy attached
to the addresses listed in the Address Book, and also reports the infected
system's settings and passwords to someone (most likely the worm author)
on specific IRC servers. It can also be used as a backdoor (remote access
tool).
When the worm is executed on a system for the first time, it checks
whether a copy of itself is already active in memory. It does this by
looking for an application with the window caption "#32770". If no such
window exists, the worm registers itself as a hidden application (not
visible in the task list) and runs its installation routine.
During installation the worm copies itself to the \Windows\System\
directory as FILES32.VXD and then modifies the Registry so that it is run
each time any EXE file is started while Windows is active. It does this by
creating a new key under HKEY_CLASSES_ROOT, named
exefile\shell\open\command, and associating it with the worm file (the
FILES32.VXD file created in the Windows system folder). If FILES32.VXD is
deleted without correcting the Registry, no EXE file can be started in
Windows from then on.
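Because deleting FILES32.VXD without fixing the handler leaves every EXE unlaunchable, a disinfection tool has to inspect and restore the exefile\shell\open\command value in the same step. The following is an added illustration, not code from the original analysis or from any of the named vendors: it parses an exported .reg dump offline, flags a handler that points at FILES32.VXD, and produces the fragment that restores the stock `"%1" %*` handler. The sample export and the exact hijacked value are constructed for the example; the analysis above only states that the key is associated with the worm file.

```python
# Constructed sample of a 'reg export HKEY_CLASSES_ROOT\exefile' dump.
# The FILES32.VXD command line is an assumed illustration of the hijack.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

# Stock value of the EXE open handler on a clean Windows installation.
CLEAN_DEFAULT = '"%1" %*'
TARGET_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WORM_FILE = "files32.vxd"


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping: \" -> " first, then \\ -> \
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_exefile_handler(reg_text):
    """Classify the EXE open handler as 'clean', 'prettypark' or 'unexpected'."""
    values = parse_reg_export(reg_text).get(TARGET_KEY, {})
    data = values.get("(Default)", "")
    if data == CLEAN_DEFAULT:
        return "clean", data
    if WORM_FILE in data.lower():
        return "prettypark", data
    return "unexpected", data


def repair_fragment():
    """A .reg fragment restoring the stock handler; apply it before removing FILES32.VXD."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{TARGET_KEY}]\n"
            '@="\\"%1\\" %*"\n')


if __name__ == "__main__":
    status, data = check_exefile_handler(SAMPLE_EXPORT)
    print(f"handler status: {status}  value: {data}")
    if status == "prettypark":
        print("restore with:\n" + repair_fragment())
```

The order of operations matters: restore the handler first (the repair fragment is itself a valid .reg file), then delete FILES32.VXD; doing it the other way round reproduces the broken-EXE condition the analysis describes.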
If an error occurs during installation, the worm activates the SSPIPES.SCR
screen saver (3D Pipes). If that file is missing, the worm tries to
activate the 'Canalisation3D.SCR' screen saver instead.
The worm then opens an Internet (socket) connection and starts two
routines that run at regular intervals: the first once every 30 seconds,
the second once every 30 minutes.
The first routine, activated every 30 seconds, tries to connect to one of
the IRC chat servers listed below and sends messages to a particular user
if that user is present on any channel of the server. This allows the worm
author to monitor infected computers.
The list of IRC servers the worm tries to connect to:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
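A 30-second connection attempt to a fixed set of IRC servers is a distinctive network signature. The following added example, which is not part of the original analysis, scans constructed firewall log lines for hosts that contact the listed servers at roughly that period. The log format (ISO timestamp followed by key=value fields) and the addresses are assumptions made for the example; the server list is the one given above.

```python
from collections import defaultdict
from datetime import datetime

# IRC servers named in the analysis.
IRC_SERVERS = {
    "irc.twiny.net", "irc.stealth.net", "irc.grolier.net",
    "irc.club-internet.fr", "ircnet.irc.aol.com", "irc.emn.fr",
    "irc.anet.com", "irc.insat.com", "irc.ncal.verio.net",
    "irc.cifnet.com", "irc.skybel.net", "irc.eurecom.fr",
    "irc.easynet.co.uk",
}

# Constructed log lines (assumed format, not a real firewall export).
# 10.0.0.5 beacons to listed servers every ~30 s; 10.0.0.7 makes one
# connection; 10.0.0.9 talks to a server that is not on the list.
LOG_LINES = [
    "1999-06-10T10:00:00 src=10.0.0.5 dst=irc.twiny.net action=allow",
    "1999-06-10T10:00:31 src=10.0.0.5 dst=irc.stealth.net action=allow",
    "1999-06-10T10:00:40 src=10.0.0.7 dst=irc.grolier.net action=allow",
    "1999-06-10T10:01:00 src=10.0.0.5 dst=irc.grolier.net action=allow",
    "1999-06-10T10:01:05 src=10.0.0.9 dst=irc.example.net action=allow",
    "1999-06-10T10:01:29 src=10.0.0.5 dst=irc.emn.fr action=allow",
]


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_beacons(lines, servers=IRC_SERVERS, period=30, tolerance=5, min_hits=3):
    """Return source hosts that contact listed servers at ~period-second gaps.

    A host is reported when it has at least min_hits connections to the
    server set whose consecutive gaps are within tolerance of the period.
    """
    by_host = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("dst", "").lower() in servers:
            by_host[rec["src"]].append(rec["ts"])

    suspects = []
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        # n periodic gaps means n+1 connections on the beacon schedule
        if len(periodic) + 1 >= min_hits:
            suspects.append(host)
    return sorted(suspects)


if __name__ == "__main__":
    for host in find_beacons(LOG_LINES):
        print(f"possible PrettyPark beacon from {host}")
```

The tolerance window is deliberate: a single ordinary IRC session from a host should not trip the rule, while the worm's fixed schedule produces a run of near-identical gaps even when individual connections fail and fall over to the next server in the list.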
The worm can also be used by its author as a backdoor (remote access
tool). It can send out system configuration details, the list of drives
and directory information, as well as confidential data: Internet access
passwords and telephone numbers, Remote Access Service login names and
passwords, ICQ numbers, etc. The backdoor can also create and remove
directories, send and receive files, and delete and execute them.
The second routine, activated once every 30 minutes, opens the Address
Book file, reads the e-mail addresses stored there, and sends messages to
those addresses. The message Subject field contains the text:
C:\CoolProgs\Pretty Park.exe
The message carries a copy of the worm attached as the file
Pretty Park.EXE. If a recipient runs the attached file, their system
becomes infected.
[Analysis: AVP, F-Secure and DataRescue teams]