This is a worm that spreads via the Internet. It arrives as an email attachment
posing as a "Pretty Park" utility. When executed it installs itself in the
system, then sends infected messages (with its own copy attached) to the
addresses listed in the Windows Address Book, reports the system's settings and
passwords to a user on an IRC channel, and can also be used as a backdoor.
The worm itself is a Windows PE executable about 37Kb long, compressed with the
WWPack32 utility. Unpacked, it is a 58Kb EXE file written in Delphi; the
"pure" code occupies only about 45Kb. Despite this modest size for a Delphi
application, the worm has many features that make it a very dangerous and
fast-spreading program.
When the worm is executed for the first time, it checks whether a copy is
already resident in memory by looking for an application whose window caption
is "#32770" (note that "#32770" is also the window class name Windows assigns
to standard dialog boxes). If no such window exists, the worm registers itself
as a hidden application (not shown in the task list) and runs its installation
routine.
During installation the worm copies its file to the Windows system directory
under the name FILES32.VXD and registers it in the system registry so that it
is run every time any other application is started. It does this through the
HKEY_CLASSES_ROOT\exefile\shell\open\command key, which holds the command
Windows uses to open .EXE files: the worm points that command at the
FILES32.VXD copy in the Windows system folder. Because of this hook, deleting
FILES32.VXD without restoring the key to its default value of "%1" %* leaves
the machine unable to start any .EXE file. Despite the .VXD extension, the
file is not a Win95/98 VxD driver but a "true" Windows executable.
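The persistence hook above is easy to verify offline from a registry export. The following check, added here as an example and not part of the worm or of the original description, parses a .reg text export and flags any exefile\shell\open\command default value that differs from the Windows default "%1" %*. Both exports are constructed for the example, and the exact command string the worm writes is an assumption.

```python
"""Check a Windows registry export (.reg text) for the exefile\\shell\\open\\command
hijack the worm uses for persistence.  Added example, not the worm's own code.
Both exports below are constructed; the exact command string the worm writes
into the key is an assumption."""
import re

# Value Windows installs by default: run the .EXE itself and pass its arguments through.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_OPEN_KEY = r"hkey_classes_root\exefile\shell\open\command"

# Constructed export of an infected machine: every .EXE launch now goes through FILES32.VXD
HIJACKED_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

# Constructed export of a clean machine
CLEAN_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def parse_reg_defaults(reg_text):
    """Return {key_path (lower-cased): default_value} for every '@="..."' line.

    Registry key names are case-insensitive, hence the lower-casing.  Only REG_SZ
    default values are handled, which is all this check needs."""
    defaults = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif current_key and line.startswith('@="') and line.endswith('"'):
            escaped = line[3:-1]
            # .reg files escape backslashes and double quotes with a backslash
            defaults[current_key] = re.sub(r"\\(.)", r"\1", escaped)
    return defaults


def check_exefile_hijack(reg_text):
    """Return (hijacked, command).

    hijacked is True when the .EXE launch command is anything other than the
    Windows default, i.e. when some other file is started before every program."""
    defaults = parse_reg_defaults(reg_text)
    command = defaults.get(EXEFILE_OPEN_KEY, DEFAULT_EXEFILE_COMMAND)
    return command.strip() != DEFAULT_EXEFILE_COMMAND, command


if __name__ == "__main__":
    for label, export in (("infected", HIJACKED_REG), ("clean", CLEAN_REG)):
        hijacked, command = check_exefile_hijack(export)
        print(f"{label}: hijacked={hijacked} command={command!r}")
```

On a live machine the same value can be exported with `regedit /e` and fed to this script; a missing key is treated as the default, so the check only reports explicit redirections.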
If an error occurs during installation, the worm starts the SSPIPES.SCR screen
saver (presumably to disguise its activity). If that file is not found, it
tries to start the Canalisation3D.SCR screen saver instead.
The worm then initializes a socket (Internet) connection and starts two
routines: the first is activated once every 30 seconds, the second once every
30 minutes.
Each time the first routine is activated it tries to connect to one of the IRC
servers listed below and, in response to special requests, sends messages to a
user on these channels. In this way the worm's author apparently collects the
infected machines in order to monitor them. The list of IRC servers the worm
tries to connect to is as follows:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
Once recognized by the host (the virus author), the worm can be manipulated as
a backdoor trojan. Through a set of commands it sends the remote host the
system configuration, the list of disks and directory information, as well as
confidential data: Internet access passwords and telephone numbers, Remote
Access Service login names and passwords, ICQ numbers, etc. The backdoor can
also create and remove directories, send and receive files, and delete and
execute them.
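The 30-second check-in routine gives the infection a network signature independent of the file: a steady cadence of connections to the servers in the list above. The script below, added here as an example and not part of the original description, parses firewall connection logs, groups connections by source and destination, and flags pairs that either contact a server from the worm's list or show a median connection interval of about 30 seconds. The log format, the internal addresses, and the use of the standard IRC port 6667 are assumptions; the log lines are constructed.

```python
"""Detect the worm's 30-second IRC check-in in firewall connection logs.
Added example, not part of the original description.  The log lines are
constructed; the log format, the internal addresses, and the standard IRC
port 6667 are assumptions made for the example."""
import re
from datetime import datetime
from statistics import median

# IRC servers from the description
PRETTYPARK_IRC_SERVERS = {
    "irc.twiny.net", "irc.stealth.net", "irc.grolier.net",
    "irc.club-internet.fr", "ircnet.irc.aol.com", "irc.emn.fr",
    "irc.anet.com", "irc.insat.com", "irc.ncal.verio.net",
    "irc.cifnet.com", "irc.skybel.net", "irc.eurecom.fr",
    "irc.easynet.co.uk",
}
BEACON_INTERVAL_S = 30   # the first routine runs once per 30 seconds
TOLERANCE_S = 5          # allowed jitter around that interval
MIN_CONNECTIONS = 4      # fewer connections give no usable cadence

# Constructed log: 192.168.1.23 checks in with irc.stealth.net every ~30 s,
# 192.168.1.40 browses the web and makes a single IRC connection.
SAMPLE_LOG = """\
1999-06-01 10:00:00 src=192.168.1.23 dst=irc.stealth.net dport=6667 action=allow
1999-06-01 10:00:05 src=192.168.1.40 dst=www.example.com dport=80 action=allow
1999-06-01 10:00:31 src=192.168.1.23 dst=irc.stealth.net dport=6667 action=allow
1999-06-01 10:01:00 src=192.168.1.23 dst=irc.stealth.net dport=6667 action=allow
1999-06-01 10:01:30 src=192.168.1.23 dst=irc.stealth.net dport=6667 action=allow
1999-06-01 10:02:01 src=192.168.1.23 dst=irc.stealth.net dport=6667 action=allow
1999-06-01 10:02:30 src=192.168.1.23 dst=irc.stealth.net dport=6667 action=allow
1999-06-01 10:03:12 src=192.168.1.40 dst=www.example.com dport=80 action=allow
1999-06-01 10:03:40 src=192.168.1.40 dst=irc.twiny.net dport=6667 action=allow
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_irc_beacons(text):
    """Return one finding per (src, dst, dport) triple that contacts a server from the
    worm's list or shows the ~30 s cadence; sorted by source then destination."""
    by_pair = {}
    for ts, src, dst, dport in parse_log(text):
        by_pair.setdefault((src, dst, dport), []).append(ts)

    findings = []
    for (src, dst, dport), stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # median rather than mean so one long pause does not hide the cadence
        periodic = (len(stamps) >= MIN_CONNECTIONS
                    and abs(median(gaps) - BEACON_INTERVAL_S) <= TOLERANCE_S)
        known = dst.lower() in PRETTYPARK_IRC_SERVERS
        if periodic or known:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(stamps),
                "median_gap_s": median(gaps) if gaps else None,
                "known_server": known, "periodic": periodic,
            })
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


if __name__ == "__main__":
    for finding in find_irc_beacons(SAMPLE_LOG):
        print(finding)
```

The server list alone flags the single connection from 192.168.1.40, while the cadence test catches the check-in even if the worm were pointed at a server not in the list.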
The second routine, activated once every 30 minutes, opens the Windows Address
Book file, reads the Internet e-mail addresses stored there, and sends a
message to each of them. The message's Subject field contains the text:
C:\CoolProgs\Pretty Park.exe
The message body contains nothing but the attached copy of the worm.
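The mailing pattern above (that exact Subject, an empty body, and an executable as the only attachment) is enough for a mail-gateway check. The script below, added here as an example and not the worm's own code, builds a message shaped like the one described, parses it back as a gateway would, and reports which indicators it matches. The messages are constructed, and the attachment is a stub beginning with the "MZ" DOS/PE header rather than a real sample.

```python
"""Mail-gateway check for the mailing pattern described above: Subject
'C:\\CoolProgs\\Pretty Park.exe', an empty body, and an executable as the
only attachment.  Added example, not the worm's own code.  Both messages are
constructed; the attachment is an 'MZ'-header stub, not a real sample."""
import email
from email import policy
from email.message import EmailMessage

PRETTYPARK_SUBJECT = r"C:\CoolProgs\Pretty Park.exe"


def build_prettypark_message():
    """Constructed message shaped like the one the text describes (stub attachment)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "friend@example.com"
    msg["Subject"] = PRETTYPARK_SUBJECT
    # no set_content(): the body is nothing but the attachment, as in the description
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="Pretty Park.exe")
    return msg.as_bytes()


def build_benign_message():
    """Constructed ordinary text message for comparison."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "lunch?"
    msg.set_content("Same place at noon?")
    return msg.as_bytes()


def classify(raw):
    """Return the matched indicators and a verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    subject = (msg["Subject"] or "").strip()
    subject_match = subject.lower() == PRETTYPARK_SUBJECT.lower()

    exe_attachment = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "replace")
        # match on the name or on the DOS/PE header, so a renamed copy is still caught
        if name.endswith(".exe") or data.startswith(b"MZ"):
            exe_attachment = True

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    empty_body = not body_text.strip()

    return {
        "subject_match": subject_match,
        "exe_attachment": exe_attachment,
        "empty_body": empty_body,
        # the Subject plus an executable attachment is the decisive combination
        "verdict": subject_match and exe_attachment,
    }


if __name__ == "__main__":
    print("worm-shaped:", classify(build_prettypark_message()))
    print("benign:     ", classify(build_benign_message()))
```

The verdict rests on the Subject and the executable attachment; the empty body is reported separately because it strengthens the match but is not required for it.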