Pretty Park

     

This is a combination beast: a worm, a password-stealing Trojan, and a backdoor. In June 1999 it was active across Europe, and another outbreak was noted in March 2000. There are a number of variants.

As a worm, the beast attaches itself to E-mail messages as the file PRETTY PARK.EXE. The associated icon shows a character from the cartoon show South Park.

[Image: Pretty Park icon]

When first run, the worm looks for an active copy in memory. If not found, it registers itself as a hidden application (i.e., it won't show up in the Windows Task List) and runs its install routine. This routine copies the worm to your Windows System directory as the file FILES32.VXD and then modifies the registry so that this file runs when any EXE file executes. (If you just delete FILES32.VXD and don't fix the registry then EXE files won't run any longer.)
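A check for the registry change described above, added here as an example and not taken from the original tutorial. It assumes the hook is the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, whose stock data is "%1" %* (the page does not name the key); the two registry exports are constructed samples, and the function names are illustrative.

```python
import re

# Assumption (not stated on the page): the "runs when any EXE file executes"
# hook is the default value of this key, whose stock data is "%1" %*.
EXE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
STOCK = '"%1" %*'

# Constructed sample exports (REGEDIT4 format), one clean and one hijacked.
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''

def default_value(reg_text, key):
    """Return the unescaped default (@) value of `key` from a .reg export."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and current.lower() == key.lower() and line.startswith('@="'):
            body = line[3:-1] if line.endswith('"') else line[3:]
            # .reg files escape backslash and double quote with a backslash.
            return re.sub(r'\\(["\\])', r"\1", body)
    return None

def check_exe_handler(reg_text):
    """Classify the EXE open handler as 'missing', 'clean' or 'hijacked'."""
    value = default_value(reg_text, EXE_KEY)
    if value is None:
        return {"status": "missing", "interposed": None}
    if value.strip() == STOCK:
        return {"status": "clean", "interposed": None}
    # Anything in front of "%1" is a program that runs before every EXE.
    head = value.split('"%1"')[0].strip().strip('"')
    return {"status": "hijacked", "interposed": head or value}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, check_exe_handler(sample))
```

When the handler is reported as hijacked, restore the stock value before deleting the interposed file, for the reason given in the paragraph above.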

If an error occurs during install, the worm tries to run the 3D Pipes screen saver (SSPIPES.SCR) and, if that is not found, the CANALISATION3D.SCR screen saver.

Continuing, the worm next opens an Internet connection and runs two routines: one every 30 seconds and the other every 30 minutes. The first attempts to make an IRC chat connection to one of 13 servers. It tries to send a message over that connection, through which the worm author could monitor which computers are now infected. The IRC server list includes:


As a backdoor, the worm can be used as a complete remote access tool. System information can be sent out, directories created/removed, files sent/deleted and executed. In short, if you can do it, the worm author can also.

The 30-minute routine accesses your Outlook address book and sends messages with the worm attached to those in your address book. The Subject is "C:\CoolProgs\Pretty Park.exe" and the EXE worm file is attached. Anyone running the attachment gets infected.

Overall, a nasty beast; best left alone!


Last Changed: Thursday, February 02, 2006