Class
Email-Worm
Platform
Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message, or a link to its file on a network resource (e.g. a URL to an infected file on a compromised or attacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched); in the second case, it activates when the link to the infected file is followed. In both cases the result is the same: the worm code runs.

Email-Worms use a range of methods to send infected emails. The most common are:
  • a direct connection to an SMTP server, using the email directory built into the worm’s code
  • MS Outlook services
  • Windows MAPI functions

Email-Worms use a number of different sources to find the email addresses to which infected emails will be sent:
  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Platform: Win32

Win32 is the API of Windows NT-based operating systems (Windows XP, Windows 7, etc.) for running 32-bit applications, and one of the most widespread programming platforms in the world.

Description

Technical Details

This is a worm that spreads via the Internet. It arrives as an e-mail attachment posing as a “Pretty Park” utility. When executed, it installs itself into the system, then sends infected messages (with its own copy attached) to the addresses listed in the Windows Address Book, reports system settings and passwords to a user on an IRC channel, and can also be operated as a Backdoor.

The worm itself is a Windows PE executable about 37 KB in length, compressed with the WWPack32 utility. Unpacked, it is a 58 KB EXE written in Delphi, of which only about 45 KB is actual code. Despite this small size for a Delphi application, the worm has enough features to make it a dangerous and fast-spreading program.

When the worm is executed in the system for the first time, it checks whether a copy is already running in memory by looking for a window with the caption "#32770" (note that "#32770" is also the class name Windows assigns to standard dialog boxes, so this check is not unique to the worm). If no such window exists, the worm registers itself as a hidden application (not visible in the task list) and runs its installation routine.

While installing into the system, the worm copies its file to the Windows system directory as FILES32.VXD and hooks it into the registry so that it is run each time any other application starts. It does this under HKEY_CLASSES_ROOT: the default value of the key exefile\shell\open\command (the command Windows uses to launch every .EXE file) is pointed at the FILES32.VXD copy in the Windows system folder. Despite the .VXD extension, this file is not a Win95/98 VxD driver but an ordinary Windows executable.
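As an added example (not part of the original description), the following Python script checks a registry export for the handler hijack described above. It assumes the defender has run `reg export HKCR\exefile\shell\open\command handler.reg` on the suspect machine (on current Windows versions the export is UTF-16; decode it before passing the text in), that the stock handler value is `"%1" %*`, and that any command placed in front of `"%1"` is a launcher that runs before the real program. The two exports embedded in the block are constructed samples, not captures from an infected system.

```python
"""Added example: flag a hijacked exefile handler in a .reg export.

The worm persists by pointing HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command
at its FILES32.VXD copy, so it is started ahead of every .EXE.  This parses
the text of `reg export HKCR\\exefile\\shell\\open\\command handler.reg`
and reports whether the default value is still the stock `"%1" %*`.
The exports below are constructed samples (assumption: stock handler is `"%1" %*`).
"""
import re

EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
STOCK_HANDLER = '"%1" %*'   # default value on a clean system (assumption)

# Constructed sample: a clean export.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample: handler rewritten so the worm copy runs first.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''


def unescape_reg_string(value):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_default_values(reg_text):
    """Map each [KEY] section to its default (@) string value, when present."""
    values = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            values[current] = unescape_reg_string(line[3:-1])
    return values


def check_exefile_handler(reg_text):
    """Return the handler command, whether it deviates from stock, and any launcher placed before %1."""
    command = parse_reg_default_values(reg_text).get(EXEFILE_KEY)
    if command is None:
        return {'command': None, 'hijacked': False, 'launcher': None}
    command = command.strip()
    if command == STOCK_HANDLER:
        return {'command': command, 'hijacked': False, 'launcher': None}
    # Anything before the "%1" placeholder runs instead of (and then launches) the real .EXE.
    m = re.match(r'^(.*?)\s*"?%1', command)
    launcher = m.group(1).strip() if m and m.group(1).strip() else None
    return {'command': command, 'hijacked': True, 'launcher': launcher}


if __name__ == '__main__':
    for label, export in (('clean', CLEAN_EXPORT), ('infected', INFECTED_EXPORT)):
        print(label, check_exefile_handler(export))
```

The same check applies to other file-type handlers a launcher can be prepended to (comfile, batfile, scrfile): export those keys too and compare their default values against the stock `"%1" %*` in the same way.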

If an error occurs during installation, the worm launches the SSPIPES.SCR screen saver, presumably to mask its activity; if that file is not found, it tries to launch the Canalisation3D.SCR screen saver instead.

The worm then opens a socket (Internet) connection and starts two timed routines: the first runs once every 30 seconds, the second once every 30 minutes.

Each time the first routine runs, it tries to connect to one of the IRC servers listed below and, in response to specific requests, sends a message to a user on that channel. This appears to be how the worm's author locates infected machines in order to monitor and control them. The IRC servers the worm tries to connect to are:

irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk

Once the remote operator (the virus author) recognizes an infected machine, the worm can be driven as a backdoor Trojan. On command it sends the system configuration, the disk list and directory listings, as well as confidential information: Internet access passwords and dial-up telephone numbers, Remote Access Service login names and passwords, ICQ numbers, etc. The backdoor can also create and remove directories, send and receive files, and delete and execute them.
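The 30-second check-in described above is a beaconing pattern, and beacons are easier to find by cadence than by destination, since the server list can change between variants. The following Python script is an added example (not code from the original description) that looks for it in connection logs. It assumes connections are logged as "ISO-timestamp source destination port" lines, that the worm reaches IRC on TCP 6667 (the page does not state the port), and that a median gap within 20% of 30 seconds over at least four connections counts as a beacon; the log lines in the block are constructed, using server names from the list above.

```python
"""Added example: spot the worm's 30-second IRC check-in in connection logs.

Assumptions (not stated on the page): connections are logged as
"ISO-timestamp src dst dport", the worm reaches IRC on TCP 6667, and a
median gap within 20% of 30 s over at least four connections is a beacon.
The log lines below are constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

IRC_PORTS = {6667}            # assumption: standard IRC port
BEACON_INTERVAL_S = 30.0      # the worm's first routine fires once per 30 seconds

# Constructed sample: 10.0.0.5 beacons like the worm, 10.0.0.7 is a human on IRC,
# 10.0.0.9 never talks to IRC at all.
SAMPLE_LOG = """\
2000-02-01T10:00:00 10.0.0.5 irc.twiny.net 6667
2000-02-01T10:00:31 10.0.0.5 irc.stealth.net 6667
2000-02-01T10:01:00 10.0.0.5 irc.grolier.net 6667
2000-02-01T10:01:30 10.0.0.5 irc.twiny.net 6667
2000-02-01T10:02:01 10.0.0.5 irc.stealth.net 6667
2000-02-01T10:00:05 10.0.0.7 irc.easynet.co.uk 6667
2000-02-01T10:07:40 10.0.0.7 irc.easynet.co.uk 6667
2000-02-01T10:09:12 10.0.0.7 irc.easynet.co.uk 6667
2000-02-01T10:20:03 10.0.0.7 irc.easynet.co.uk 6667
2000-02-01T10:00:10 10.0.0.9 www.example.org 80
"""


def parse_flows(lines):
    """Turn 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue   # skip blank or malformed lines
        ts, src, dst, dport = fields
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, ports=IRC_PORTS, interval=BEACON_INTERVAL_S,
                 tolerance=0.2, min_connections=4):
    """Return sources whose connections to `ports` recur at roughly `interval` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ports:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        # The median survives a missed or doubled beacon better than the mean does.
        median_gap = statistics.median(gaps)
        if abs(median_gap - interval) <= tolerance * interval:
            hits[src] = {
                'connections': len(events),
                'median_gap_s': median_gap,
                'destinations': sorted({dst for _, dst in events}),
            }
    return hits


if __name__ == '__main__':
    for src, info in find_beacons(parse_flows(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

A human IRC user on the same port produces irregular gaps and is not reported; tighten `tolerance` or raise `min_connections` if the log window is long enough to afford it.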

The second routine, run once every 30 minutes, opens the Windows Address Book file, reads the Internet e-mail addresses from it and sends a message to each of them. Depending solely on what the Address Book contains, messages may go not only to private e-mail addresses but also to mailing lists and newsgroups. The Subject field of the message contains the text:

C:\CoolProgs\Pretty Park.exe

The message body is empty; the message contains nothing but an attached copy of the worm.
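The combination above (a fixed Subject, an empty body and an executable attachment of a known size) is easy to triage at the mail store. The following Python script is an added example, not code from the original description: it parses messages with the standard library, flags the ones matching that pattern and reports the attachment's name, size and whether it starts with the MZ signature of a PE file, so the sample can be pulled for analysis. It assumes messages are available as raw RFC 822 bytes or in an mbox file, that the Subject matches exactly, and a list of executable extensions chosen for the example; the sample messages are constructed in the block.

```python
"""Added example: triage e-mail for messages matching the worm's pattern.

Flags a message when its Subject is the path the worm puts there and it
carries an executable attachment; reports the attachment's name, size and
whether it begins with the 'MZ' PE signature.  Sample messages are constructed.
"""
import email
import mailbox
from email import policy
from email.message import EmailMessage

WORM_SUBJECT = 'C:\\CoolProgs\\Pretty Park.exe'
EXEC_EXTENSIONS = ('.exe', '.scr', '.com', '.pif', '.bat', '.vxd')   # assumption


def executable_attachments(msg):
    """Name, size and PE-signature check for each executable-looking attachment."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        if not name.lower().endswith(EXEC_EXTENSIONS):
            continue
        data = part.get_payload(decode=True) or b''
        found.append({'name': name, 'size': len(data), 'is_pe': data[:2] == b'MZ'})
    return found


def triage_message(raw_bytes):
    """Parse one RFC 822 message and decide whether it matches the worm's pattern."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg['subject'] or '').strip()
    executables = executable_attachments(msg)
    return {
        'from': str(msg['from'] or ''),
        'subject': subject,
        'subject_match': subject == WORM_SUBJECT,
        'executables': executables,
        # Both the fixed Subject and an executable attachment: the pattern described above.
        'flag': subject == WORM_SUBJECT and bool(executables),
    }


def triage_mbox(path):
    """Run triage_message over every message in an mbox file."""
    box = mailbox.mbox(path)
    try:
        return [triage_message(box.get_bytes(key)) for key in box.iterkeys()]
    finally:
        box.close()


def build_sample_message(subject, attach_name, data):
    """Constructed sample: a message carrying only an attachment and no body text."""
    msg = EmailMessage()
    msg['From'] = 'victim@example.org'
    msg['To'] = 'contact@example.org'
    msg['Subject'] = subject
    msg.add_attachment(data, maintype='application', subtype='octet-stream',
                       filename=attach_name)
    return msg.as_bytes()


if __name__ == '__main__':
    # 'MZ' followed by padding stands in for the ~37 KB worm body.
    worm_like = build_sample_message(WORM_SUBJECT, 'Pretty Park.exe', b'MZ' + b'\x00' * 100)
    benign = build_sample_message('Quarterly report', 'report.pdf', b'%PDF-1.4')
    for raw in (worm_like, benign):
        print(triage_message(raw))
```

Size alone is a weak indicator (the page gives only "about 37 KB"), so the report carries it as context rather than using it as a filter; the Subject plus executable attachment is what triggers the flag.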
