Email-Worm.Win32.PrettyPark

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet. It appears as a PrettyPark
utility attached to an e-mail. Being executed, it installs itself into the
system, then sends infected messages (with its attached copy) to addresses
listed in Windows Address Book, informs a user on some IRC channel about
system settings and passwords, and also may be used as a Backdoor.

The worm itself is Windows PE executable file about 37Kb in length.
This file is compressed by a WWPack32 utility. Being unpacked, it appears to
be a 58Kb EXE file written in Delphi, the “pure” code in the file occupies
just about 45Kb. In spite of this short size for a Delphi application,
the worm has many features that make it a very dangerous and fast spreading
program.

When the worm is executed in the system for the first time, it looks for
its copy that has already been installed in the system memory. The worm does this by
looking for an application that has the “#32770” window caption. If there is no
such window, the virus registers itself as a hidden application (not
visible in the task list) and runs its installation routine.

While installing into the system, the worm copies its file to the Windows
system directory with the FILES32.VXD filename and registers it in the
system registry to be run each time any other application starts. The
virus does that by creating a new key in the HKEY_CLASSES_ROOT, the key
name is exefileshellopencommand, and it is associated with the worm copy
with the FILES32.VXD file that was created in the Windows system folder.
This file has a .VXD extension, but it is not a VxD Win95/98 driver, but, rather, a
“true” Windows executable.

In case of error while installing, the worm activates the SSPIPES.SCR screen
saver (to hide its activity?). If there is no such file found, the worm
tries to activate the Canalisation3D.SCR screen saver.

The worm then initiates a socket (Internet) connection and runs its routines that
are activated: the first one once per 30 seconds, and the other once per 30
minutes.

The first of these routines, each time when it is activated, tries to connect
some IRC chat (see the list below) channel, and, by special requests, send a message
to a user on these channels. In this way, the worm’s author seems to catch
affected stations to monitor them. The list of IRC servers the worm tries
to connect is as follows:


irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk

Being recognized by the host (virus author), the worm may be manipulated as
a Backdoor Trojan horse. By a set of commands, it sends a system configuration, a disk list, directories info, as well as confidential
information to the remote host: Internet access passwords and telephone numbers, Remote Access
Service login names and passwords, ICQ numbers, etc. The backdoor also is
able to create/remove directories, send/receive files, delete and execute
them, etc.

The second routine, which is activated once per 30 minutes, opens the
Windows Address Book file, reads Internet addresses from there, and sends a
message to them. The message can be sent not only to private e-mail
addresses, but to Internet conferences also, depending on the Address
Book contents only. The message Subject field contains the text:


C:CoolProgsPretty Park.exe

The message itself contains nothing but an attached copy of the worm.