Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the broken-link-checker domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /usr/home/simondi1cknow/public_html/cknow.com/cms/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the genesis domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /usr/home/simondi1cknow/public_html/cknow.com/cms/wp-includes/functions.php on line 6114
Pretty Park - Computer Knowledge

Pretty Park

This is a combination beast: a worm, a password-stealing Trojan, and a backdoor.

This is a combination beast: a worm, a password-stealing Trojan, and a backdoor. June 1999 it was active across Europe and another outbreak was noted March 2000. There are a number of variants.

As a worm, the beast attaches itself to E-mail messages as the file PRETTY PARK.EXE. The associated icon shows a character from the cartoon show South Park.

Pretty Park

When first run, the worm looks for an active copy in memory. If not found, it registers itself as a hidden application (i.e., it won’t show up in the Windows Task List) and runs its install routine. This routine copies the worm to your Windows System directory as the file FILES32.VXD and then modifies the registry so that this file runs when any EXE file executes. (If you just delete FILES32.VXD and don’t fix the registry then EXE files won’t run any longer.)

If an error occurs during install the worm tries to run the 3D Pipes screen saver (SSPIPES.SCR) and, if not found, the CANALISATION3D.SCR screen saver.

Continuing, the worm next opens an Internet connection and runs two routines; one every 30 seconds and the other every 30 minutes. The first attempts to make an IRC chat connection to one of 13 servers. An attempted message is sent and via this the worm author could monitor which computers are now infected. The IRC server list includes:

  • irc.twiny.net
  • irc.stealth.net
  • irc.grolier.net
  • irc.club-internet.fr
  • ircnet.irc.aol.com
  • irc.emn.fr
  • irc.anet.com
  • irc.insat.com
  • irc.ncal.verio.net
  • irc.cifnet.com
  • irc.skybel.net
  • irc.eurecom.fr
  • irc.easynet.co.uk

As a backdoor, the worm can be used as a complete remote access tool. System information can be sent out, directories created/removed, files sent/deleted and executed. In short, if you can do it, the worm author can also.

The 30-minute routine accesses your Outlook address book and sends messages with the worm attached to those in your address book. The Subject is “C:\CoolProgs\Pretty Park.exe” and the EXE worm file is attached. Anyone running the attachment gets infected.

Overall, a nasty beast; best left alone!

Up Arrow Some Virus Threat Details Up Arrow
Prior Page Next Page
Nimda Stages