
VIRUS WARNING!!!! VIRUS WARNING!!! Re: C:\CoolProgs\Pretty Park.exe



Aus loco discussion mailing list

Do not open Pretty Park.exe!!!!!  It is a trojan virus.  The following information is
an extract from http://www.Europe.Datafellows.com/v-descs/prettyp.htm


F-Secure Virus Information Pages


NAME:  PrettyPark
ALIAS: PSW, CHV, Pretty Park


'PrettyPark', also known as 'Trojan.PSW.CHV', is an Internet worm, a
password-stealing trojan and a backdoor at the same time. It was reported to be
widespread in Central Europe in June 1999.

PrettyPark spreads itself via the Internet by attaching its body to e-mails as a
'Pretty Park.Exe' file. When executed it installs itself into the system and then
sends e-mail messages with its copy attached to the addresses listed in the Address
Book; it also informs someone (most likely the worm author) on specific IRC servers
about the infected system's settings and passwords. It can also be used as a
backdoor (remote access tool).

When the worm is executed in the system for the first time, it looks for a copy of
itself already active in memory. The worm does this by looking for an application
that has the "#32770" window caption. If there is no such window, the worm
registers itself as a hidden application (not visible in the task list) and runs
its installation routine.

While installing itself the worm copies itself to the \Windows\System\ directory
as the FILES32.VXD file and then modifies the Registry so that it is run each time
any EXE file starts while Windows is active. The worm does this by creating a new
key under HKEY_CLASSES_ROOT. The key name is exefile\shell\open\command and it is
associated with the worm file (the FILES32.VXD file created in the Windows system
folder). If the FILES32.VXD file is deleted and the Registry is not corrected, no
EXE file will start in Windows from then on.

If an error occurs during installation, the worm activates the SSPIPES.SCR screen
saver (3D Pipes). If this file is missing, the worm tries to activate the
'Canalisation3D.SCR' screen saver.

Then the worm opens an Internet connection and activates two of its routines.
These initialise the socket (Internet) connection and run routines that are
activated regularly: the first one once per 30 seconds, the other once per 30
minutes.

The first routine, activated once every 30 seconds, tries to connect to one of the
IRC chat servers (see the list below) and to send a message to someone if he is
present on any channel of that chat server. This allows the worm author to monitor
infected computers.

The list of IRC servers the worm tries to connect to:


The worm may also be used as a backdoor (remote access tool) by its author. It can
send out system configuration details, the drive list and directory info as well
as confidential information: Internet access passwords and telephone numbers,
Remote Access Service login names and passwords, ICQ numbers, etc. The backdoor is
also able to create/remove directories, send/receive files, delete and execute
them, etc.

The second routine, activated once per 30 minutes, opens the Address Book file,
reads e-mail addresses from it, and sends messages to those addresses. The message
Subject field contains the text:

 C:\CoolProgs\Pretty Park.exe

The message has an attached copy of the worm as a Pretty Park.EXE file. If someone
receives this message and runs the attached file, his system becomes infected.

[Analysis: AVP, Data Fellows and DataRescue teams]

Anne Chapple wrote:

> Aus loco discussion mailing list
>
> Test: Pretty Park.exe  :)
>
>    Anne Chapple
>
> ______________________________________________________________________
> To unsubscribe, write to Ausloco-unsubscribe@listbot.com
> Start Your Own FREE Email List at http://www.listbot.com/links/joinlb
>
>   --------------------------------------------------------------------------------
>                       Name: Pretty Park.exe
>    Pretty Park.exe    Type: unspecified type (application/octet-stream)
>                   Encoding: base64




--
David Johnson
trainman@ozemail.com.au
http://www.ozemail.com.au/~trainman/

