
Wednesday, September 10, 2008

Pretty Park virus



Threat

Pretty Park comes in the form of an email attachment with the name prettypark.exe, files32.exe, or prettyorg.exe. Windows users are susceptible to the worm. Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in the address book.

It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected and to retrieve any commands from the IRC channel. Through the IRC connection, the author of the worm can obtain system information, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, the victim's email address, and Dial-Up Networking usernames and passwords. In addition, being connected to IRC opens a security hole through which the client can potentially be used to receive and execute files.

It creates a file called files32.vxd in the C:\Windows\System directory and modifies the following registry key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
From "%1" %* to files32.vxd "%1" %*

A variant of the Pretty Park worm also makes a similar change to the following registry key:

HKEY_CLASSES_ROOT\exefile\shell\open\command
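
The registry change described above can be checked by comparing the open command of both keys against the original value `"%1" %*`. The following is an added example, not part of the original post; the function names, status labels and sample values are assumptions made for illustration.

```python
import sys

# Value the page gives as the original exefile open command.
EXPECTED = '"%1" %*'
# File name the page says the worm inserts in front of it.
KNOWN_HANDLER = "files32.vxd"
# The two keys named on the page (the second is changed by a variant).
KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Classes\exefile\shell\open\command"),
    ("HKEY_CLASSES_ROOT", r"exefile\shell\open\command"),
]


def classify(value):
    """Return (status, handler) for one default value of the open command."""
    if value is None:
        return ("missing", None)
    v = value.strip()
    if v == EXPECTED:
        return ("clean", None)
    if v.endswith(EXPECTED):
        # A program was placed in front of the original arguments.
        handler = v[: -len(EXPECTED)].strip().strip('"')
        name = handler.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        return ("prettypark" if name == KNOWN_HANDLER else "hijacked", handler)
    return ("modified", v)


def read_live():
    """Windows only: read the default value of each key in KEYS."""
    import winreg
    found = {}
    for hive, sub in KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive), sub) as key:
                found[hive + "\\" + sub] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            found[hive + "\\" + sub] = None
    return found


if __name__ == "__main__":
    # Constructed sample values are used when not running on Windows.
    samples = {"sample-clean": '"%1" %*', "sample-changed": 'files32.vxd "%1" %*'}
    values = read_live() if sys.platform == "win32" else samples
    for key, val in values.items():
        print(key, *classify(val))
```

A "hijacked" result means some other program sits in front of `"%1" %*`, which is worth investigating even when the file name is not files32.vxd.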

Some may see the Microsoft Pipes screen saver after running the executable.
