________________________________________________________________

PrettyPark.exe: A Gigantic Study

By Ankit Fadia
ankit@bol.net.in

________________________________________________________________

The W32/Pretty.Worm worm is yet another one of those which spreads by email. This worm infects only Windows 9x and NT users. It is believed to have originated in France almost a year ago.

This worm arrives by email. So if you get an email which looks like the one below, you can pretty much assume that you were sent the Pretty Park worm. An infected email would contain the following subject:

Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)

A file named 'prettypark.exe' would be attached to the infected email. This attached virus will have an icon which is supposedly the character 'Kyle' from the animated series 'South Park'. (See the icon at: http://www.crosswinds.net/~hackingtruths/icon.gif). Sometimes the attached virus would have the name 'Pretty~1.exe'.

As soon as you execute this prettypark.exe attachment, the dreaded virus will start its process of infecting your system. This file, when executed, copies itself to the file FILES32.VXD in the c:\windows\system directory.

To ensure that the file FILES32.VXD (which is the virus itself) is executed whenever any .EXE file is run, it modifies the following Registry key:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open

In this key, it changes the value of 'command' from

"%1" %*

to

FILES32.VXD "%1" %*

As a result, after this Registry editing, all .EXE files which are executed will in turn be infected by this virus.

Once infected, this worm will automatically try to email itself every 30 minutes to all the email addresses in Outlook Express's Address Book, thus spreading itself to all quarters of the Internet. This behaviour is quite common amongst other email-borne viruses; this is how they spread themselves and keep alive.
The other, more interesting and rarer, behaviour of this virus is that it tries to connect to an IRC server. Once connected, it joins a particular (specific) channel. It then tries to remain connected to this channel by sending information to the server every 30 minutes, and it also retrieves commands from the IRC channel. Via this predefined IRC channel, the author of the virus can use this worm as a remote access utility and gather various kinds of information: the computer name, registered owner, registered organization, system root path, Dial-Up Networking usernames and passwords, ICQ identification numbers, ICQ nicknames and the victim's email address. As it acts as remote access software, it can also be used via the IRC channel to transfer files to and from the client, which is the victim.

Removal Instructions

PrettyPark, like some other intelligent viruses, does not allow users to remove references to itself from the Registry. One trick which anti-virus organizations have discovered is that if the Registry Editor is renamed from regedit.exe to regedit.com (on Win9x systems) and from regedit32.exe to regedit32.com (on NT systems), then we can still view the entire Windows Registry and the worm or virus cannot restrict us from editing the various keys.

Run the Windows Registry Editor, i.e. regedit.exe on Win9x and regedit32.exe on NT. Make sure that you reboot into MS-DOS from the start-up disk and then launch the Registry Editor. Now remove references to the worm from the following Registry keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

To remove the references to the Trojan, change the value of the above keys from

FILES32.VXD "%1" %*

to

"%1" %*

(Note the space between "%1" and %* in the new value.)
All software or services which are referred to in the following Registry keys start automatically with Windows. So make sure that the following keys have no reference to the virus:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Also delete any references to the virus from the following:

1. Open WIN.INI in Notepad and, in the 'run=' line under the [windows] section, look for any reference to the Trojan.
2. Now open SYSTEM.INI and, in the 'shell=' line under the [boot] section, remove all references except the reference to Explorer.exe.

Then look for the following Registry key:

HKEY_CLASSES_ROOT\.dl

This key is not found on all systems. If you find it, delete it.

Now reboot and delete the Trojan .exe file itself. If you followed the above procedure correctly without any errors, the worm will be deleted; otherwise you will get an error message. Also delete the c:\windows\system\Files32.vxd file.

This Trojan has many aliases, like I-Worm.PrettyPark, Pretty Worm and PrettyPark, and the most recent and most common one: W32/Pretty.worm.unp.

W32/Pretty.worm.unp is almost identical to this worm and can be removed by following the same steps. What was discovered with this alias is that the Trojan connects to a random IRC server from the following list:

banana.irc.easynet.net:6667
irc.ncal.verio.net:6667
irc.stealth.net:6667
irc.twiny.net:6667
irc1.emn.fr:6667
krameria.skybel.net:6667
mist.cifnet.com:6667
zafira.eurecom.fr:6667

The Trojan also listens on a random TCP or UDP port for some data.

Ankit Fadia
ankit@bol.net.in

To receive more tutorials on Hacking, Cracking (Assembly), Perl, C++ and Viruses/Trojans, join my mailing list by sending an email to: programmingforhackers-subscribe@egroups.com

Read the archive of tutorials at: http://hackingtruths.tripod.com
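The removal procedure above boils down to checking a handful of persistence locations for a non-default value: the exefile 'command' value, the Run and RunServices keys, the run= line of WIN.INI and the shell= line of SYSTEM.INI. The following script is an added example, not part of Ankit Fadia's text and not a tool from any anti-virus vendor. It parses a text export of those Registry keys (the format regedit /e writes) together with the two INI files and reports every entry that departs from the clean state the instructions describe. The sample inputs at the bottom are constructed; the RunServices entry in them is hypothetical and exists only so that the autostart check has something to find.

```python
"""Audit the persistence locations named in the PrettyPark write-up.

Added example (not from the original text). Parses a regedit text export plus
WIN.INI and SYSTEM.INI contents and flags anything that is not the clean
state the removal instructions describe. Sample inputs are constructed.
"""
import re

WORM_FILE = "files32.vxd"          # the dropped copy of the worm, as named in the write-up
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # what the exefile 'command' value should read
CLEAN_SHELL = "explorer.exe"       # the only thing SYSTEM.INI shell= should name

EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# One string value per line: "name"="data", or @="data" for the default value.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the \\ and \" escaping that regedit exports use."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: data}} for the string values
    in a regedit text export. Non-string value types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\").lower()  # Registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2))
    return keys


def ini_value(text, section, name):
    """Return the value of 'name=' inside [section] of an INI file, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def audit_persistence(reg_export, win_ini, system_ini):
    """Return a list of (location, value, reason); an empty list means clean."""
    findings = []
    keys = parse_reg_export(reg_export)
    for key in EXEFILE_KEYS:
        cmd = keys.get(key.lower(), {}).get("")
        if cmd is not None and cmd != CLEAN_EXEFILE_COMMAND:
            findings.append((key, cmd, "exefile open command hijacked; expected " + CLEAN_EXEFILE_COMMAND))
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if WORM_FILE in data.lower():
                findings.append((key + "\\" + name, data, "autostart entry references the worm file"))
    run = ini_value(win_ini, "windows", "run")
    if run and WORM_FILE in run.lower():
        findings.append(("WIN.INI [windows] run=", run, "run= line references the worm file"))
    shell = ini_value(system_ini, "boot", "shell")
    if shell is not None and shell.lower() != CLEAN_SHELL:
        findings.append(("SYSTEM.INI [boot] shell=", shell, "shell= should name Explorer.exe only"))
    return findings


# Constructed sample inputs showing an infected machine (RunServices entry is hypothetical).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Files32"="C:\\WINDOWS\\SYSTEM\\FILES32.VXD"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\FILES32.VXD\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\FILES32.VXD\n[386Enh]\ndevice=*vcd\n"

# Constructed clean inputs for comparison.
CLEAN_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for location, value, reason in audit_persistence(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{location}\n    {value}\n    -> {reason}")
```

The exefile check compares the whole value against the known-good "%1" %* rather than searching for FILES32.VXD, so it also catches any other program that has inserted itself in front of every .EXE launch; the Run, RunServices and INI checks look for the worm's file name as the instructions say.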
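On the network side, the write-up gives two things a defender can act on: the list of IRC servers on port 6667 the worm picks from, and the fact that it checks in with the server every 30 minutes. The script below is an added example, not part of Ankit Fadia's text and not from any vendor tool. It runs over constructed connection-log lines (timestamp, source host, destination host, destination port, protocol), flags any host that contacted one of the listed servers, and also looks for IRC-port sessions that recur at a near-constant interval, so that a check-in with an IRC server that is not on the list still stands out. The log format, the internal addresses and the unlisted hosts (www.example.test, irc.example.test) are constructed.

```python
"""Spot the IRC command channel described in the PrettyPark write-up.

Added example (not from the original text). Matches connection-log records
against the servers listed in the write-up and looks for the periodic
check-in it describes. Log format, hosts and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Servers named in the write-up, all on port 6667.
IRC_SERVERS = {
    "banana.irc.easynet.net", "irc.ncal.verio.net", "irc.stealth.net",
    "irc.twiny.net", "irc1.emn.fr", "krameria.skybel.net",
    "mist.cifnet.com", "zafira.eurecom.fr",
}
IRC_PORT = 6667
BEACON_JITTER = 0.10   # successive gaps may differ from their median by 10%
MIN_GAPS = 3           # at least four connections before calling a session periodic


def parse_log(text):
    """Parse 'ISO-timestamp src dst dport proto' lines (constructed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return records


def known_server_contacts(records):
    """Return sorted (src, dst) pairs where dst is a server from the write-up."""
    return sorted({(src, dst) for _, src, dst, _, _ in records if dst in IRC_SERVERS})


def detect_beacons(records):
    """Return sorted (src, dst, median_gap_seconds) for IRC-port TCP sessions
    whose connections recur at a near-constant interval, whatever the server."""
    stamps = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        if dport == IRC_PORT and proto == "tcp":
            stamps[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < MIN_GAPS:
            continue
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= BEACON_JITTER * mid for g in gaps):
            hits.append((src, dst, mid))
    return sorted(hits)


def analyse(text):
    """Run both checks over a log and return their results together."""
    records = parse_log(text)
    return {"known_servers": known_server_contacts(records),
            "beacons": detect_beacons(records)}


# Constructed log: 10.0.0.5 checks in with a listed server about every 30 minutes,
# 10.0.0.9 does the same with an unlisted server, 10.0.0.8 touches a listed server
# once, and 10.0.0.7 is ordinary web traffic.
SAMPLE_LOG = """\
1999-06-01T10:00:12 10.0.0.5 irc.stealth.net 6667 tcp
1999-06-01T10:02:40 10.0.0.7 www.example.test 80 tcp
1999-06-01T10:11:03 10.0.0.8 irc.stealth.net 6667 tcp
1999-06-01T10:30:05 10.0.0.5 irc.stealth.net 6667 tcp
1999-06-01T09:00:00 10.0.0.9 irc.example.test 6667 tcp
1999-06-01T09:30:00 10.0.0.9 irc.example.test 6667 tcp
1999-06-01T10:00:00 10.0.0.9 irc.example.test 6667 tcp
1999-06-01T10:30:00 10.0.0.9 irc.example.test 6667 tcp
1999-06-01T10:41:19 10.0.0.7 www.example.test 80 tcp
1999-06-01T11:00:20 10.0.0.5 irc.stealth.net 6667 tcp
1999-06-01T11:29:58 10.0.0.5 irc.stealth.net 6667 tcp
1999-06-01T11:45:02 10.0.0.7 www.example.test 80 tcp
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, dst in result["known_servers"]:
        print(f"{src} contacted listed IRC server {dst}")
    for src, dst, gap in result["beacons"]:
        print(f"{src} -> {dst}:{IRC_PORT} recurs every {gap / 60:.1f} min")
```

The server-list match is the quick win while the list stays current; the interval check is what survives the worm moving to a server you have not seen, since the 30-minute keep-alive the write-up describes produces gaps of roughly 1800 seconds regardless of the destination.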