'PrettyPark', also known as 'Trojan.PSW.CHV', is an Internet
worm, a password-stealing trojan and a backdoor at the same time.
It was reported to be widespread in Central Europe in June 1999.
There was also an outbreak of this worm in March 2000.
Several variants of Pretty Park are known. All of them have the
same functionality, but some are packed (compressed with a run-time
packer, which changes the file's appearance but not its behaviour).
PrettyPark spreads over the Internet by attaching its body to
e-mail messages as a file named 'Pretty Park.Exe'. The file has an
icon showing a character from the well-known cartoon series South Park.
When executed it installs itself to the system, then sends e-mail
messages with a copy of itself attached to the addresses listed in
the Address Book, and also reports the infected system's settings and
passwords to someone (most likely the worm's author) on specific IRC
servers. It can also be used as a backdoor (remote access tool).
When the worm is executed on a system for the first time, it checks
whether a copy of it is already active in memory. It does this by
looking for a window whose caption is "#32770". If no such window
exists, the worm registers itself as a hidden application (not visible
in the task list) and runs its installation routine.
While installing itself the worm copies its body to the
\Windows\System\ directory as FILES32.VXD and then modifies the
Registry so that it is run each time any EXE file is started while
Windows is active. It does this by changing the EXE file startup
command key in HKEY_CLASSES_ROOT: the key is
exefile\shell\open\command, and its default value is pointed at the
worm file (the FILES32.VXD created in the Windows system folder), so
every EXE launch goes through the worm first. If FILES32.VXD is
deleted but the Registry is not corrected, EXE files can no longer be
started at all.
If an error occurs during installation, the worm activates the
SSPIPES.SCR screen saver (3D Pipes). If that file is missing, it
tries to activate the 'Canalisation3D.SCR' screen saver instead.
The worm then opens an Internet (socket) connection and starts two
routines that run periodically: the first once every 30 seconds, the
second once every 30 minutes.
The routine that runs every 30 seconds tries to connect to one of the
IRC chat servers (see the list below) and sends messages to someone if
that person is present on any channel of the server. This lets the
worm author monitor infected computers.
The list of IRC servers the worm tries to connect to:
The worm may also be used as a backdoor (remote access tool) by its
author. It can send out system configuration details, the list of
drives and directory information, as well as confidential data:
Internet access passwords and telephone numbers, Remote Access Service
(dial-up) login names and passwords, ICQ numbers, etc. The backdoor
can also create and remove directories, send and receive files, and
delete or execute them.
The second routine, which runs once every 30 minutes, opens the
Address Book file, reads the e-mail addresses stored there, and sends
messages to those addresses. The Subject field of the message contains
the text:
C:\CoolProgs\Pretty Park.exe
The message carries a copy of the worm as an attachment named
Pretty Park.EXE. Anyone who receives the message and runs the
attachment infects their own system.
When disinfecting this worm, F-Secure Anti-Virus first restores the
EXE startup Registry key to its default value and then renames the
worm's file. Disinfection is automatic and needs no input from the
user. Please note that earlier versions of F-Secure Anti-Virus do not
modify this Registry key themselves, so if you still have a problem
with the key and are unable to start EXE files in Windows, please
download and run the special REG file to solve the problem:
After downloading, run the PPDISINF.REG file from Windows Explorer
(double-click it, or press 'Enter' with the cursor on the file). Note
that the .REG extension may not be shown unless the 'Show All Files'
option is on. Alternatively, click the 'Start' button, then 'Run',
and either type the location of PPDISINF.REG manually (for example
C:\PPDISINF.REG) or find it with the 'Browse' button. After the
location is entered, click 'OK' and the REG file will be merged into
the Registry, solving your Pretty Park problem. If you have trouble
locating or running the downloaded file, please consult a more
experienced computer user.
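The Registry hijack described earlier (the exefile\shell\open\command key) and the REG-file fix in this disinfection section can both be checked offline. The following Python script is an added example written for this page; it is neither F-Secure's tool nor the worm's code. It parses a Windows .reg export, flags an EXE handler that is anything other than the documented default value "%1" %*, extracts the program inserted in front of "%1", and emits the text of a .reg file that restores the default. The registry exports embedded in it are constructed samples, and the restoring .reg text is an assumption based on that default value; the real PPDISINF.REG is not reproduced here.

```python
"""Check a .reg export for a hijacked EXE-file handler and build the restoring .reg text."""

# Constructed sample (not a real capture): the handler key as Pretty Park leaves it.
HIJACKED_REG_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

# Constructed sample: the same key with its default value.
CLEAN_REG_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_COMMAND = '"%1" %*'          # documented default: run the EXE with its arguments
RESTORE_LINE = '@="\\"%1\\" %*"'     # the default value in .reg-escaped form (assumed PPDISINF.REG content)


def unescape_reg_string(s):
    """Undo .reg string escaping: strip the surrounding quotes and decode \\\\ and \\" sequences."""
    if not (len(s) >= 2 and s[0] == '"' and s[-1] == '"'):
        return s
    body, out, i = s[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the string values in a .reg export.

    The default value of a key (written as @=...) is stored under the name "".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else unescape_reg_string(name)
        keys[current][name] = unescape_reg_string(value)
    return keys


def check_exe_handler(reg_text):
    """Return (is_hijacked, command) for the EXE handler found in the export.

    A missing key counts as hijacked too: without it EXE files will not launch either.
    """
    command = parse_reg_export(reg_text).get(EXEFILE_KEY, {}).get("")
    if command is None:
        return True, None
    return command.strip() != DEFAULT_COMMAND, command


def hijacker_path(command):
    """Extract the program placed in front of "%1" (e.g. the worm's FILES32.VXD), or None."""
    if command is None:
        return None
    prefix, _, _ = command.partition('"%1"')
    return prefix.strip() or None


def restore_reg_file():
    """Text of a .reg file that resets the EXE handler to its default (assumed, see lead-in)."""
    return "REGEDIT4\n\n[" + EXEFILE_KEY + "]\n" + RESTORE_LINE + "\n"


if __name__ == "__main__":
    for label, export in (("infected sample", HIJACKED_REG_EXPORT), ("clean sample", CLEAN_REG_EXPORT)):
        hijacked, cmd = check_exe_handler(export)
        print(label, "->", "HIJACKED" if hijacked else "ok", "|", cmd, "|", hijacker_path(cmd))
    print(restore_reg_file())
```

On a live system the export to feed in is produced with regedit's Export function (or `regedit /e` on the command line) for the HKEY_CLASSES_ROOT\exefile key; the script deliberately treats any non-default handler as suspicious rather than matching the FILES32.VXD name, since the variants mentioned above share behaviour but not necessarily file names.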
You can also use the free version of F-Prot for DOS to remove the
Pretty Park worm from an infected system. Disinfection must be
performed from pure DOS, and the REG file listed above must be run
before exiting Windows.