Prettypark

Type: Mass mailer worm
Creator:
Date Discovered: 1999.05.28
Place of Origin: Central Europe?
Source Language:
Platform: MS Windows
File type(s): .exe
Infection Length:
Reported costs:

Prettypark is an email worm from 1999. Its most distinctive feature is the worm's icon, which is the face of the South Park character Kyle.

Behavior

Prettypark arrives in an email as the attachment "Pretty Park.exe". The subject line is "C:\CoolProgs\Pretty Park.exe".

When Prettypark is first executed on a new system, it checks for an application with "#32770" in its window caption, which signals that the worm is already present on the system. If it does not find this, it loads itself as a hidden application so that it will not be seen in the task list. Prettypark places the file Files32.vxd in the system folder. It modifies the shell command registry key for .exe files to include this file as a value, causing the worm to run whenever an .exe file is run. The worm mails itself to addresses in the address book every 30 seconds.
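A defender can check for this kind of persistence by comparing the open command of executable file classes against the stock Windows value. The following is an added example, not part of the original article: it assumes the key in question is HKEY_CLASSES_ROOT\exefile\shell\open\command with the stock value "%1" %*, extends the same check to comfile and batfile, and runs on a constructed regedit export.

```python
import re

# Stock handler for executable file classes on Windows: run the clicked file itself.
DEFAULT_HANDLER = '"%1" %*'
# Classes checked; comfile and batfile generalise beyond the exefile case in the text.
WATCHED = ("exefile", "comfile", "batfile")

def parse_reg_export(text):
    """Parse a regedit text export into {key_path_lower: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "@" is the default value
            if data.startswith('"') and data.endswith('"'):
                # regedit escapes backslashes and quotes inside string data
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            current[name] = data
    return keys

def hijacked_handlers(text):
    """Return [(class, command)] for watched classes whose open command is not stock."""
    keys = parse_reg_export(text)
    findings = []
    for cls in WATCHED:
        path = "hkey_classes_root\\%s\\shell\\open\\command" % cls
        cmd = keys.get(path, {}).get("")
        if cmd is not None and cmd.strip() != DEFAULT_HANDLER:
            findings.append((cls, cmd))
    return findings

# Constructed sample export: the install path and exact command string are assumptions.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, cmd in hijacked_handlers(SAMPLE):
        print("modified %s handler: %s" % (cls, cmd))
```

Restoring the value to "%1" %* before deleting the dropped file matters, because otherwise no .exe file will launch once the referenced file is gone.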

In case of an error during installation, Prettypark runs a screensaver, usually SSPIPES.SCR, or if it fails to find that, it tries Canalisation3D.SCR.

It then connects to one of several IRC servers.

Prettypark joins an IRC channel and sends information over it every 30 seconds to make sure it stays on the channel. It can receive commands over the channel to access information on the system, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version number, ICQ identification numbers, ICQ nicknames, the user's email address, and Dial-Up Networking user names and passwords. It also opens a security hole that allows someone who knows how to access the worm to send files to the computer and execute them.

Every 30 minutes

Variants

F-Secure claims several variants exist, all with similar functionality. Some are packed.

Effects

Prettypark became widespread in Central Europe in June 1999. There was another outbreak in March 2000.

Sources

Symantec, PrettyPark.Worm. 2007.02.13

AVP, F-Secure, DataRescue teams. F-Secure, F-Secure Virus Descriptions : PrettyPark.
