|Type||Mass mailer worm|
|Place of Origin||Central Europe?|
Prettypark is an email worm from 1999. Its most distinctive feature is the worm's icon, which is the face of the South Park character Kyle.
Prettypark arrives in an email as the attachment "Pretty Park.exe". The subject line is "C:\CoolProgs\Pretty Park.exe".
When Prettypark is first executed on a new system, it checks for an application with "#32770" in its window caption, which signals the worm is already present on the system. If it does not find this, it loads itself as a hidden application so it will not be seen in the task list. Prettypark places the file Files32.vxd in the system folder. It modifies the exe file shell command registry key to include this file as a value, casusing the worm to run whenever an .exe file is run. The worm mails itself to addresses in the address book every 30 seconds.
In case of an error during installation, Prettypark runs a screensaver, usually SSPIPES.SCR, or if it fails to find that, it tries Canalisation3D.SCR.
It then connects to one of the following IRC servers:
Prettypark joins an IRC channel and sends information over it every 30 seconds to make sure it stays on the channel. It can receive commands over the channel to access information on the system including the Computer name, Product name, Product identifier, Product key, Registered owner,Registered organization, System root path, Version number, ICQ identification numbers, ICQ nicknames and Your email address, Dial-Up networking user name and passwords. It also opens a security hole which allows someone who knows how to access the worm can send files to and execute them on the computer.
Every 30 minutes
F-Secure claims several variants exist, all with similar functionality. Some are packed.
Prettypark became widespread in Central Europe in June 1999. There was another outbreak in March 2000.
Symantec, PrettyPark.Worm. 2007.02.13
AVP, F-Secure, DataRescue teams. F-Secure, F-Secure Virus Descriptions : PrettyPark.