Worm:Win32/PrettyPark.B@mm is a worm that spreads via e-mail attachments. It allows backdoor access and control of an infected computer.
Worm:Win32/PrettyPark.B@mm copies itself as the following file:
- <system folder>\files32.vxd
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It modifies the system registry so that its copy is run every time an EXE file is run:
Modifies value: "(default)"
From data: ""%1" %*"
To data: "files32.vxd "%1" %*"
In subkey: HKLM\SOFTWARE\Classes\exefile\shell\open\command
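The modification above hijacks the command that Windows uses to launch every EXE file, which is why an infection shows up in the default value of that key. The following Python script is an added defender's example (it is not part of the original analysis) that parses a `reg export` of that key, reports whether the launch command still equals the clean default `"%1" %*` and, if not, which program has been prepended; it also emits a `.reg` file that restores the default so EXE files keep launching once `files32.vxd` is removed. The export text is a constructed sample mirroring the change described on this page.

```python
import re

# Constructed sample of `reg export` output for the affected key, with the
# worm's modification prepended to the default launch command.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
'''

# Clean default for the exefile open command on Windows.
CLEAN_DEFAULT = '"%1" %*'
EXEFILE_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'


def _unescape_reg_sz(raw):
    """Decode a quoted REG_SZ value from .reg syntax (\\ and \" are escaped)."""
    if not (raw.startswith('"') and raw.endswith('"')):
        raise ValueError("expected a quoted REG_SZ value: %r" % raw)
    return re.sub(r'\\(.)', r'\1', raw[1:-1])


def exefile_open_command(reg_text):
    """Return the (default) value of the exefile open command key, or None."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]
        elif (current_key is not None
              and current_key.lower() == EXEFILE_KEY.lower()
              and line.startswith('@=')):
            return _unescape_reg_sz(line[2:])
    return None


def check_exefile_command(command):
    """Return (is_clean, injected_prefix).

    A hijacked value keeps the clean default as its suffix so that the
    original program still starts; anything before it is the injected
    launcher (here the worm copy files32.vxd)."""
    if command is None:
        return False, None
    if command == CLEAN_DEFAULT:
        return True, ''
    if command.endswith(CLEAN_DEFAULT):
        return False, command[:-len(CLEAN_DEFAULT)].strip()
    return False, command


def restore_reg_file():
    """Build a .reg file that puts the clean default back (import with reg.exe)."""
    escaped = CLEAN_DEFAULT.replace('\\', '\\\\').replace('"', '\\"')
    return ('Windows Registry Editor Version 5.00\n\n'
            '[%s]\n@="%s"\n' % (EXEFILE_KEY, escaped))


if __name__ == '__main__':
    cmd = exefile_open_command(SAMPLE_REG_EXPORT)
    clean, prefix = check_exefile_command(cmd)
    print('current command:', cmd)
    print('clean:', clean, '| injected launcher:', prefix)
    if not clean:
        print('restore file:\n' + restore_reg_file())
```

Run the real check by feeding the script the output of `reg export "HKLM\SOFTWARE\Classes\exefile\shell\open\command" out.reg` from the suspect machine; the restore file must be imported before the worm copy is deleted, otherwise every EXE launch fails as described below.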
When run, Worm:Win32/PrettyPark.B@mm creates a hidden window named "#32770". It also runs the following files:
- <system folder>\files32.vxd - the worm copy
- sspipes.exe - 3D Pipes screensaver; available in certain versions of Windows; if this file is not available it attempts to run the following screensaver:
Worm:Win32/PrettyPark.B@mm sends e-mail messages to contacts in the user's Windows Address Book. Messages are sent approximately every 30 minutes after the worm runs. The e-mail it sends out has the following format:
To: <contact from Windows Address Book>
Subject: c:\coolprogs\pretty park.exe
Attachment: "pretty park.exe"
The file icon of the file "pretty park.exe" resembles the fictitious South Park character Kyle Broflovski:
When attached, the file name may appear in Windows 8.3 convention as "pretty~1.exe".
Allows backdoor access and control
Worm:Win32/PrettyPark.B@mm connects to one of several predefined IRC servers using random UDP and TCP ports to accept commands from a remote attacker. The commands it may perform include:
- Retrieving computer logon credentials
- Retrieving chat client logon details
- Uploading, downloading, running, and deleting arbitrary files
If the worm copy "<system folder>\files32.vxd" is removed, an error may result whenever an EXE file is run, due to the registry changes made by the worm. Additional recovery steps may be necessary.
Analysis by Patrick Nolan