The PrettyPark Worm/Trojan

Tuesday, 8 June 1999

What Does It Do?

How To Find And Remove PrettyPark

There's a new trojan afoot, which reportedly spreads in a manner similar to the well-known Melissa virus. It emails itself (auto-spams) using addresses found on the victim's machine. Reports indicate it is spreading at a rapid rate.

Like the well-known Happy99 worm, the email recipient must run the profferred executable file to install the unwanted program. Cautious persons who don't run unknown executables are not at risk, but such people don't seem to be in the majority.

Unlike Happy99, this worm reveals the victim's passwords on a number of IRC channels and some reports indicate it is also a trojan, allowing backdoor access to the victim's system.

PrettyPark affects Windows 95, 98 and NT machines.


What Does It Do?

I have not run this trojan myself, but a Canadian victim has sent me a copy and reported on some of its behavior. I've sought out further information and present it here.

From a Trend Micro report:

"On execution, the trojan copies itself to FILES32.VXD into the windows system directory, such as C:\Windows\System, and then creates a new key as exefile\shell\open\command in HKEY_CLASSES_ROOT. In fact, FILES32.VXD is not a VxD driver of Win95/98, but just a Windows executable."

From a Norton A.V.E.R.T report:

"It has been reported that the program sends email to everyone in the users address book. When it does it has also been reported that the file is sent as well. This behavior has not been duplicated by AVERT."

From MSNBC June 7, PrettyPark hits Windows users hard :

"The virus is spread when PC users open an attached e-mail program file named “PrettyPark.EXE”. When executed, it may display the Windows 3D pipe screen saver while it creates and sends duplicate files of itself to e-mail addresses listed in the user’s Internet address book. PrettyPark will run this routine every 30 seconds, without the user’s knowledge."

The "30 seconds" statement with respect to email appears to be in error and should be 30 minutes. It's the IRC connections, not emails, which are attempted at 30-second intervals. I found in a Symantec report this statement:

"Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It will also try to connect to an IRC server every 30 seconds and connect to a specific IRC channel. This connection can potentially be used maliciously."

Precisely how that IRC connection is used maliciously I don't yet know. But this statement, attributed to Trend Micro, appears in an NTBUGTRAQ posting by the list's moderator:

"The worm will send information such as Internet access passwords and telephone numbers found on the system, remote access service login names (RAS) and passwords, ICQ numbers, remote host system configuration, directory information. The backdoor also is able to create/remove directories, send/receive files, delete and execute files."

The copy I was sent looks like this in an Explorer window:

Because of its .VXD extension, Windows gives it the default icon normally used for VXDs. But when renamed with an .exe extension, it looks like this:

When run, PrettyPark alters the Registry entry under HKEY_CLASSES_ROOT\exefile\shell\open\command from its normal state which should read (quotes included):

"%1" %*

to this:

FILES32.VXD "%1" %*

As a result, the trojan is run virtually every time any executable is run on the infected machine.

I've examined the executable's internal contents briefly but found it compressed/encrypted by WWPack32. Time is short for me at present, so although I believe I can tease out its contents I've deferred the task of decryption to another time. The webpages I've referenced above provide ample information for those who need more details.

Reports I've seen so far indicate no new variants but it's a safe bet they will appear and especially that the executable will be passed on under other names.

This is just one more stark reminder that one should never run a program received by email unless absolutely certain of its original source and actual contents. It's not enough to know merely that the file was sent by a trusted friend. For examples, the well-known Happy99 worm, the Melissa worm/virus, and now PrettyPark, are actually most likely to come from someone known to the recipient. All find their email addresses on the affected machine and send themselves out without the victim's knowledge.

PrettyPark is quite ingenious and rather unique. But no doubt many more of its diabolical ilk are in store for our future.


How To Find And Remove PrettyPark

Since there's only one variant at the moment, and it invariably creates the file named FILES32.VXD, the simplest and quickest way to check for PrettyPark is to use Windows' Find File function and look for that file. FILES32.VXD is not a standard Win32 file and should only be present if PrettyPark has been run. Copying the file to a .exe name as I've done above and viewing its icon will confirm its identity.

FILES32.VXD cannot be deleted until it is no longer in use by the system. You'll find Windows won't alow its removal. In a Win9x machine it can be deleted using the DOS "del" command after rebooting to a command prompt (it won't work in a DOS window). However I'm not sure how Windows will behave if you do this, so I strongly recommend removing its Registry entry as a first step.

Using the Start... Run command, run Regedit.exe. Locate the key HKEY_CLASSES_ROOT\exefile\shell\open\command (see my Back Orifice pages for more on how this is done), and restore it to normal by simply removing the text "FILES32.VXD " (note the space -- that has to be removed too) and leaving the rest of the entry in place.

I make no guarantees, but it should accomplish the same thing if you download and run (double-click) this registry file.

Now reboot the machine, and FILES32.VXD can be deleted or renamed without difficulty.

If you've done all this, you're now free of the PrettyPark trojan. BUT IT'S NOT OVER. Your system has been compromised. You must assume that your passwords are known to a few hundred of the world's more malicious crackers, and that other sensitive info from your machine may also be in hostile hands.

You should stay offline as much as possible for the present, and scan your system immediately with a fully up-to-date virus scanner such as McAfee or AVP.

You should look around for other mischief or changes such as missing or added files or directories (folders).

It's common practice for intruders to install additional backdoors once they've gained access. Most but not all of the commonly-available backdoors are spotted by most of the better virus scanners. This helps but there is no single perfect countermeasure.

Therefore I recommend you read my page titled Almost All The Ways to Find Your Back Orifice. Though written with BO in mind specifically, this page describes a number of basic tools anyone can use to spot any and all remote-access type trojans via their network activity and their presence as active, even hidden, processes. I know of no such trojan in existence which would not be revealed by intelligent use of these tools.

Once you're reasonably sure your system is no longer open to prying eyes, you should change any and all potentially compromised passwords with your ISP, on your local network, and elsewhere.

You should also consider what other sensitive information may have got out, such as credit card numbers for example, and act accordingly.

If you're on a potentially sensitive network or if you have demanding requirements for security, it may even be advisable to completely reinstall your system software to ensure security is restored.