Aliases: Trojan.PSW.CHV, PrettyWorm, CHV, Pretty Park
Type: Worm, remote access and password stealing trojan
PrettyPark is a worm which is believed to have originated in France. It infects Windows 9x and NT systems. PrettyPark is distributed as an email attachment (PrettyPark.exe). When a user opens the attachment, the worm first checks whether a copy of itself is already in memory. If not, the worm copies itself to FILES32.VXD in the Windows System directory and modifies the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command so that this file is activated. The worm hides its activity, so FILES32.VXD does not appear in Task Manager. Because FILES32.VXD is then used to run every executable file, deleting it prevents any executable from running unless the registry is modified as well.
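The registry change described above can be checked offline against a regedit export of the key. The following is an added example, not part of the original description: it compares the key's default value with the stock Windows handler `"%1" %*` and flags a handler that routes through FILES32.VXD. The function names and both sample exports are constructed for illustration, and the exact value the worm writes is an assumption.

```python
import re

# Stock Windows default for HKCR\exefile\shell\open\command: run the clicked file itself.
DEFAULT_HANDLER = '"%1" %*'
KEY = r"hkey_classes_root\exefile\shell\open\command"

def read_default_value(reg_text, key=KEY):
    """Return the (Default) value of `key` from regedit export text, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key
        elif in_key and line.startswith("@="):
            m = re.fullmatch(r'@="(.*)"', line)
            if m:
                # .reg files escape backslash and double quote with a backslash
                return re.sub(r'\\(["\\])', r"\1", m.group(1))
    return None

def check_exefile_handler(reg_text):
    """Classify the handler as 'missing', 'default', 'prettypark' or 'modified'."""
    value = read_default_value(reg_text)
    if value is None:
        return "missing", None
    if value.strip() == DEFAULT_HANDLER:
        return "default", value
    if "files32.vxd" in value.lower():
        return "prettypark", value
    return "modified", value

# Constructed sample exports (not taken from a real system); the infected
# value is an assumed form of a handler that launches FILES32.VXD first.
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_exefile_handler(text))
```

Any result other than `default` means the handler should be restored to `"%1" %*` before FILES32.VXD is removed, for the reason given above.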
Every 30 seconds, PrettyPark attempts to connect to one of several IRC channels, where it then attempts to send a message to the supposed worm author. The worm also acts as a backdoor, providing remote access to the author. In addition to system details and file information, PrettyPark can be used to obtain Internet passwords and other pertinent login information. Files can be manipulated remotely, including being deleted and executed.
Every 30 minutes, PrettyPark attempts to send messages to addresses in the infected system's address book. The subject of the message reads:
C:\CoolProgs\PrettyPark.exe
and the message includes an attached copy of the worm.