Unfortunately it is in English:
Name: PrettyPark
Alias: CHV, Pretty Park
'PrettyPark', also known as 'Trojan.PSW.CHV', is an Internet worm, a
password-stealing trojan and a backdoor at the same time. It was reported to
be widespread in Central Europe in June 1999.
PrettyPark spreads via the Internet by attaching its body to e-mails as a
'Pretty Park.Exe' file. When executed it installs itself into the system, then
sends e-mail messages with a copy of itself attached to the addresses listed in
the Address Book, and also informs someone (most likely the worm author) on
specific IRC servers about the infected system's settings and passwords. It can
also be used as a backdoor (remote access tool).
When the worm is executed on the system for the first time, it looks for a
copy of itself already active in memory. The worm does this by looking for an
application whose window caption is "#32770". If there is no such window, the
worm registers itself as a hidden application (not visible in the task list)
and runs its installation routine.
While installing, the worm copies itself to the \Windows\System\ directory as
FILES32.VXD and then modifies the Registry so that it is run each time any EXE
file starts while Windows is active. The worm does this by creating a new key
under HKEY_CLASSES_ROOT. The key name is exefile\shell\open\command and it is
associated with the worm file (the FILES32.VXD file created in the Windows
system folder). If the FILES32.VXD file is deleted and the Registry is not
corrected, no EXE file can be started in Windows from then on.
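As an added example (my own code, not part of the original analysis or of any AVP tooling), the following Python script audits an exported registry fragment for the hijack described above: it parses the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command from a .reg export and flags anything other than the Windows default `"%1" %*`. Both registry exports are constructed samples; the exact command string the worm writes is not given in the text, so the infected sample assumes it prepends the path of FILES32.VXD. Restoring the default value is the Registry correction the text says must accompany deleting FILES32.VXD, so the script also emits a fragment that does that.

```python
import re

# Default value of HKEY_CLASSES_ROOT\exefile\shell\open\command on a clean Windows system.
EXPECTED_EXE_COMMAND = '"%1" %*'
EXEFILE_COMMAND_KEY = r'hkey_classes_root\exefile\shell\open\command'

# Constructed sample: a clean export of the key in Windows .reg syntax
# (quotes and backslashes inside a value are backslash-escaped).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of a hijacked key. Assumption: the worm prepends the path of
# FILES32.VXD so that it runs before every EXE; the real string is not in the text.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<value>(?:[^"\\]|\\.)*)"\s*$')


def unescape_reg_string(raw):
    # Undo .reg escaping: a backslash-quote becomes a quote, a double backslash a single one.
    return re.sub(r'\\(.)', r'\1', raw)


def parse_default_values(reg_text):
    """Map each key in a .reg export (lower-cased) to its default (@) value."""
    values = {}
    current_key = None
    for line in reg_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current_key = section.group('key').lower()
            continue
        default = DEFAULT_VALUE_RE.match(line)
        if default and current_key is not None:
            values[current_key] = unescape_reg_string(default.group('value'))
    return values


def audit_exefile_command(reg_text):
    """Report whether the EXE open command is the Windows default or has been hijacked."""
    command = parse_default_values(reg_text).get(EXEFILE_COMMAND_KEY)
    if command is None:
        return {'status': 'missing', 'command': None, 'mentions_files32': False}
    if command == EXPECTED_EXE_COMMAND:
        return {'status': 'ok', 'command': command, 'mentions_files32': False}
    return {
        'status': 'hijacked',
        'command': command,
        'mentions_files32': 'files32.vxd' in command.lower(),
    }


def remediation_reg():
    """A .reg fragment restoring the default command; import it before deleting FILES32.VXD."""
    return ('Windows Registry Editor Version 5.00\n\n'
            '[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n'
            '@="\\"%1\\" %*"\n')


if __name__ == '__main__':
    for name, export in (('clean', CLEAN_EXPORT), ('hijacked', HIJACKED_EXPORT)):
        print(name, audit_exefile_command(export))
    print(remediation_reg())
```

On a live system the same check is done against the key itself rather than an export; the value to compare against is unchanged, and the order of operations the text implies (fix the key, then delete the file) is what keeps EXE files launchable.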
If an error occurs during installation, the worm activates the SSPIPES.SCR
screen saver (3D Pipes). If that file is missing, the worm tries to activate
the 'Canalisation3D.SCR' screen saver.
Then the worm opens an Internet connection and activates two of its routines.
It initialises a socket (Internet) connection and runs these routines on a
regular schedule: the first once every 30 seconds, the second once every 30
minutes.
The first routine, which runs every 30 seconds, tries to connect to one of the
IRC chat servers (see the list below) and to send messages to someone if that
person is present on any channel of the server. This allows the worm author to
monitor infected computers.
The list of IRC servers the worm tries to connect to:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
The worm may also be used as a backdoor (remote access tool) by its author. It
can send out system configuration details, the drive list and directory info,
as well as confidential information: Internet access passwords and telephone
numbers, Remote Access Service login names and passwords, ICQ numbers, etc.
The backdoor is also able to create/remove directories, send/receive files,
delete and execute them, etc.
The second routine, which runs once every 30 minutes, opens the Address Book
file, reads the e-mail addresses stored there, and sends messages to those
addresses. The message Subject field contains the text:
C:\CoolProgs\Pretty Park.exe
The message has a copy of the worm attached as a Pretty Park.EXE file. If
someone receives this message and runs the attached file, their system becomes
infected.
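As an added example (my own code, not from the original analysis), the following Python script turns the two network-visible indicators in the text into a simple detection: the IRC servers the worm beacons to every 30 seconds, and the Subject line and attachment name used by the 30-minute mailing routine. The connection log format and the sample lines are constructed; the worm's IRC port and nickname are not given in the text, so matching is by destination hostname only.

```python
import re

# IRC servers the worm tries to reach (from the analysis), lower-cased for matching.
PRETTYPARK_IRC_SERVERS = frozenset({
    'irc.twiny.net', 'irc.stealth.net', 'irc.grolier.net', 'irc.club-internet.fr',
    'ircnet.irc.aol.com', 'irc.emn.fr', 'irc.anet.com', 'irc.insat.com',
    'irc.ncal.verio.net', 'irc.cifnet.com', 'irc.skybel.net', 'irc.eurecom.fr',
    'irc.easynet.co.uk',
})

# Mail indicators from the analysis: the Subject text and the attachment name.
WORM_SUBJECT = r'C:\CoolProgs\Pretty Park.exe'
WORM_ATTACHMENT = 'pretty park.exe'

# Constructed sample of outbound connection log lines in a hypothetical format:
# "<timestamp> src=<ip> dst=<host>[:<port>]". The port values are assumed, not from the text.
SAMPLE_CONNECTION_LOG = """\
1999-06-12T10:00:03Z src=192.168.1.20 dst=www.example.com:80
1999-06-12T10:00:31Z src=192.168.1.20 dst=irc.twiny.net:6667
1999-06-12T10:01:02Z src=192.168.1.20 dst=irc.stealth.net:6667
1999-06-12T10:01:30Z src=192.168.1.21 dst=mail.example.com:25
"""

LOG_LINE_RE = re.compile(r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)')


def scan_connection_log(log_text):
    """Return (timestamp, source, host) for every connection to a known PrettyPark IRC server."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        # Drop an optional ":port" suffix; hostnames are compared case-insensitively.
        host = m.group('dst').rsplit(':', 1)[0].lower()
        if host in PRETTYPARK_IRC_SERVERS:
            hits.append((m.group('ts'), m.group('src'), host))
    return hits


def beaconing_sources(log_text):
    """Sources with repeated IRC hits; the worm retries the connection every 30 seconds."""
    counts = {}
    for _, src, _ in scan_connection_log(log_text):
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= 2)


def is_prettypark_mail(subject, attachment_names):
    """Flag a message whose Subject contains the worm's text or that carries its attachment."""
    if WORM_SUBJECT.lower() in subject.lower():
        return True
    return any(name.strip().lower() == WORM_ATTACHMENT for name in attachment_names)


if __name__ == '__main__':
    for hit in scan_connection_log(SAMPLE_CONNECTION_LOG):
        print('IRC beacon:', hit)
    print('repeat beaconers:', beaconing_sources(SAMPLE_CONNECTION_LOG))
    print(is_prettypark_mail('C:\\CoolProgs\\Pretty Park.exe', ['Pretty Park.EXE']))
```

Because the mailing routine reads the victim's own Address Book, a single internal host sending many messages with this Subject to internal recipients is the same infection seen from the mail side; correlating those senders with the repeat IRC beaconers above narrows the cleanup list.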
[Analysis: AVP, Data Fellows and DataRescue teams]
Gilbertt Teixeira Plinta
Produção-Industrial-Peróxidos do Brasil Ltda.
*(5541) 316-5268 * (5541)316-5206
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED]
--------------------------- LISTA SOUJAVA ---------------------------
http://www.soujava.org.br - Sociedade de Usuários Java da Sucesu-SP
[most common questions: http://www.soujava.org.br/faq.htm]
[to leave the list: http://www.soujava.org.br/forum/cadastrados.htm]
---------------------------------------------------------------------