'PrettyPark', also known as 'Trojan.PSW.CHV', is an Internet
worm, a password-stealing trojan and a backdoor at the same time.
It was reported to be widespread in Central Europe in June
1999.
Pretty Park spreads via the Internet. It attaches itself to e-mails as
'Pretty Park.exe'. When executed, it installs itself on the system, then
sends e-mail messages with a copy of itself attached to the addresses
listed in the Address Book, and also reports the infected system's
settings and passwords to someone (most likely the worm's author) on
specific IRC servers. It can also be used as a backdoor (remote access
tool).
The first time the worm is executed, it checks whether a copy of itself
is already active in memory. It does this by looking for an application
that has the "#32770" window caption. If there is no such window, the
worm registers itself as a hidden application (not visible in the task
list) and runs its installation routine.
While installing itself on the system, the worm copies itself to the
\Windows\System\ directory as FILES32.VXD and then modifies the Registry
so that it is run each time any EXE file is started while Windows is
active. The worm does this by creating a new key in HKEY_CLASSES_ROOT.
The key name is exefile\shell\open\command and it is associated
with the worm file (the FILES32.VXD file that was created in the Windows
system folder). If the FILES32.VXD file is deleted and the Registry
is not corrected, no EXE file can be started in Windows from then on.
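
A check for the Registry change described above, written as an added example (not part of the original description): it reads the default value of exefile\shell\open\command from a .reg export and reports anything placed in front of the opened program. The two exports, the full path in the infected one, and the function names are constructed for illustration; the stock value `"%1" %*` is the Windows default for this key.

```python
import re

KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_HANDLER = '"%1" %*'  # stock value: Windows runs the opened EXE itself

# Constructed .reg exports; the full path in INFECTED is an assumption.
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

def default_value(reg_text, key=KEY):
    """Return the unescaped default (@) string value of `key`, or None."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # entering a new key section
        elif current is not None and current.lower() == key.lower():
            m = re.fullmatch(r'@="(.*)"', line)
            if m:
                # .reg exports escape backslash and quote with a backslash
                return re.sub(r'\\(["\\])', r'\1', m.group(1))
    return None

def check_exefile_handler(reg_text):
    """Classify the EXE open handler: missing, default, or hijacked."""
    value = default_value(reg_text)
    if value is None:
        return ("missing", None)
    if value.strip().lower() == DEFAULT_HANDLER:
        return ("default", None)
    # Whatever precedes "%1" is launched first whenever an EXE is opened.
    interposed = value.split('"%1"')[0].strip().strip('"')
    return ("hijacked", interposed or value)

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_exefile_handler(text))
```

A "hijacked" result means the value has to be restored to the default before the interposed file is removed, for the reason given above: with the file gone and the key unchanged, EXE files no longer start.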
If an error occurs during installation, the worm activates the SSPIPES.SCR
screen saver (3D Pipes). If this file is missing, the worm tries
to activate the 'Canalisation3D.SCR' screen saver.