Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Win32/PrettyPark.A worm is a file with the internal format of a PE executable under the operating system Windows.  The size of the file is about 37 kilobytes but it is the result of a run-time compression by means of the Polish utility WWPack32. the size of the file after unpacking is 58 kilobytes.  It is obviously written in a higher programming language.  After being run the worm checks whether it has already been installed in the system.  If it does not find its presence it registers itself as a hidden application and gets installed.  To install itself into the system the worm copies a file with the name FILES32.VXD into the Windows system directory and registers it by creating a key exefile/shell/open/command in HKEY_CLASSES_ROOT in the system registry so that the worm is activated whenever any application is started.  After its activation the worm opens a connection to the internet and starts performing two hidden activities.  The first activity is an attempt to get connected to Internet Relay Chat (IRC) where it sends messages upon request.  To connect to IRC the worm uses the following servers:,,,,,,,,,,, and  If the worm is installed in a victim system,  information on configuration, telephone numbers, passwords for access to Internet, ICQ numbers and so on can be obtained with its help.  Remote control can be used even for creating and deleting files and directories, but also for sending and receiving files.  The second activity of the worm is an attempt to send its copy in an email message attachment to an address from the list of the mail program addresses once every 30 minutes.  The message is empty, it contains only the attachment and its subject is: C:\CoolProgs\Pretty Park.exe

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.