Prettypark
Type: Mass-mailer worm
Creator:
Date Discovered: 1999.05.28
Place of Origin: Central Europe
Source Language: Delphi
Platform: MS Windows
File Type(s): .exe
Infection Length:
Reported Costs:

Prettypark is an email worm from 1999. Its most distinctive feature is its icon, the face of the South Park character Kyle. Its exact origin is unknown, but it appears to have come from Central Europe, where it was widespread. It is also notable as the first botnet worm: it carries an IRC-controlled backdoor, a form of malware that became very common in the middle of the following decade.

Behavior

Prettypark arrives in an email as the attachment "Pretty Park.exe". The subject line is "C:\CoolProgs\Pretty Park.exe".

When Prettypark is first executed on a new system, it checks for a window whose caption contains "#32770" (the class name Windows gives to dialog boxes); finding one means a copy of the worm is already running. If it finds none, it runs as a hidden application so that it does not appear in the task list. Prettypark copies itself to Files32.vxd in the Windows system folder and rewrites the registry key that defines the shell "open" command for .exe files (HKEY_CLASSES_ROOT\exefile\shell\open\command) so that this file is invoked first, causing the worm to run every time any .exe file is launched. A consequence of this hook is that deleting Files32.vxd without first restoring the key leaves the system unable to start any .exe file.
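The exefile hook described above is a persistence technique that many later worms reused, and the check a responder wants is whether the .exe launch handler still equals the stock value "%1" %*. The following Python is an added example written for this page, not code from the original page or from any antivirus vendor. It parses a registry export (.reg) rather than the live registry so that it runs on an offline image or a copied file; the two sample exports are constructed, and the second key path and the helper names are assumptions, not anything the page states.

```python
import re

# Stock .exe launch handler on every Windows version. Anything placed in
# front of "%1" is a program that now runs before every executable.
DEFAULT_EXE_HANDLER = '"%1" %*'

# Keys a worm can use to interpose itself on program launch. The HKCR path
# is the one the page describes; the HKLM path is the same data on most hosts.
LAUNCH_HANDLER_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)

# Constructed sample exports, not real captures. In the infected one the
# handler has FILES32.VXD prepended, as described for Prettypark.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def _unescape(value: str) -> str:
    # Undo .reg escaping: backslashes and double quotes are backslash-escaped.
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg(text: str) -> dict:
    """Map key path -> (Default) value for every key in a .reg export that
    sets one. Named values are ignored; only the default command matters here."""
    defaults = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _DEFAULT_VALUE_RE.match(line)
        if value_match and current_key is not None:
            defaults[current_key] = _unescape(value_match.group(1))
    return defaults


def find_launch_hijacks(defaults: dict) -> list:
    """Return (key, handler) pairs whose .exe handler is not the stock one,
    i.e. some other program has been interposed on every program launch."""
    wanted = {k.lower() for k in LAUNCH_HANDLER_KEYS}
    return [
        (key, handler)
        for key, handler in defaults.items()
        if key.lower() in wanted and handler.strip() != DEFAULT_EXE_HANDLER
    ]


if __name__ == "__main__":
    for name, export in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(name, find_launch_hijacks(parse_reg(export)))
```

On a live host, `reg export HKCR\exefile exefile.reg` produces the export (the file is UTF-16, so open it with `encoding="utf-16"` before passing it to `parse_reg`), and `reg query HKCR\exefile\shell\open\command` shows the value directly. When a hit is found, restore the key to `"%1" %*` before removing the interposed file; doing it the other way round leaves no way to start an .exe, including regedit.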

If an error occurs during installation, Prettypark launches a screensaver as a decoy, normally SSPIPES.SCR (3D Pipes); if it cannot find that, it tries Canalisation3D.SCR, the name of the same screensaver on French-language Windows installations.

[Image: Prettyic.png. The Prettypark icon.]

It then connects to one of the following IRC servers:

  • irc.twiny.net
  • irc.stealth.net
  • irc.grolier.net
  • irc.club-internet.fr
  • ircnet.irc.aol.com
  • irc.emn.fr
  • irc.anet.com
  • irc.insat.com
  • irc.ncal.verio.net
  • irc.cifnet.com
  • irc.skybel.net
  • irc.eurecom.fr
  • irc.easynet.co.uk

Prettypark joins an IRC channel and sends data over it every 30 seconds to keep the connection alive and stay in the channel. Over the channel it can receive commands that retrieve information from the system, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version number, ICQ identification numbers and nicknames, the user's email address, and Dial-Up Networking user names and passwords. It also acts as a backdoor: anyone who knows how to talk to the worm over the channel can send files to the computer and execute them there.
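The fixed 30-second keep-alive above is a beaconing pattern, and the general check a defender writes for it is to look for a source/destination pair whose inter-arrival times cluster tightly around one period. The following Python is an added example written for this page, not code from the original page or from any antivirus vendor. The flow records (timestamp, source, destination, port) are constructed; the 30-second period, 20% tolerance and five-event minimum are assumed thresholds, and the function names are this example's own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (timestamp src dst dport), not a real capture.
# 10.0.0.5 talks to an IRC server every 30 s, as an infected host would;
# its web traffic and 10.0.0.7's two IRC hits are noise that must not fire.
SAMPLE_LOG = """\
1999-06-03T10:00:00 10.0.0.5 irc.twiny.net 6667
1999-06-03T10:00:04 10.0.0.5 www.example.com 80
1999-06-03T10:00:30 10.0.0.5 irc.twiny.net 6667
1999-06-03T10:00:41 10.0.0.7 irc.stealth.net 6667
1999-06-03T10:01:00 10.0.0.5 irc.twiny.net 6667
1999-06-03T10:01:13 10.0.0.5 www.example.com 80
1999-06-03T10:01:30 10.0.0.5 irc.twiny.net 6667
1999-06-03T10:02:00 10.0.0.5 irc.twiny.net 6667
1999-06-03T10:02:15 10.0.0.7 irc.stealth.net 6667
1999-06-03T10:02:30 10.0.0.5 irc.twiny.net 6667
1999-06-03T10:02:52 10.0.0.5 www.example.com 80
1999-06-03T10:03:00 10.0.0.5 irc.twiny.net 6667
"""


def parse_flows(text: str) -> list:
    """Turn whitespace-separated log lines into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows: list, period: float = 30.0, tolerance: float = 0.2,
                 min_events: int = 5) -> list:
    """Group flows by (src, dst, dport) and report the groups whose gaps
    average close to `period` seconds with little spread.

    Returns (src, dst, dport, event_count, mean_gap_seconds) tuples."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Both the mean and the jitter must sit within tolerance of the period;
        # a large spread means bursts or user activity, not a timer.
        if abs(avg - period) <= tolerance * period and pstdev(gaps) <= tolerance * period:
            hits.append((*pair, len(stamps), round(avg, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_LOG)):
        print("beacon:", hit)
```

Note that a keep-alive inside one long-lived IRC session shows up as periodic packets, not periodic new connections, so the timestamps to feed in are per-packet or per-message times for that session, not connection-setup times. Prettypark's timer has no jitter; later malware randomizes the interval, so for modern traffic the tolerance has to be loosened or replaced with a distribution test.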

Every 30 minutes, Prettypark reads the address book and mails itself, as an attachment, to the addresses it finds.

Variants

F-Secure claims several variants exist, all with similar functionality. Some are packed.

Effects

Prettypark became widespread in Central Europe in June of 1999. There was another outbreak in March of 2000.

Other Facts

Prettypark is most notable for being the first botnet worm, paving the way for later botnet-building worms such as Storm, Zotob, and Conficker. About two years later, Prettypark became a target of the nematode (anti-worm) All3gro.

Sources

Symantec. PrettyPark.Worm. 2007.02.13.

AVP, F-Secure, DataRescue teams. F-Secure Virus Descriptions: PrettyPark.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License