W32/Pretty.worm.unp

This page shows details and results of our analysis on the malware W32/Pretty.worm.unp

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4067 (2000-03-01)

Updated DAT

4067 (2000-03-01)

Minimum Engine

5400.1158

File Length

60,928

Description Added

2000-02-17

Description Modified

2001-03-16

Characteristics

This is an Internet worm that installs on Windows 9x/NT systems. It arrives via email from affected users who have also run this Internet worm. It appears with the icon of a character from the animated comedy series South Park. Emails containing this Internet worm have this format:

-------------
Subject: C:\CoolProgs\Pretty Park.exe

Test: Pretty Park.exe :)
-------------

Attached is the file Pretty park.exe and in some cases Pretty~1.exe.

This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express.

A second function of this worm is that it also tries to connect to several IRC servers and send data packets to the connected server. While the system is connected to the Internet, the worm sends and listens on random UDP and TCP ports. In testing the range was 1000 to 4900, and the port is assigned at random. First it chooses a random UDP and/or TCP port, then listens on that port, then responds with a packet to that port and closes it. This happens approximately once every 30 seconds; the intervals are not fixed and appear to be random as well. In testing, the following IRC servers were connected to, just for a few seconds each, and were also chosen at random:

banana.irc.easynet.net:6667
irc.ncal.verio.net:6667
irc.stealth.net:6667
irc.twiny.net:6667
irc1.emn.fr:6667
krameria.skybel.net:6667
mist.cifnet.com:6667
zafira.eurecom.fr:6667

While connected, this worm tries to stay connected by sending information to the IRC server, and also retrieves any commands from the IRC channel. While on the chosen IRC server, the author of this worm could use the connection as a remote access trojan to obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking usernames and passwords.

Symptoms

Emails containing this Internet worm have this format:

-------------
Subject: C:\CoolProgs\Pretty Park.exe

Test: Pretty Park.exe :)
-------------

This program, when run, copies itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the default value of the command key located under:

HKLM\Software\CLASSES\exefile\shell\open

from "%1" %* to FILES32.VXD "%1" %*. In essence, this causes FILES32.VXD to run whenever any .EXE file is executed.

See this related description of W32/Pretty.worm.

Method of Infection

Direct execution of the file "Pretty Park.exe" will install to the local system as mentioned above.

Removal

Removal of this trojan is complicated by the depth to which the trojan hooks the operating system.

One trick that AVERT has discovered is to rename the registry editing program from its original .EXE to a .COM extension (as in REGEDIT.COM). Because the trojan hooks the .EXE file association, removing the trojan before editing the registry leaves REGEDIT.EXE unable to start; a .COM copy bypasses this limitation and allows you to remove references to trojans and Internet worms.

To repair the registry via a registry script file, download this UNDO.REG file, and open it.

--- Manual Removal Instructions ---

1) Identify and note the files associated with this trojan as detected by the scanner.

2) Click START|RUN, type

COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER

3) Click START|RUN, type REGEDIT.COM and hit ENTER

4) Remove references to the trojan from these keys of the registry

HKCR\exefile\shell\open\command\

HKLM\Software\CLASSES\exefile\
shell\open\command

They should contain only the value (not including the brackets)
["%1" %*].

5) If applicable, remove any keys that run the main trojan under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\
Installed Components\KeyName\

6) If applicable, delete the registry key if it exists

HKEY_CLASSES_ROOT\.dl

and exit Regedit

7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.

8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.

9) Restart the system.

10) Delete the trojan program(s). If all is well, the files should delete without error. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
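An added example, not from the original description or from AVERT: a Python audit of a REGEDIT4 export that applies the checks in steps 4 and 5 (the exefile command value must be exactly "%1" %*; no Run/RunServices/Active Setup value may reference the worm's files) and emits a repair script in the style of the UNDO.REG mentioned above. The sample export, the value name files32 and the ScanRegistry entry are constructed; the file names in TROJAN_FILES are those given on this page.

```python
EXPECTED_COMMAND = '"%1" %*'   # clean default value from removal step 4
TROJAN_FILES = ('FILES32.VXD', 'PRETTY PARK.EXE', 'PRETTY~1.EXE')

# Constructed REGEDIT4 export of the keys named in steps 4 and 5 (not real data).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"files32"="FILES32.VXD"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

def parse_reg(text):
    """Return {key: {name: data}} from a REGEDIT4 text export (REG_SZ only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line:
            name, _, data = line.partition('=')
            if data.startswith('"') and data.endswith('"'):   # unescape REG_SZ
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name.strip('"')] = data
    return keys

def audit_export(export_text):
    """Step 4/5 findings: hijacked exefile commands, autostart values naming the worm."""
    found = {'hijacked': [], 'autostart': []}
    for key, values in parse_reg(export_text).items():
        k = key.lower()
        if k.endswith(r'exefile\shell\open\command'):
            if values.get('@', '') != EXPECTED_COMMAND:
                found['hijacked'].append((key, values.get('@', '')))
        elif r'currentversion\run' in k or r'active setup\installed components' in k:
            for name, data in values.items():
                if any(t in data.upper() for t in TROJAN_FILES):
                    found['autostart'].append((key, name, data))
    return found

def repair_reg(findings):
    """REGEDIT4 script restoring the clean command; "name"=- deletes a value."""
    out = ['REGEDIT4', '']
    for key, _ in findings['hijacked']:
        out += ['[' + key + ']', '@="\\"%1\\" %*"', '']
    for key, name, _ in findings['autostart']:
        out += ['[' + key + ']', '"' + name + '"=-', '']
    return '\n'.join(out)
```

Running the repair script through audit_export again should report nothing, which is a useful sanity check before importing it with REGEDIT.COM.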

Variants