From: emil()
Compiled by: emil (1999-06-16 09:39:18), on-site mail
Trojan.PSW.CHV (a.k.a. Win32.PrettyPark)
Detection and removal for this backdoor/password stealer was added in the
June 1st, 1999 update of AntiViral Toolkit Pro.
This is a worm that spreads via the Internet. It arrives as a
"PrettyPark" utility attached to email. When executed it installs
itself into the system, then sends infected messages (with its own
copy attached) to the addresses listed in the Windows Address Book,
reports system settings and passwords to a user on an IRC channel, and
may also be used as a backdoor.
The worm itself is a Windows PE executable about 37Kb long, compressed
with the WWPack32 utility. Unpacked, it is a 58Kb EXE file written in
Delphi; the "pure" code in the file occupies only about 45Kb. Despite
this small size for a Delphi application, the worm has many features
that make it a very dangerous and fast-spreading program.
When the worm is executed on a system for the first time, it checks
whether a copy is already running in memory. It does this by looking
for an application whose window caption is "#32770". If no such window
exists, the virus registers itself as a hidden application (not
visible in the task list) and runs its installation routine.
While installing, the worm copies its file to the Windows system
directory under the name FILES32.VXD and registers it in the system
registry so that it is run each time any other application starts.
It does this by creating a new key under HKEY_CLASSES_ROOT, named
exefile\shell\open\command, and associating it with the worm copy,
the FILES32.VXD file created in the Windows system folder. Although
this file has a .VXD extension, it is not a Win95/98 VxD driver but a
"true" Windows executable.
If an error occurs during installation, the worm activates the
SSPIPES.SCR screen saver (to hide its activity?). If that file is not
found, it tries to activate the Canalisation3D.SCR screen saver.
The worm then initializes a socket (Internet) connection and runs two
routines: the first is activated once every 30 seconds, the other
once every 30 minutes.
Each time the first routine is activated it tries to connect to an IRC
chat server (see the list below) and, on specific requests, sends
messages to a user on these channels. In this way the worm author
apparently collects affected machines in order to monitor them. The
IRC servers the worm tries to connect to are:
irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk
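Two of the indicators above are easy to triage on a host and in network logs: the hijacked default value of HKEY_CLASSES_ROOT\exefile\shell\open\command (on a clean system it is just `"%1" %*`), and lookups of the listed IRC servers. The following is an added example written for this post, not code from the original description or from AntiViral Toolkit Pro. The registry value strings and the DNS log lines are constructed samples; in particular, the exact form of the hijacked command value is not given in the description, so the sample below is an assumption that only illustrates the FILES32.VXD name appearing in front of `"%1"`.

```python
"""Triage helpers for the PrettyPark indicators: registry persistence and IRC beacons.

Added example; not part of the original post or of AntiViral Toolkit Pro.
All registry values and log lines below are constructed samples.
"""
import re

# Clean default value of HKEY_CLASSES_ROOT\exefile\shell\open\command:
# run the .exe itself ("%1") with its arguments (%*).
CLEAN_EXEFILE_COMMAND = re.compile(r'^\s*"%1"\s*%\*\s*$')

# File name the worm drops into the Windows system directory.
DROPPED_FILENAME = "files32.vxd"

# IRC servers listed in the description, used here as network indicators.
IRC_SERVERS = (
    "irc.twiny.net", "irc.stealth.net", "irc.grolier.net",
    "irc.club-internet.fr", "ircnet.irc.aol.com", "irc.emn.fr",
    "irc.anet.com", "irc.insat.com", "irc.ncal.verio.net",
    "irc.cifnet.com", "irc.skybel.net", "irc.eurecom.fr",
    "irc.easynet.co.uk",
)

# Rough hostname token: letters/digits/dots/dashes ending in a TLD.
HOSTNAME = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def classify_exefile_command(value: str) -> str:
    """Classify an exefile\\shell\\open\\command value.

    Returns 'clean' for the stock value, 'prettypark' when the dropped
    file name is present, and 'suspicious' for any other wrapper, since
    anything placed before "%1" intercepts every .exe launch.
    """
    if CLEAN_EXEFILE_COMMAND.match(value):
        return "clean"
    if DROPPED_FILENAME in value.lower():
        return "prettypark"
    return "suspicious"


def find_irc_contacts(log_lines):
    """Return [(line_no, host)] for log lines that name a listed IRC server."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for host in HOSTNAME.findall(line.lower()):
            if host in IRC_SERVERS:
                hits.append((line_no, host))
    return hits


# Constructed sample registry values (the hijacked form is an assumption).
SAMPLE_REGISTRY_VALUES = {
    "stock": '"%1" %*',
    "hijacked": 'C:\\WINDOWS\\SYSTEM\\FILES32.VXD "%1" %*',
    "other wrapper": 'C:\\TOOLS\\WRAPPER.EXE "%1" %*',
}

# Constructed sample DNS query log from one client.
SAMPLE_DNS_LOG = [
    "1999-06-16 09:40:01 client=10.0.0.7 query=www.moon-soft.com type=A",
    "1999-06-16 09:40:31 client=10.0.0.7 query=irc.stealth.net type=A",
    "1999-06-16 09:41:01 client=10.0.0.7 query=mail.example.com type=MX",
    "1999-06-16 09:41:02 client=10.0.0.7 query=irc.club-internet.fr type=A",
]


if __name__ == "__main__":
    for label, value in SAMPLE_REGISTRY_VALUES.items():
        print(f"{label:14s} -> {classify_exefile_command(value)}")
    for line_no, host in find_irc_contacts(SAMPLE_DNS_LOG):
        print(f"line {line_no}: contact with listed IRC server {host}")
```

On a live Windows host the value would come from the registry (for example via `reg query HKCR\exefile\shell\open\command`) and the log lines from a DNS or proxy server; the two helpers only need the resulting strings, so they can be run offline against exported data.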
Once recognized by the host (the virus author), the worm can be
controlled as a backdoor trojan horse. Through a set of commands it
sends the remote host the system configuration, the disk list and
directory information, as well as confidential data: Internet access
passwords and telephone numbers, Remote Access Service login names and
passwords, ICQ numbers, etc. The backdoor is also able to create and
remove directories, send and receive files, and delete and execute
them, etc.
The second routine, which is activated once per 30 seconds, opens the
Windows Address Book file, reads the Internet addresses listed there,
and sends a message to each of them. The message Subject field
contains the text:
C:\CoolProgs\Pretty Park.exe
-- Welcome to "Virus Watch" http://bd.yeah.net and "Liaoduzhai" http://ldz.126.com http://liaoduzhai.163.net Email: [email protected]
※ Source: Moonlight Software Station http://www.moon-soft.com [FROM: 202.192.154.2]