Win32/Pronny [Threat Name] go to Threat

Win32/Pronny.AA [Threat Variant Name]

Category worm
Size 233472 B
Detection created Dec 29, 2011
Detection database version 6751
Aliases Trojan.Win32.Diple.ecbo (Kaspersky)
  VBObfus.cm.trojan (McAfee)
  Trojan:Win32/Otran (Microsoft)
  TR/Otran.A.138 (Avira)
Short description

Win32/Pronny.AA is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\­%variable%.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable%" = "%userprofile%\­%variable%.exe /q"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0

A string with variable content is used instead of %variable% .

Spreading on removable media

The worm searches for files and folders in the root folders of removable drives.


The worm searches for files with the following file extensions:

  • .inf
  • .exe
  • .scr
  • .dll
  • .ico

The worm then deletes found files.


The worm copies itself into the root folders of removable drives using filename based on the name of an existing file or folder.


The worm copies itself into the root folders of removable drives using the following names:

  • %originalmalwarefilename%
  • Passwords.exe
  • Porn.exe
  • Secret.exe
  • Sexy.exe

The following files are dropped in the same folder:

  • autorun.inf
  • x.mpeg

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (3) URLs. The HTTP protocol is used.


The worm tries to download a file from the Internet.


The file is stored in the following location:

  • %userprofile%\­%variable%.exe

The file is then executed.


A string with variable content is used instead of %variable% .


The worm may execute the following commands:

  • cmd.exe /c tasklist&&del %originalmalwarefilename%

Please enable Javascript to ensure correct displaying of this content and refresh this page.