Win32/Pronny [Threat Name]

Win32/Pronny.AQ [Threat Variant Name]

Category worm
Size 307200 B
Detection created May 11, 2012
Detection database version 7128
Aliases
  • Trojan.Win32.Jorik.Vobfus.cvtk (Kaspersky)
  • VBObfus.dv.trojan (McAfee)
  • Worm:Win32/Vobfus.FB (Microsoft)
  • W32.Changeup (Symantec)
Short description

Win32/Pronny.AQ is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\%variable%.exe

A string with variable content is used instead of %variable%.

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%userprofile%\%variable%.exe /h"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    • "NoAutoUpdate" = 1

Spreading on removable media

The worm searches for files and folders in the root folders of removable drives.

The worm searches removable drives for files with the following file extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

When the worm finds a file matching the search criteria, it creates a new copy of itself. The extension of the file is ".exe".

The worm copies itself into the root folders of removable drives using a filename based on the name of an existing file or folder.

The worm copies itself into the root folders of removable drives using the following names:

  • %variable%.exe
  • Passwords.exe
  • Porn.exe
  • Secret.exe
  • Sexy.exe

The worm creates the following files:

  • %removabledrive%\x.mpeg
  • %removabledrive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.
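The persistence entries under Installation and the removable-media artifacts described above can be audited with the following PowerShell script, an added example that is not part of ESET's page or of the worm itself. It assumes Windows PowerShell 5.1 or later and read access to the current user's HKCU hive; %variable% is treated as any name, and the duplicate-name check for .exe files is a heuristic.

```powershell
# Added audit script (not ESET's code): reports the indicators this page lists.
# Assumes Windows PowerShell 5.1+; run as the user whose HKCU hive should be checked.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: a Run value whose data is "<userprofile>\<anything>.exe /h"
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = '^"?{0}\\[^\\]+\.exe"? /h$' -f [regex]::Escape($env:USERPROFILE)
(Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |      # skip PSPath/PSDrive metadata
    ForEach-Object {
        if ($_.Value -match $pattern) { $findings.Add("Run value '$($_.Name)' = $($_.Value)") }
    }

# 2. Registry settings the worm applies: hide super-hidden files, disable Windows Update
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';       Name = 'NoAutoUpdate';    Bad = 1 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { $findings.Add("$($c.Path)\$($c.Name) = $v") }
}

# 3. Removable drives (DriveType 2): autorun.inf / x.mpeg in the root, the fixed lure names,
#    and .exe files whose base name duplicates another file or folder in the root.
$lures = 'Passwords.exe', 'Porn.exe', 'Secret.exe', 'Sexy.exe'
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (-not (Test-Path -LiteralPath $root)) { return }
    $items = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue
    foreach ($n in 'autorun.inf', 'x.mpeg') {
        if ($items.Name -contains $n) { $findings.Add("$root$n present") }
    }
    $names = $items | Where-Object { $_.Extension -ne '.exe' } | ForEach-Object { $_.BaseName }
    foreach ($exe in ($items | Where-Object { $_.Extension -eq '.exe' })) {
        if ($lures -contains $exe.Name -or $names -contains $exe.BaseName) {
            $findings.Add("$($exe.FullName) ($($exe.Length) bytes)")
        }
    }
}

if ($findings.Count -eq 0) { 'No Pronny.AQ indicators found.' } else { $findings }
```

A hit in section 3 is only an indicator; compare the file's size with the 307200 B listed above and submit it to a scanner before deleting anything.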

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 5 URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • delete files
  • delete Registry entries

The worm terminates processes with any of the following strings in the name:

  • proc
  • task

The worm may execute the following commands:

  • cmd.exe /c tasklist&&del %originalmalwarefilepath%
