Win32/Pronny [Threat Name]

Win32/Pronny.LZ [Threat Variant Name]

Category worm
Size 88576 B
Detection created Jun 13, 2013
Detection database version 8576
Aliases Worm.Win32.WBNA.ipa (Kaspersky)
  Worm:Win32/Vobfus.RA (Microsoft)
  VBObfus.g.trojan (McAfee)

Short description

Win32/Pronny.LZ is a worm that spreads via shared folders and removable media. The worm can download and execute a file from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %profile%\%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = ""%profile%\%variable%.exe /%random%"

A string with variable content is used instead of %random%.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    • "NoAutoUpdate" = 1

Spreading

Win32/Pronny.LZ is a worm that spreads via shared folders and removable media.


The worm copies itself into the root folders of network and/or removable drives using the following names:

  • %variable%.exe
  • Secret.exe
  • Sexy.exe
  • Porn.exe
  • Passwords.exe

A string with variable content is used instead of %variable%.


The following files are dropped in the same folder:

  • autorun.inf
  • x.mpeg

The AUTORUN.INF file contains the path to the malware executable.


This file is usually dropped into the root folder of available drives in an attempt to autorun a malware executable when the infected drive is mounted.


The worm attempts to delete the following files:

  • %removabledrive%\*.inf
  • %removabledrive%\*.scr
  • %removabledrive%\*.exe
  • %removabledrive%\*.dll
  • %removabledrive%\*.ico

The worm searches removable and network drives for files with the following file extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

When the worm finds a file matching the search criteria, it creates a new copy of itself.


The name of the new file is based on the name of the file found in the search. The extension of the file is ".exe".
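
The drive-root artifacts described above (lure names, the dropped autorun.inf and x.mpeg, and .exe copies named after existing documents) can be checked from a directory listing. The following Python code is an added example, not part of the original description and not ESET's code; the function names, the sample listing and the sample autorun.inf content are constructed, and the AutoRun launch keys (open, shellexecute, shell\...\command) are an assumption about how the path is stored, since the page only says the file contains the path.

```python
import ntpath
# Names and extensions as listed in the description above.
LURE_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
DROPPED = {"autorun.inf", "x.mpeg"}
TARGET_EXTS = {".avi", ".bmp", ".doc", ".gif", ".jpe", ".jpg", ".mp3", ".mp4", ".mpg",
               ".pdf", ".png", ".tif", ".txt", ".wav", ".wma", ".wmv", ".xls"}
# Assumption: standard AutoRun keys that can start a program (not listed on the page).
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(inf_text):
    """Return lower-cased program file names referenced by launch keys in autorun.inf."""
    targets = set()
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not sep or not is_launch:
            continue
        # Keep only the program path: a quoted path may contain spaces, arguments are dropped.
        program = value[1:].split('"')[0] if value.startswith('"') else value.split(" ")[0]
        if program:
            targets.add(ntpath.basename(program).lower())
    return targets

def scan_root(names, autorun_text=""):
    """Classify a drive-root listing; returns {indicator: sorted file names}."""
    lower = {n.lower(): n for n in names}
    exts_by_stem = {}
    for low in lower:
        stem, ext = ntpath.splitext(low)
        exts_by_stem.setdefault(stem, set()).add(ext)
    launched = autorun_targets(autorun_text) if "autorun.inf" in lower else set()
    return {
        "lure_names": sorted(lower[n] for n in lower if n in LURE_NAMES),
        "dropped_files": sorted(lower[n] for n in lower if n in DROPPED),
        "autorun_launches": sorted(lower[n] for n in launched if n in lower),
        # An .exe sharing its base name with a document or media file in the same folder.
        "exe_twins": sorted(lower[s + ".exe"] for s, exts in exts_by_stem.items()
                            if ".exe" in exts and exts & TARGET_EXTS),
    }

# Constructed sample: a removable drive root listing and its autorun.inf content.
SAMPLE_NAMES = ["autorun.inf", "x.mpeg", "Passwords.exe", "holiday.jpg", "holiday.exe",
                "budget.xls", "kqwzo.exe", "setup.exe"]
SAMPLE_INF = "[autorun]\nopen=kqwzo.exe\naction=Open folder to view files\n"

if __name__ == "__main__":
    for indicator, files in scan_root(SAMPLE_NAMES, SAMPLE_INF).items():
        print(f"{indicator}: {files}")
```

An exe_twins hit on its own can be benign, so weigh it together with the other indicators before acting on it.
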


The worm searches local and network drives for files with one of the following extensions:

  • .rar
  • .zip

The worm inserts a copy of itself into the archive file.


The worm may create copies of itself using the following filenames:

  • %cdromdrive%\autorun.inf
  • %cdromdrive%\Secret.exe
  • %cdromdrive%\Sexy.exe
  • %cdromdrive%\Porn.exe
  • %cdromdrive%\Passwords.exe

Other information

The worm can download and execute a file from the Internet.


The worm contains a list of URLs. The TCP protocol is used.
