Win32/Pronny [Threat Name] go to Threat

Win32/Pronny.AB [Threat Variant Name]

Category	worm
Size	299008 B
Aliases	Trojan.Win32.Diple.eecq (Kaspersky)
	VBObfus.cm.trojan (McAfee)
	Worm:Win32/Vobfus (Microsoft)
	TR/Diple.eecq (Avira)

Win32/Pronny.AB is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.

When executed, the worm copies itself into the following location:

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%userprofile%\%variable%.exe /q"

The following Registry entry is set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 0

A string with variable content is used instead of %variable% .

The worm searches for files and folders in the root folders of removable drives.

The worm searches for files with the following file extensions:

The worm then deletes found files.

The worm copies itself into the root folders of removable drives using filename based on the name of an existing file or folder.

The worm copies itself into the root folders of removable drives using the following names:

The following files are dropped in the same folder:

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (3) URLs. The HTTP protocol is used.

The worm tries to download a file from the Internet.

The file is stored in the following location:

The file is then executed.

A string with variable content is used instead of %variable% .

The worm may execute the following commands: