Analysis by: Mark Joseph Manahan

ALIASES:

Mal/VB-ALW (Sophos) ,Win32/Pronny.LZ worm (Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

Tamaño del archivo 143,360 bytes
Tipo de archivo EXE
Residente en memoria No
Fecha de recepción de las muestras iniciales 08 Jun 2014

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

  • {removable drive letter}:\movies.lnk
  • {removable drive letter}:\music.lnk
  • {removable drive letter}:\favourites.lnk
  • {removable drive letter}:\passwords.lnk
  • {removable drive letter}:\pictures.lnk
  • {removable drive letter}:\private.lnk
  • {removable drive letter}:\search.lnk
  • {removable drive letter}:\secret folder.lnk

It drops the following copies of itself into the affected system:

  • %User Profile%\{random foldername}\{random file name}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = "%User Profile%\{random foldername}\{random file name}.exe /{random char}"

Other System Modifications

This worm modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\i love you.exe
  • {drive letter}:\naked.exe
  • {drive letter}:\password.exe
  • {drive letter}:\sexy.exe
  • {drive letter}:\webcam.exe
  • {drive letter}:\{random filename}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Other Details

This worm connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.114.0
  • {BLOCKED}.{BLOCKED}.117.0
  • {BLOCKED}.{BLOCKED}.66.0
  • {BLOCKED}.{BLOCKED}.190.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.113.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.138.0
  • {BLOCKED}.{BLOCKED}.20.0
  • {BLOCKED}.{BLOCKED}.216.0
  • {BLOCKED}.{BLOCKED}.72.121
  • {BLOCKED}.{BLOCKED}.237.0
  • {BLOCKED}.{BLOCKED}.55.0
  • {BLOCKED}.{BLOCKED}.222.0
  • {BLOCKED}.{BLOCKED}.169.0
  • {BLOCKED}.{BLOCKED}.117.0
  • {BLOCKED}.{BLOCKED}.116.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.71.0
  • {BLOCKED}.{BLOCKED}.149.0
  • {BLOCKED}.{BLOCKED}.221.0
  • {BLOCKED}.{BLOCKED}.103.0
  • {BLOCKED}.{BLOCKED}.32.21
  • {BLOCKED}.{BLOCKED}.34.21
  • {BLOCKED}.{BLOCKED}.36.21
  • {BLOCKED}.{BLOCKED}.38.21
  • {BLOCKED}.{BLOCKED}.68.0
  • {BLOCKED}.{BLOCKED}.98.0
  • {BLOCKED}.{BLOCKED}.168.0
  • {BLOCKED}.{BLOCKED}.136.0
  • {BLOCKED}.{BLOCKED}.210.0
  • {BLOCKED}.{BLOCKED}.58.0
  • {BLOCKED}.{BLOCKED}.62.0
  • {BLOCKED}.{BLOCKED}.66.0
  • {BLOCKED}.{BLOCKED}.67.0
  • {BLOCKED}.{BLOCKED}.93.201
  • {BLOCKED}.{BLOCKED}.125.0
  • {BLOCKED}.{BLOCKED}.100.0
  • {BLOCKED}.{BLOCKED}.73.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.0.0
  • {BLOCKED}.{BLOCKED}.112.0
  • {BLOCKED}.{BLOCKED}.67.100
  • {BLOCKED}.{BLOCKED}.34.46
  • {BLOCKED}.{BLOCKED}.245.0
  • {BLOCKED}.{BLOCKED}.120.0
  • {BLOCKED}.{BLOCKED}.41.0
  • {BLOCKED}.{BLOCKED}.43.0
  • {BLOCKED}.{BLOCKED}.44.0
  • {BLOCKED}.{BLOCKED}.183.0
  • {BLOCKED}.{BLOCKED}.169.0
  • {BLOCKED}.{BLOCKED}.174.0
  • {BLOCKED}.{BLOCKED}.197.0
  • {BLOCKED].{BLOCKED}.58.0
  • {BLOCKED].{BLOCKED}.72.0
  • {BLOCKED}.{BLOCKED}.143.0
  • {BLOCKED}.{BLOCKED}.166.0
  • {BLOCKED}.{BLOCKED}.167.0
  • {BLOCKED}.{BLOCKED}.230.0
  • {BLOCKED}.{BLOCKED}.13.0
  • {BLOCKED}.{BLOCKED}.236.0
  • {BLOCKED}.{BLOCKED}.139.0
  • {BLOCKED}.{BLOCKED}.196.0
  • {BLOCKED}.{BLOCKED}.85.0