Analysis by: Jaime Benigno Reyes
ALIASES:

Worm.Win32.Vobfus.eugf (Kaspersky); Win32/Pronny.LZ worm (Nod32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via flashdrives, Downloaded from the Internet, Dropped by other malware

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

It terminates itself if it detects it is being run in a virtual environment.

  TECHNICAL DETAILS

File Size: 172,032 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 12 Dec 2014
Payload: Connects to URLs/IPs, Drops files

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following non-malicious files:

  • {removable drive letter}:\x.mpeg

It drops the following copies of itself into the affected system:

  • %User Profile%\{random folder name}\{random file name}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\{random folder name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = {random file name} = "%User Profile%\{random folder name}\{random file name}.exe /{random character}"

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

  • {random file name}.lnk

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UACDisableNotify = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

Propagation

This worm drops the following copies of itself in all physical and removable drives:

  • {removable drive letter}:\Love You.exe
  • {removable drive letter}:\Money.exe
  • {removable drive letter}:\Nude.exe
  • {removable drive letter}:\Sex.exe
  • {removable drive letter}:\{random file name}.exe

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open={random file name}.exe
icon={random file name}.exe,0

or

{garbage characters}
[autorun]
{garbage characters}
open={random}.eXE
{garbage characters}
ACTION={random number}
UseautopLAY=1
{garbage characters}

Download Routine

This worm accesses the following websites to download files:

  • {BLOCKED}1.{BLOCKED}k{random number}.com
  • {BLOCKED}1.{BLOCKED}k{random number}.edu
  • {BLOCKED}1.{BLOCKED}k{random number}.net
  • {BLOCKED}1.{BLOCKED}k{random number}.org

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

Other Details

This worm terminates itself if it detects it is being run in a virtual environment.

It terminates itself if any of the following file(s) are present:

  • sbiedll.dll (Sandboxie component)
  • snxhk.dll (AVAST component)

NOTES:

It queries the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum registry key for the following registry data strings to check if it is running in a virtual environment:

  • *VIRTUAL*
  • *VMWARE*
  • *VBOX*
  • *QEMU*

It will not continue its malicious routines when it found the following processes and module running in the system:

  • VBoxService.exe
  • vmtoolsd.exe
  • SbieDll.dll

It drops the following shortcut files in removable drives:

  • {removable drive letter}:\Favourites.lnk
  • {removable drive letter}:\Movies.lnk
  • {removable drive letter}:\Music.lnk
  • {removable drive letter}:\Passwords.lnk
  • {removable drive letter}:\Pictures.lnk
  • {removable drive letter}:\Private.lnk
  • {removable drive letter}:\Search.lnk
  • {removable drive letter}:\Secret Folder.lnk

The shortcut files point to its dropped copy {removable drive letter}:\{random file name}.exe.

It also uses the names of existing folders and names of files with the following extensions for its dropped copies:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

This routine enables the copy of the worm to execute first before opening the real folder or file. It then changes the attributes of the original folders and files to Hidden and System to avoid early detection.

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 11.340.02
FIRST VSAPI PATTERN DATE: 12 Dec 2014
VSAPI OPR PATTERN File: 11.341.00
VSAPI OPR PATTERN Date: 13 Dec 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Scan your computer with your Trend Micro product and note files detected as WORM_PRONNY.IUY

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random file name} = "%User Profile%\{random folder name}\{random file name}.exe /{random character}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • UACDisableNotify = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableLUA = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    • NoAutoUpdate = "1"

Step 6

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: ShowSuperHidden = "0"
      To: ShowSuperHidden = "1"

Step 7

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Profile%\{random folder name}

Step 8

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Startup%\{random file name}.lnk
  • {removable drive letter}:\Favourites.lnk
  • {removable drive letter}:\Movies.lnk
  • {removable drive letter}:\Music.lnk
  • {removable drive letter}:\Passwords.lnk
  • {removable drive letter}:\Pictures.lnk
  • {removable drive letter}:\Private.lnk
  • {removable drive letter}:\Search.lnk
  • {removable drive letter}:\Secret Folder.lnk
  • {removable drive letter}:\x.mpeg

Step 9

Search and delete AUTORUN.INF files created by WORM_PRONNY.IUY that contain these strings

[ Learn More ]
  • [autorun]
  • open={random file name}.exe
  • icon={random file name}.exe,0
  • or
  • {garbage characters}
  • [autorun]
  • {garbage characters}
  • open={random}.eXE
  • {garbage characters}
  • ACTION={random number}
  • UseautopLAY=1
  • {garbage characters}

Step 10

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_PRONNY.IUY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.