Malware activity exploiting Autorun on Windows computers has been generating quite a few calls to ESET support lines lately, reminding us that old infection techniques seldom die and USB flash drives can still be an effective means of getting malicious code onto a computer. USB drives can be used to infect computers that automatically execute files on removable media when that media is inserted. On Windows machines this is known as the Autorun feature (referred to as Autoplay in Windows 7), and it was originally designed to simplify access to CD content.
At ESET we flag malicious autorun.inf files as INF/Autorun and this category of threat currently holds the number two spot in our Top World Threats, as displayed on our Threat Radar page. One particular USB-enabled worm–detected by ESET as Win32/Pronny.xx–has been quite active of late and it employs autorun.inf files detected as INF/Autorun.AC. According to our support experts this malware is showing up on company networks, notably on machines where antivirus is not up-to-date or properly configured. In this post I have shared the instructions that our support folks have put together for the removal of Win32/Pronny from one computer or from a network.
As mentioned, the Win32/Pronny.xx worm can spread via removable media, such as USB flash drives. When it infects a system it tries to download and execute several files from the Internet (none of them good).
Apart from being malicious, INF/Autorun.AC can also be very confusing to users of infected machines. That's because the malware will not only attempt to utilize Autorun features to execute malicious code, but it may also hide all files and folders in a network share, while at the same time replacing them with executables with the same name and icon as the files/folders which were hidden.
You can see how this might create confusion, not to mention more malicious activity. For example, if you have a Folder named “Accounting” it will be hidden and an infected/infecting executable with the same name will be made. This helps the infection load even if the Autorun feature does not: an unsuspecting user may well double-click this executable thinking it is their folder. This malware may also bait users by making executables with the following tempting names:
Adding to the confusion: If you are infected with Win32/Pronny and your antivirus is removing it, at first glance you may think that all your Files and Folders from your network shares are missing due to the changes the worm made to the file attributes. To verify that these files are still there you will need to enable viewing of not only “Hidden Files and Folders” but also “Protected Operating System Files” as well.
(Note that if you are using ESET it will call the autorun.inf files for this worm “INF/Autorun.AC” and the executables made by the malware will be called “Win32/Pronny.xx”. If you are not using ESET, the infections may be called something else.)
If you encounter this infection, the steps below will help in isolating the infection and cleaning your network (for a more detailed set of instructions check out this ESET Knowledgebase article).
Hopefully you won't have to deal with Win32/Pronny, but if you do, I hope you find these instructions helpful Of course, regardless of whether or not you have been infected by Win32/Pronny, there is one process you will want to explore: making sure Autorun is disabled on your Windows PCs. We have blogged about this on numerous occasions, including this 2010 post about Autorun/Autoplay in Windows 7, with links to helpful Windows XP and Vista patches.
With many thanks to the folks in Customer Care who provided much of the information about Win32/Pronny and its removal.
Author Stephen Cobb, ESET