Classification

Category :

Malware

Type :

Worm

Aliases :

Prune, Iraq Crisis, UN_Interview

Summary

Prune is a Visual Basic Script worm which spreads via email, mIRC and network shares.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Prune.A

Once executed the Prune worm copies itself as "UN_Interview.txt.vbs" in C:\Windows folder. Then it runs three routines that will spread it via email, mIRC and network followed by a payload.

Email spreading

The worm uses MS Outlook application to spread to all contacts listed in each address book. The infected email message looks as follows:

Subject: US Goverment Material - Iraq Crisis
Body: [empty]
Attachment: UN_Interview.txt.vbs

After the mass mailing is done the worm deletes the sent messages.

mIRC spreading

Prune attempts to spread via mIRC by checking for the presence of mirc.ini file in C:\mirc folder and if such is found it tries to send "UN_Interview.txt.vbs" when the user joins a channel.

Network spreading

Prune worm scans a range of specific IP addresses and searches for shared "C" drives. For each such found drive the worm maps it as T: drive and tries to copies itself as "UN_Interview.txt.vbs" in Windows Startup folder. During this routine the worm creates a file HCKD.txt in which it saves the result of the IP scanning. The specific IP address used by Prune worm belongs to Washington University.

Prune also creates Autoexec.bat file on the mapped drive that simply runs the worm code.

The worm carries within itself the code of a picture, which it drops in TEMP folder as Peach.jpg and opens it.

The picture seems to give an answer to the question asked in the 'peach' game in the first PDF script worm Peachy. For more information on Peachy worm see:

https://www.f-secure.com/v-descs/pdf.shtml

Payload

When the system date is 1st of the month, Prune worm copies itself additionally in 39 files on C:\UNZIPPED and C:\WINDOWS\DESKTOP directories using several file names such as:

C:\UNZIPPED\DAMN_SOURCE.MPEG
C:\WINDOWS\DESKTOP\CUNT-EAT-CUM.MP3
C:\WINDOWS\DESKTOP\www.SEX-MOVIES2.MPEG
etc.

Then it shows a message box with the following text:

"Coming from NoWhere?!.."
"XXX - I Love pr00n.. I want Sex - XXX "

When the date is 1st, 2nd, 3rd, 4th or 5th of the month Prune worm tries to erase the files from Windows installation folded, Windows System folder or from the C: drive.

When the system date is 5th of the month Prune shows another message box:

" PATZAK worm ver 1.0"
"You have been infected by Patzak Worm v1.0 / All your data has been
earased! - Keyboard: Disabled / Mouse: Disabled / Data: EARASED(LOL!)"

F-Secure Anti-Virus detects Prune worm with the heuristics.