Once executed, the Prune worm copies itself as "UN_Interview.txt.vbs" to
the C:\Windows folder. It then runs three routines that spread it
via email, mIRC and the network, followed by a payload.
Email spreading
The worm uses the MS Outlook application to send itself to all contacts
listed in each address book. The infected email message looks as follows:
Subject: US Goverment Material - Iraq Crisis
Body: <empty>
Attachment: UN_Interview.txt.vbs
After the mass mailing is done the worm deletes the sent messages.
mIRC spreading
Prune attempts to spread via mIRC by checking for the mirc.ini file
in the C:\mirc folder. If the file is found, the worm tries to
send "UN_Interview.txt.vbs" when the user joins a channel.
Network spreading
The Prune worm scans a range of specific IP addresses and searches for
shared "C" drives. It maps each drive it finds as the T: drive and
tries to copy itself as "UN_Interview.txt.vbs" to the Windows
Startup folder. During this routine the worm creates a file, HCKD.txt,
in which it saves the result of the IP scanning. The specific IP
address used by the Prune worm belongs to Washington University.
Prune also creates an Autoexec.bat file on the mapped drive that simply
runs the worm code.
The worm carries the code of a picture within itself, which it drops in
the TEMP folder as Peach.jpg and opens.
The picture seems to give an answer to the question asked in the
'peach' game in the first PDF script worm Peachy. For more
information on Peachy worm see:
When the system date is the 1st of the month, the Prune worm additionally
copies itself to 39 files in the C:\UNZIPPED and C:\WINDOWS\DESKTOP
directories using several file names such as:
C:\UNZIPPED\DAMN_SOURCE.MPEG
C:\WINDOWS\DESKTOP\CUNT-EAT-CUM.MP3
C:\WINDOWS\DESKTOP\www.SEX-MOVIES2.MPEG
etc.
Then it shows a message box with the following text:
"Coming from NoWhere?!.."
"XXX - I Love pr00n.. I want Sex - XXX "
When the date is the 1st, 2nd, 3rd, 4th or 5th of the month, the Prune worm
tries to erase the files from the Windows installation folder, the Windows
System folder or the C: drive.
When the system date is the 5th of the month, Prune shows another message box:
" PATZAK worm ver 1.0"
"You have been infected by Patzak Worm v1.0 / All your data has been
earased! - Keyboard: Disabled / Mouse: Disabled / Data: EARASED(LOL!)"
Detection
F-Secure Anti-Virus detects the Prune worm with its heuristics.
[Analysis: Katrin Tocheva; F-Secure Corp.; March 12th, 2003]
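The file artifacts named in the description above can be checked against a
file listing collected from a suspect host. The following is an added example,
not part of the original analysis or of any F-Secure tool; the triage()
function, the extension lists and the sample listing are assumptions made
for illustration, and the double-extension rule generalises beyond the one
file name the worm uses.

```python
import ntpath
import re

# File names taken from the description above; compared in lower case
# because Windows paths are case-insensitive.
ARTIFACTS = {
    "un_interview.txt.vbs": "worm copy",
    "hckd.txt": "IP scan result log",
    "peach.jpg": "dropped picture",
}

# Generalisation: a document-like extension followed by a script or program
# extension, the naming trick behind "UN_Interview.txt.vbs". The extension
# lists are an assumption of this example, not taken from the description.
DOUBLE_EXT = re.compile(
    r"\.(txt|doc|pdf|jpg|gif|mp3|mpeg)\.(vbs|vbe|js|jse|wsf|wsh|bat|cmd|scr|pif|exe)$",
    re.IGNORECASE,
)

def triage(paths):
    """Return (path, reason) findings for a list of Windows file paths."""
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in ARTIFACTS:
            reason = ARTIFACTS[name]
            # Peach.jpg only matters in a TEMP folder, where the worm drops it.
            if name == "peach.jpg" and "temp" not in folder:
                continue
            # A copy in a Startup folder matches the network-spreading routine.
            if name.endswith(".vbs") and folder.endswith("startup"):
                reason += " (Startup folder: network spreading)"
            findings.append((path, reason))
        elif DOUBLE_EXT.search(name):
            findings.append((path, "deceptive double extension"))
    return findings

# Constructed sample listing (for example the output of `dir /s /b`).
SAMPLE = [
    r"C:\WINDOWS\UN_Interview.txt.vbs",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\un_interview.txt.vbs",
    r"C:\WINDOWS\TEMP\Peach.jpg",
    r"C:\My Documents\Peach.jpg",
    r"C:\WINDOWS\HCKD.txt",
    r"C:\My Documents\invoice.doc.js",
    r"C:\My Documents\notes.txt",
]
```

Calling triage(SAMPLE) reports five of the seven constructed paths; the Peach.jpg outside TEMP and notes.txt are not flagged.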