Pramro and Sality – two PEs in a pod

The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008.

There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramro. For example, let’s examine one of the encrypted files which is currently downloaded by a variant of Worm:Win32/Sality.AU from the host ‘’. If we apply the key ‘GdiPlus.dll’ and a modified RC4 algorithm, the resultant output is a PE file. This file is detected as TrojanProxy:Win32/Pramro.F.

Image 1 - View of Pramro using a file viewer utility

Examining this particular Win32/Pramro variant, we can see that it employs the same key and decryption algorithm as this Win32/Sality variant.

 Pramro decryption algorithm
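For analysts triaging a downloaded blob, the check described above (decrypt with the known key, then test whether the output is a PE file) can be sketched as follows. This is an added example, not code from the original post or from the malware: the post does not describe how the RC4 algorithm was modified, so textbook RC4 stands in for it as an assumption, and the sample input is constructed.

```python
import struct

KEY = b"GdiPlus.dll"  # key string quoted in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); an assumption, the post's modified variant is undocumented."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """Check the DOS 'MZ' magic, an in-bounds e_lfanew, and the 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 4 > len(buf):
        return False
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(blob: bytes, key: bytes = KEY) -> dict:
    """Report whether the blob parses as a PE as-is and after decryption."""
    plain = rc4(key, blob)
    return {"pe_before": looks_like_pe(blob), "pe_after": looks_like_pe(plain), "decrypted": plain}


def constructed_sample() -> bytes:
    """Constructed input: a bare DOS header plus PE signature, RC4-encrypted with KEY."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew points at offset 0x80
    stub = bytes(dos) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18
    return rc4(KEY, stub)


if __name__ == "__main__":
    print(triage(constructed_sample())["pe_after"])
```

Because the real samples use a modified RC4, a `pe_after` of `False` on a live blob does not rule out this key; it only means the stand-in cipher did not match.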

Looking closely at some detection statistics from MSRT, we observe that variants of Win32/Pramro have been reported on 104,120 unique machines during the first week of release. The majority of the affected machines were running Windows XP (81.8%), followed by Windows 7 (12.9%). For the machines which reported a variant of Win32/Pramro, the prevalence distribution of all detections reported by MSRT is listed in the following table. As expected, the connection to Win32/Sality is supported by our data.

Table 1 - MSRT detection statistics

The geographical breakdown of machines which reported a Win32/Pramro variant appears as:

Table 2 - Geographic distribution of Pramro

Interestingly, the top reported file (MD5: 543b96731b80fc30a7583bd22cd0d567, SHA1: 1B9E07EAAF512DA72850612AC6D41207D4340E3C) was reported on 76,690 unique machines. This appears to be the most current variant of Win32/Pramro. It was first reported in the wild from our customers in the first week of January 2012 and the encrypted copy is still available at location(s) used by Win32/Sality. This suggests that MSRT was cleaning computers with an active Win32/Pramro infection.

Scott Molenkamp
MMPC, Melbourne