The source code of the Njw0rm RAT (remote access Trojan) leaked in May 2013 from a malicious web site and is believed to have been used as a starting point by malicious developers to create new malware.
Kjw0rm (v2.0 and v0.5x) and Sir DoOom, both now in circulation, have many similarities to Njw0rm RAT, also known as njrat.
Despite the fact that the two newer malware families are written in Visual Basic Script while the prototype was built with AutoIt, there are similarities one cannot ignore, such as the propagation method they use.
Michael Marcos, a Trend Micro researcher, reports that all three malware families infect the computer through removable devices and create shortcut icons that look like ordinary folders but actually point to the malware.
Sir DoOom goes further and creates a set of folders (videos, photos, movies, games, and DCIM) that lead to malicious executables. Kjw0rm, on the other hand, simply hides the real folders in the root of the removable storage device and creates links that lead to them.
The evolution is evident in both the Kjw0rm and Sir DoOom variants, as more information is available in the malware control panel. It is possible to check installed security products (antivirus, firewall), .NET versions, as well as system information (CPU, GPU, product ID and OS key).
The feature set has also grown: both include management functions (close, uninstall, restart), a remote shell, and the ability to download and run files. In the case of Sir DoOom, the developers also added a complete Bitcoin miner.
Both Kjw0rm and Sir DoOom have built-in anti-analysis mechanisms that can detect virtual machines. When such an isolated environment is detected, the malware simply removes its installation and shuts down its activity, making it more difficult for security researchers to detect.
Michael Marcos advises users to beware of any removable drive that comes from a suspicious or untrustworthy source. He also recommends checking every shortcut that appears to lead to a legitimate folder, since such shortcuts would be an indication of malicious activity on your computer.
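A defender-side check for the propagation trick described above (hidden real folders shadowed by same-named shortcuts, and decoy folder names such as videos or DCIM), written as an added example for this page and not code from Trend Micro's report. The `Entry` record, the `scan_root` helper and the decoy-name list are this example's own assumptions; the hidden attribute is read on Windows and approximated by a leading dot elsewhere.

```python
import os
import stat
from dataclasses import dataclass

# Folder names the article lists for Sir DoOom's decoy folders (assumed set for this example).
DECOY_NAMES = {"videos", "photos", "movies", "games", "dcim"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    is_hidden: bool


def scan_root(path):
    """Build Entry records for the root of a removable drive.
    The hidden attribute is read from st_file_attributes on Windows; on other
    platforms a leading dot is used as an approximation (example assumption)."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)) or e.name.startswith(".")
            entries.append(Entry(e.name, e.is_dir(follow_symlinks=False), hidden))
    return entries


def find_shortcut_decoys(entries):
    """Return (shortcut name, reason) for .lnk files in the drive root that
    shadow a folder of the same name or use a known decoy folder name."""
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    findings = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()
        if stem in dirs:
            reason = "shortcut shadows a hidden folder" if dirs[stem].is_hidden else "shortcut shadows a folder"
            findings.append((e.name, reason))
        elif stem in DECOY_NAMES:
            findings.append((e.name, "shortcut uses a decoy folder name with no matching folder"))
    return findings


# Constructed sample listing of a drive root, as Kjw0rm/Sir DoOom might leave it.
SAMPLE_ROOT = [
    Entry("Photos", True, True),        # real folder, hidden by the worm
    Entry("Photos.lnk", False, False),  # shortcut shadowing it
    Entry("Games.lnk", False, False),   # decoy name, no such folder
    Entry("report.docx", False, False),
    Entry("Work", True, False),
]

if __name__ == "__main__":
    for name, reason in find_shortcut_decoys(SAMPLE_ROOT):
        print(f"{name}: {reason}")
```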