Its source code Njw0rm RAT (remote access Trojan) leaked in May of 2013 from a malicious web site that is believed to have been used as a starting point by malicious developers to create new malware.
Kjw0rm (v2.0 and v0.5x) and Sir DoOom in circulation have many similarities to Njw0rm RAT, also known as njrat.
Although the two malware have been deployed in Visual Basic Script and the original was built with AutoIt, there are similarities that one can not ignore, such as the multiplier method they use.
Michael Marcos, a Trend Micro researcher, reports that all three malware infect the computer through removable devices and create shortcut icons for normal folders that lead to malware.
However, Sir DoOom also creates a set of folders (videos, photos, movies, games, and DCIM) that lead to malicious executables. Kjw0rm, on the other hand, simply hides the folders in the root of the removable storage device and creates links that lead to them.
Evolution is evident in both Kjw0rm and Sir DoOom, as more information is available on the malware control panel. There is the ability to control installed security products (antivirus, firewall), .NET versions, and system information (CPU, GPU, product ID, and operating key)
The malware features have increased since they also have management software (close, uninstall, restart), run remote shell, download and run files. In the case of Sir DoOom, developers also added a complete Bitcoin miner.
Both Kjw0rm and Sir DoOom have built-in anti-resolution mechanisms that can detect virtual machines. When such an isolated environment is detected, malware simply removes the installation and shuts down its activity, making it more difficult for security researchers to detect.
Michael Marcos takes care of all available removable drives that come from suspicious or unreliable sources. It also needs control over all the shortcuts that seem to lead to legitimate envelopes. This would indicate malicious activity on your computer.