Two new malware families from the leaked Njw0rm RAT code

The source code of the Njw0rm RAT (remote access Trojan) was leaked in May 2013 through a software-hosting website, and it is believed to have served as a starting point for malicious developers building new malware.

Figure: Njw0rm RAT timeline

Kjw0rm (v2.0 and v0.5x) and Sir DoOom, both currently in circulation, share many similarities with Njw0rm RAT, also known as njrat.

Although the two new malware families are written in Visual Basic Script while the original was built with AutoIt, the similarities are hard to ignore, such as the propagation method they use.

Michael Marcos, a Trend Micro researcher, reports that all three malware families infect the computer through removable devices and create shortcuts that look like ordinary folders but point to the malware.

However, Sir DoOom also creates a set of decoy folders (videos, photos, movies, games, and DCIM) that lead to malicious executables. Kjw0rm, on the other hand, simply hides the real folders in the root of the removable storage device and creates shortcuts that point to them.
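A defender-side triage check for the lure described above, written as an added example (it is not the article's or Trend Micro's code): it scans a removable-drive root for shortcuts that shadow a sibling folder of the same name, or that carry one of the decoy folder names reported for Sir DoOom. The sample drive layout is constructed inline; the hidden-attribute check only takes effect on Windows.

```python
"""Triage a removable-drive root for folder-lookalike shortcuts.

Heuristics (constructed for this example, not taken from the malware):
  1. A *.lnk whose name matches a directory at the same level
     (Kjw0rm style: real folder hidden, shortcut shown in its place).
  2. A *.lnk whose name is one of the decoy folders the report
     attributes to Sir DoOom (videos, photos, movies, games, DCIM).
"""
import stat
import tempfile
from pathlib import Path

DECOY_NAMES = {"videos", "photos", "movies", "games", "dcim"}  # from the report


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows, dot-prefix on POSIX; False otherwise."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_drive_root(root: str) -> list:
    """Return one finding per suspicious shortcut in the drive root."""
    root_path = Path(root)
    dirs = {p.name.lower(): p for p in root_path.iterdir() if p.is_dir()}
    findings = []
    for lnk in root_path.glob("*.lnk"):
        stem = lnk.stem.lower()
        reasons = []
        if stem in dirs:  # shortcut named like a folder that exists beside it
            hidden = " (hidden)" if is_hidden(dirs[stem]) else ""
            reasons.append("shortcut shadows a sibling folder" + hidden)
        if stem in DECOY_NAMES:
            reasons.append("name matches a known decoy folder")
        if reasons:
            findings.append({"shortcut": lnk.name, "reasons": reasons})
    return findings


def build_sample_drive() -> str:
    """Constructed layout mimicking an infected drive; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Photos").mkdir()        # victim's real folder
    (root / "Photos.lnk").touch()    # lure placed where the folder was
    (root / "DCIM.lnk").touch()      # decoy name with no real folder behind it
    (root / "Report.lnk").touch()    # ordinary shortcut, should not be flagged
    (root / "Work").mkdir()          # folder with no shadowing shortcut
    return str(root)


if __name__ == "__main__":
    for finding in scan_drive_root(build_sample_drive()):
        print(finding["shortcut"], "->", "; ".join(finding["reasons"]))
```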

The evolution is evident in both the Kjw0rm and Sir DoOom variants, as more information is available in the malware's control panel: the operator can check installed security products, .NET versions, and system information (CPU, GPU, product ID and OS key).

The feature set has also grown: both include management functions (close, uninstall, restart), a remote shell, and the ability to download and run files. In the case of Sir DoOom, the developers also added a complete Bitcoin miner.

Both Kjw0rm and Sir DoOom have built-in anti-VM checks that can detect virtual machines. When such an isolated environment is detected, the malware simply uninstalls itself and stops its activity, making analysis by security researchers more difficult.

Michael Marcos advises treating all removable drives that come from suspicious or untrusted sources with caution. He also recommends checking any shortcuts that appear to point to legitimate folders, since these can indicate malicious activity on your computer.


Written by Dimitris
