The source code of the Njw0rm RAT (remote access Trojan) was leaked in May 2013 on a website that hosts malware, and it is believed to have served as a launching pad for malicious developers to create new malware.
Kjw0rm (v2.0 and v0.5x) and Sir DoOom, both currently in circulation, share many similarities with Njw0rm RAT, also known as njRAT.
Although the two newer variants are written in Visual Basic Script while the original was built with AutoIt, there are similarities that cannot be ignored, such as the method they use to spread.
Michael Marcos, a Trend Micro researcher, reports that all three malware families infect the computer through removable devices and create shortcut icons for normal folders that actually lead to the malware.
Sir DoOom, however, creates its own set of folders (videos, photos, movies, games, and DCIM) that lead to malicious executables. Kjw0rm, on the other hand, simply hides the folders present at the root of the removable storage device and creates shortcuts that lead to them.
Development is evident in both variants, Kjw0rm and Sir DoOom, as more information is available in the malware's control panel. The operator can check the installed security products (antivirus, firewall), the .NET versions present, and system information (CPU, GPU, product ID and operating system key).
The capabilities of the malware have also grown: both include management functions (close, uninstall, restart), can run a remote shell, and can download and execute files. In the case of Sir DoOom the developers also added a complete Bitcoin miner.
Both Kjw0rm and Sir DoOom have built-in anti-analysis mechanisms that can detect virtual machines. When such an isolated environment is detected, the malware simply uninstalls itself and terminates its activity, making analysis by security researchers more difficult.
Michael Marcos advises caution with all removable drives that come from suspicious or unreliable sources. He also recommends checking any shortcuts that appear to lead to legitimate folders, since these could indicate malicious activity on your computer.
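The shortcut check recommended above can be automated. The script below is an added example, not code from Trend Micro or the article: it lists the root of a removable drive and flags .lnk files that either shadow a hidden folder of the same name (the Kjw0rm pattern) or carry one of the lure folder names the article attributes to Sir DoOom; the hidden-attribute check is an assumption and only works on Windows.

```python
import os
import stat
from dataclasses import dataclass

# Folder names the article says Sir DoOom uses as lures (lower-cased).
LURE_NAMES = {"videos", "photos", "movies", "games", "dcim"}


@dataclass
class Entry:
    name: str      # file or folder name at the drive root
    is_dir: bool
    hidden: bool   # Windows "hidden" attribute


def is_hidden(path):
    """Hidden attribute via st_file_attributes (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_entries(entries):
    """Return (shortcut, reason) pairs for .lnk files that imitate folders.

    Kjw0rm hides the real folders and drops a same-named shortcut beside them;
    Sir DoOom drops shortcuts with generic media folder names.
    """
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    findings = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        base = e.name[:-4].lower()
        if base in dirs and dirs[base].hidden:
            findings.append((e.name, f"shortcut shadows hidden folder '{dirs[base].name}'"))
        elif base in LURE_NAMES:
            findings.append((e.name, "shortcut uses a known lure folder name"))
    return findings


def scan_drive_root(root):
    """Scan a real drive root (for example the root of a mounted USB stick)."""
    entries = [Entry(n, os.path.isdir(os.path.join(root, n)), is_hidden(os.path.join(root, n)))
               for n in os.listdir(root)]
    return scan_entries(entries)


def sample_drive():
    """Constructed listing of an infected USB stick root (not real data)."""
    return [Entry("Thesis", True, True), Entry("Thesis.lnk", False, False),
            Entry("Photos.lnk", False, False), Entry("Notes", True, False),
            Entry("Notes.lnk", False, False), Entry("report.docx", False, False)]
```

On the constructed listing, "Thesis.lnk" and "Photos.lnk" are flagged while "Notes.lnk", which sits beside a visible folder, is left alone.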