The new malware based their propagation routines on njw0rm. New functions for Kjw0rm and the Sir DoOom worm Propagation Routines We’re also seeing new functions for both Kjw0rm versions and the Sir DoOom worm.įigure 4. New fields for Kjw0rm and the Sir DoOom worm The new malware added a lot more information in the Control Panel view of the malware builder, compared to that of the Njw0rm version in May 2013.įigure 3. Top: Ports for kjw0rm V2.0 and Kjw0rm 0.5x, respectively, Bottom: port for Sir DoOom w0rm Looking at Control Panels The Sir DoOom worm requires the builder to ‘Run as Administrator’ for it to work.įigure 2. Similar to Njw0rm, the new malware we found asks the attacker to assign a port to open for incoming traffic, with the default values being Port 1991, Port 1010 for kjw0rm, and Port 4000 for the Sir DoOom w0rm. The new malware are coded in Visual Basic Script, unlike its earlier version, Njw0rm, which was compiled with AutoIt. The Sir DoOoM worm was also discovered in the same site last December 2014. We discovered two versions of Kjw0rm (V2.0 and 0.5X) being shared in in January 2014 and December 2014 respectively. The leaking of Njw0rm’s source code last May 2013 in known hacking websites like and led me to the conclusion that cybercriminals found a way to leverage the worm and backdoor capabilities in Njw0rm to create new malware with added functionalities.
One of the notable topics in the forum talked about new malware “kjw0rm” (or HKTL_KJWORM) and a worm named “Sir DoOom,” (or HKTL_DOOMWORM) which both came about after the release of the Njw0rm malware source code in the same forum. (Click the image above to enlarge) Malware from Njw0rm Source Code Screenshot of the “Protection Devices” section under. Under this section was a forum written in Arabic, which may suggest that an Arabic-speaking country is behind it.įigure 1. I explored the site and found that they host malware under the “Protection Devices” section in their website. In the middle of my research on the remote access Trojan (RAT) known as “njrat” or “Njw0rm”, I stumbled upon, a site that disguises itself as a site for “IT enthusiasts” but actually hosts various downloaders, different types of spyware, and RATs.
0 kommentar(er)
