HKTL_DOOMWORM

This mew malware is related to the release of the Njw0rm malware source code found in early January 2015.

To get a one-glance comprehensive view of the behavior of this Hacking Tool, refer to the Threat Diagram shown below.

This hacking tool may be manually installed by a user.

Arrival Details

This hacking tool may be manually installed by a user.

NOTES:

This hacking tool listens on a user-specified port. It monitors the following information:

• Computer Name
• Country
• Firewall
• Hack date
• Installed antivirus
• Installed CPU and GPU
• IP address
• Malware version
• Operating system version
• Presence of removable drives
• Processor ID
• Product name, ID, and key
• RAM
• User name
• Victim's infection ID

It may perform the following actions:

• DDoS attack
• Computer shutdown, restart, log off
• Message via message box
• Bitcoin-mining
• Open http://www.{BLOCKED}equran.org
• Uninstall worm (Built by this hacking tool builder)
• Build .vbs worm malware

The behavior of the built malware depends on the specified option of the builder:

It connects to the specified IP and port. It may drop a shortcut file that points to a copy of itself in any of the following:

• %User Temp%\{Install Folder}\{Install Name}-DoOoM.lnk
• %Application Data%\{Install Folder}\{Install Name}-DoOoM.lnk
• %User Profile%\{Install Folder}\{Install Name}-DoOoM.lnk

It may drop a copy of itself in any of the following locations:

• %User Temp%\{Install Folder 2}\{Install Name}-DoOoM.vbs
• %Application Data%\{Install Folder 2}\{Install Name}-DoOoM.vbs
• %User Profile%\{Install Folder 2}\{Install Name}-DoOoM.vbs

The built malware may perform the following actions on the affected system.

• Force terminate the following Processes:
  • SpyTheSpy.exe
  • TiGeR-Firewall.exe
  • bavtray.exe
• Check if running under virtual machine
• Create a shortcut that will go to a specified url at every system startup
• Hide itself
• Propagate via Removable