Two new pieces of malware built on the leaked Njw0rm source, kjw0rm and the Sir DoOoM worm, are being developed on a bogus 'computer enthusiast' site, according to researchers at Trend Micro.
Michael Marcos, threat response engineer at Trend Micro, said in a blog post that he uncovered the malware while examining the Arabic language dev-point.com forum.
"One of the notable topics in the forum talked about new malware 'kjw0rm' and a worm named 'Sir DoOom,' which both came about after the release of the Njw0rm malware source code in the same forum," he explained.
Njw0rm's source code was leaked in May 2013. kjw0rm is currently available in two versions, both with more advanced infiltration and infection mechanisms than the original.
kjw0rm V2.0 first appeared on the forum in January 2014; the updated V0.5X and the new Sir DoOoM worm followed that December.
V2.0 is the most basic of the three and reportedly hides itself in bogus files on infected systems.
"The propagation method of this malware targets all folders in the root directory of the removable drive," the blog post explained.
V0.5X uses a more developed version of the same propagation tactic and obfuscates its code, while Sir DoOoM adds an anti-virtual machine routine.
"[V0.5X] obfuscated some portions of the malware code. The malware author utilises an obfuscator tool that converts characters to hex values, adds filler functions, and performs computations that make analysis more difficult and time-consuming," explained Marcos.
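The hex-to-character encoding Marcos describes is cheap to apply and cheap to reverse. The Python below is an added illustration for this article, not code from Trend Micro or from the malware: it turns chains of VBScript Chr() calls whose arguments are hex literals (or small arithmetic on them) back into string literals, then drops Function/Sub blocks that nothing else references, which is what the "filler functions" look like to a reader. The exact obfuscator output is not shown in the post, so the syntax targeted here (Chr(&Hxx) joined with &) and the sample script are assumptions made for this example.

```python
import re

# Numeric literal as VBScript writes it: hex (&H41) or decimal (65).
NUM = r'(?:&H[0-9A-Fa-f]+|\d+)'
# One Chr() argument: a literal, optionally combined with + - * (the
# "computations" the post mentions; the exact form is an assumption here).
ARG = NUM + r'(?:\s*[+\-*]\s*' + NUM + r')*'
CHR_CALL = re.compile(r'Chr\(\s*(' + ARG + r')\s*\)', re.I)
# A run of Chr() calls joined by the VBScript concatenation operator '&'.
CHR_CHAIN = re.compile(CHR_CALL.pattern + r'(?:\s*&\s*' + CHR_CALL.pattern + r')*', re.I)
# A whole Function/Sub block, used to find filler routines nothing references.
ROUTINE = re.compile(r'^[ \t]*(Function|Sub)\s+(\w+)\b.*?^[ \t]*End\s+\1[ \t]*$',
                     re.I | re.M | re.S)


def _vb_int(tok: str) -> int:
    return int(tok[2:], 16) if tok[:2].upper() == '&H' else int(tok)


def eval_arg(arg: str) -> int:
    """Evaluate a restricted expression of literals and + - * ('*' binds tighter)."""
    tokens = re.findall(r'&H[0-9A-Fa-f]+|\d+|[+\-*]', arg, re.I)
    total, term, sign = 0, None, 1
    for tok in tokens:
        if tok in ('+', '-'):
            total += sign * term
            term, sign = None, (1 if tok == '+' else -1)
        elif tok != '*':
            val = _vb_int(tok)
            term = val if term is None else term * val
    return total + sign * term


def decode_chr_chains(code: str) -> str:
    """Replace every chain of Chr() calls with the equivalent quoted string."""
    def to_literal(m):
        values = [eval_arg(a) for a in CHR_CALL.findall(m.group(0))]
        if any(not 0 <= v <= 255 for v in values):
            return m.group(0)          # not a plain byte string; leave it for a human
        text = ''.join(chr(v) for v in values)
        return '"' + text.replace('"', '""') + '"'   # VBScript escapes " as ""
    return CHR_CHAIN.sub(to_literal, code)


def strip_unreferenced_routines(code: str) -> str:
    """Remove Function/Sub blocks whose name appears nowhere outside their own body."""
    while True:
        dead = []
        for m in ROUTINE.finditer(code):
            rest = code[:m.start()] + code[m.end():]
            if not re.search(r'\b' + re.escape(m.group(2)) + r'\b', rest, re.I):
                dead.append(m)
        if not dead:
            return re.sub(r'\n{3,}', '\n\n', code).strip() + '\n'
        for m in reversed(dead):       # delete from the end so offsets stay valid
            code = code[:m.start()] + code[m.end():]


def deobfuscate(code: str) -> str:
    return strip_unreferenced_routines(decode_chr_chains(code))


# Constructed sample written for this example, in the style the post describes:
# strings as hex Chr() chains plus an unused filler function. Not the malware's code.
SAMPLE = r'''
Function zx9(a, b)
    zx9 = a * 7 + b
End Function

Function q1()
    q1 = Chr(&H57) & Chr(&H53) & Chr(&H63) & Chr(&H72) & Chr(&H69) & Chr(&H70) & Chr(&H74) & Chr(&H2E) & Chr(&H53) & Chr(&H68) & Chr(&H65) & Chr(&H6C) & Chr(&H6C)
End Function

Set sh = CreateObject(q1())
sh.Run Chr(&H63) & Chr(&H6D) & Chr(&H64) & Chr(&H20) & Chr(&H2F) & Chr(&H63) & Chr(&H20) & Chr(&H65) & Chr(&H63) & Chr(&H68) & Chr(&H6F), 0
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

On the sample this yields a three-line script that creates a WScript.Shell object and runs "cmd /c echo". Real samples of this kind usually add an Execute() stage over the rebuilt string, so decoding the literals is the first pass rather than the last; the routine-stripping pass is deliberately conservative and only removes blocks whose name is never mentioned anywhere else.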
"[Sir DoOoM] also has an anti-virtual machine routine. It first searches for a list of the installed programs in the affected computer.
"If this variant found itself in a computer where a virtual machine program is installed, it will uninstall and terminate itself from the affected system. This prevents analysts from testing to determine malware behaviour."
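The anti-VM routine described in the two preceding quotes keys off the list of installed programs rather than off hardware artefacts. The Python below is an added illustration, not Trend Micro's analysis code or the malware's own: it reproduces the decision on the analyst's side by reading the installed-program list from the Windows Uninstall registry keys (when run on Windows; elsewhere it falls back to a constructed sample) and reporting which entries a marker-based check of this kind would match. The marker strings are assumed, since the post does not say exactly what Sir DoOoM searches for.

```python
try:
    import winreg            # present on Windows only
except ImportError:          # Linux/macOS: the registry lookup is skipped
    winreg = None

# Product-name fragments a check of this kind would plausibly look for. The post
# does not list the exact strings; these are assumed, commonly installed guest tools.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "parallels", "qemu", "xen", "hyper-v", "virtual pc")

# Where Windows records installed programs (each subkey carries a DisplayName value).
UNINSTALL_PATHS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def installed_programs_from_registry():
    """Return the DisplayName of every entry under the Uninstall keys (empty off Windows)."""
    names = []
    if winreg is None:
        return names
    for path in UNINSTALL_PATHS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:            # no more subkeys
                    break
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as entry:
                        names.append(str(winreg.QueryValueEx(entry, "DisplayName")[0]))
                except OSError:            # entry without a DisplayName value
                    pass
    return names


def vm_indicators(names):
    """Installed-program names that a marker-based anti-VM check would match."""
    return [n for n in names if any(marker in n.lower() for marker in VM_MARKERS)]


def would_trigger_self_uninstall(names):
    """The decision as the post describes it: any match and the sample removes itself."""
    return bool(vm_indicators(names))


# Constructed sample of what a sandbox's program list might look like (not real data).
SAMPLE_INSTALLED = [
    "Oracle VM VirtualBox Guest Additions 4.3.12",
    "VMware Tools",
    "Mozilla Firefox 34.0.5 (x86 en-US)",
    "Microsoft .NET Framework 4.5.1",
    "Python 2.7.8",
]

if __name__ == "__main__":
    names = installed_programs_from_registry() or SAMPLE_INSTALLED
    print("matched:", vm_indicators(names))
    print("this sample would self-uninstall:", would_trigger_self_uninstall(names))
```

Run inside the analysis VM before detonating a sample: any name it prints is a reason the sample will uninstall itself and show nothing. The usual remedies are to remove or rename the guest-tools entries the check keys on, or to detonate on hardware the routine cannot identify.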
Trend Micro senior engineer Bharat Mistry told V3 that the variants are dangerous as they add several advanced functions.
"Previous versions were there mainly for password stealing from browsers. As the malware has evolved, after the initial infections it now has the ability to download and execute Visual Basic code [VBS]," he said.
"VBS is a powerful coding language and can be used to interact directly with the operating system on the infected device.
"Also it now has the ability to recognise if it is being used in a security testing environment known as a sandbox by looking for the presence of a virtual machine.
"Finally the replication has also advanced with the use of hidden files on removable storage devices such as USB sticks."
He added that the new powers could be used to mount a variety of attacks.
"The malware can be used to perform a number of different functions, including download, installation and execution of additional files or tools to potentially gain administrator or privilege credentials," he said.
"Once this is gained hackers then have the ability to move laterally in the organisation and start looking for crown jewels or simply advertise that a point of presence has been created in an organisation that could then be 'rented' out to perform attacks, such as DDoS."