Evolved versions of the kjw0rm and Sir DoOoM malware are being developed on a bogus 'computer enthusiast site', according to researchers at Trend Micro.
Michael Marcos, threat response engineer at Trend Micro, said in a blog post that he uncovered the malware while examining the Arabic language dev-point.com forum.
"One of the notable topics in the forum talked about new malware 'kjw0rm' and a worm named 'Sir DoOom,' which both came about after the release of the Njw0rm malware source code in the same forum," he explained.
Njw0rm's source code was leaked in May 2013. The evolved kjw0rm is currently available in two versions, both of which have more advanced infection and propagation mechanisms than the original.
The first, kjw0rm V2.0, appeared on the forum in January 2014, while the updated V0.5X version and the new Sir DoOoM malware followed in December.
The V2.0 malware is the most basic of the three and reportedly hides itself in bogus files within infected systems.
"The propagation method of this malware targets all folders in the root directory of the removable drive," the blog post explained.
V0.5X uses a more developed version of the same tactic and adds code obfuscation, while Sir DoOoM adds an anti-virtual machine check.
"[V0.5X] obfuscated some portions of the malware code. The malware author utilises an obfuscator tool that converts characters to hex values, adds filler functions, and performs computations that make analysis more difficult and time-consuming," explained Marcos.
"[Sir DoOoM] also has an anti-virtual machine routine. It first searches for a list of the installed programs in the affected computer.
"If this variant found itself in a computer where a virtual machine program is installed, it will uninstall and terminate itself from the affected system. This prevents analysts from testing to determine malware behaviour."
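The obfuscation Marcos describes (characters turned into hex values, arithmetic inside the character calls, and filler functions that are never really needed) is exactly what an analyst strips before reading a VBScript sample. The script below is an added example, not code from the Trend Micro post or from kjw0rm; it assumes the obfuscator emits VBScript `Chr(&H..)` calls joined with `&` and unused `Function`/`Sub` blocks, and it runs on a constructed sample embedded inline rather than on real malware.

```python
import re

# Constructed sample in the style the article describes: hex-encoded characters,
# arithmetic inside Chr(), and a chain of filler functions nobody calls. It is
# NOT kjw0rm code; decoded, it only launches an empty "cmd /c".
SAMPLE = '''Function fillerA(x)
    fillerA = x * 3
End Function

Function fillerB(y)
    fillerB = fillerA(y) + 1
End Function

Set sh = CreateObject(Chr(&H57) & Chr(&H53) & Chr(&H63) & Chr(&H72) & Chr(&H69) & Chr(&H70) & Chr(&H74) & Chr(&H2E) & Chr(&H53) & Chr(&H68) & Chr(&H65) & Chr(&H6C) & Chr(&H6C))
sh.Run Chr(&H63 + 0) & Chr(&H6D) & Chr(&H64) & Chr(100 - 68) & Chr(&H2F) & Chr(&H63)
'''

# Chr(<constant expression>) with no nested parentheses (Chr(Asc("a")) is out of scope).
CHR_CALL = re.compile(r'\bChr\(\s*([^()]*?)\s*\)', re.IGNORECASE)
NUM_OR_OP = re.compile(r'&H[0-9A-Fa-f]+|\d+|[+\-*]')
CONCAT = re.compile(r'"\s*&\s*"')  # the `" & "` glue between two string literals
PROC_BLOCK = re.compile(
    r'^[ \t]*(?:Function|Sub)[ \t]+(\w+)\b.*?^[ \t]*End[ \t]+(?:Function|Sub)[ \t]*$\n?',
    re.IGNORECASE | re.DOTALL | re.MULTILINE)


def eval_arith(expr):
    """Evaluate a VBScript constant made of &H.. hex literals, decimal literals
    and + - *. Nothing is passed to eval(); unknown tokens raise ValueError."""
    tokens = NUM_OR_OP.findall(expr)
    if ''.join(tokens) != re.sub(r'\s+', '', expr):
        raise ValueError(f'unsupported expression: {expr!r}')

    def to_int(tok):
        return int(tok[2:], 16) if tok[:2].upper() == '&H' else int(tok)

    folded, i = [], 0            # pass 1: fold multiplications (higher precedence)
    while i < len(tokens):
        if tokens[i] == '*':
            folded[-1] = folded[-1] * to_int(tokens[i + 1])
            i += 2
            continue
        folded.append(tokens[i] if tokens[i] in ('+', '-') else to_int(tokens[i]))
        i += 1
    total, sign = 0, 1           # pass 2: left-to-right addition and subtraction
    for tok in folded:
        if tok == '+':
            sign = 1
        elif tok == '-':
            sign = -1
        else:
            total += sign * tok
            sign = 1
    return total


def decode_chr_calls(script):
    """Replace every Chr(expr) with the equivalent quoted literal ('"' is doubled as in VBScript)."""
    def repl(m):
        ch = chr(eval_arith(m.group(1)))
        return '"' + ch.replace('"', '""') + '"'
    return CHR_CALL.sub(repl, script)


def merge_literals(script):
    """Collapse "a" & "b" & "c" into "abc" so strings read as the author wrote them."""
    return CONCAT.sub('', script)


def strip_unreferenced_procs(script):
    """Drop procedures whose name is never used outside their own body. Repeats until
    stable, so filler functions that only call each other are removed as a chain."""
    while True:
        for m in PROC_BLOCK.finditer(script):
            rest = script[:m.start()] + script[m.end():]
            if not re.search(r'\b' + re.escape(m.group(1)) + r'\b', rest, re.IGNORECASE):
                script = rest
                break
        else:
            return script


def deobfuscate(script):
    return strip_unreferenced_procs(merge_literals(decode_chr_calls(script)))


if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Running it on the sample yields two readable lines, `Set sh = CreateObject("WScript.Shell")` and `sh.Run "cmd /c"`, with both filler functions gone. The arithmetic is evaluated by a small token walker rather than `eval()`, because a deobfuscator that executes attacker-controlled expressions defeats the point of static analysis.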
Trend Micro senior engineer Bharat Mistry told V3 that the variants are dangerous as they add several advanced functions.
"Previous versions were there mainly for password stealing from browsers. As the malware has evolved, after the initial infections it now has the ability to download and execute Visual Basic code [VBS]," he said.
"VBS is a powerful coding language and can be used to interact directly with the operating system on the infected device.
"Also it now has the ability to recognise if it is being used in a security testing environment known as a sandbox by looking for the presence of a virtual machine.
"Finally the replication has also advanced with the use of hidden files on removable storage devices such as USB sticks."
He added that the new powers could be used to mount a variety of attacks.
"The malware can be used to perform a number of different functions, including download, installation and execution of additional files or tools to potentially gain administrator or privilege credentials," he said.
"Once this is gained hackers then have the ability to move laterally in the organisation and start looking for crown jewels or simply advertise that a point of presence has been created in an organisation that could then be 'rented' out to perform attacks, such as DDoS."