Vjw0rm is a worm that infects accessible removable storage devices, such as a USB flash drive. It can also execute instructions it receives from a command and control (C&C) server, and stay persistent on the infected machine.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The Vjw0rm worm is a malicious JavaScript file that spreads by creating copies of itself on accessible removable storage devices.
While active, the worm sends a network request to its C&C server every 7 seconds, providing information about the infected machine and awaiting additional instructions from its operator(s). If it receives instructions, the worm can execute them on the infected machine.
This worm can arrive on a computer in several ways:
Once it is present on a computer, the worm can propagate or spread copies of its malicious file by infecting removable storage devices that are inserted and accessible. It does so by performing the following set of actions every 7 seconds:
In addition to propagating itself to maintain its presence, the worm can remain persistent on the infected machine in several ways:
Vjw0rm contacts a remote C&C server to provide its operator(s) with information about the infected machine, as well as to retrieve any additional instructions they may issue.
Every 7 seconds, the worm sends a POST request with a custom User-Agent to its C&C server. This allows the worm's operator(s) to identify which infected machines are online (and so are available to receive commands), as well as providing some basic information about the machines.
The request can be defined as:
POST [host]:[port]/Vre
User-Agent: [tag]\[logicaldiskserialnum]\[computername]\[username]\[osnamever]\[avdisplayname]\\[vbc_exist]\[prev_infected]\
Where the variables are:
An example of the POST request:
POST 94[.]237[.]68[.]129[:]2828/Vre
User-Agent: HookKernel_A8D34214\MYCOMPUTER\Joe\Microsoft Windows 7 Professional\undefined\\YES\FALSE\
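Detection logic for the beacon described above, as an added example that is not part of the original description or of any F-Secure product: it scans proxy log lines for POST requests to /Vre whose User-Agent has the backslash-delimited layout and which repeat about every 7 seconds. The tab-separated log format, the 1.5-second tolerance, the function names and the sample addresses are assumptions; the leading tag and disk serial are kept as one identifier because the example request joins them with an underscore.

```python
from collections import defaultdict
from urllib.parse import urlsplit

BEACON_PATH = "/Vre"   # request path given on this page
BEACON_PERIOD = 7.0    # seconds between requests, per this page
TOLERANCE = 1.5        # assumed allowance for jitter and timestamp rounding

def parse_user_agent(ua):
    """Return the beacon fields, or None if ua lacks the layout shown above."""
    parts = ua.split("\\")
    # Expect a trailing backslash, an empty slot from the doubled backslash,
    # and at least one leading identifier field (tag and disk serial).
    if len(parts) < 9 or parts[-1] != "" or parts[-4] != "":
        return None
    names = ("computername", "username", "osnamever", "avdisplayname")
    fields = dict(zip(names, parts[-8:-4]))
    fields.update(ident="\\".join(parts[:-8]), vbc_exist=parts[-3],
                  prev_infected=parts[-2])
    required = ("ident", "computername", "vbc_exist", "prev_infected")
    return fields if all(fields[k] for k in required) else None

def find_beacons(log_lines, min_hits=3):
    """Flag (client, destination) pairs POSTing to /Vre about every 7 seconds."""
    seen = defaultdict(list)
    for line in log_lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) != 5:
            continue  # skip malformed records
        ts, client, method, url, ua = cols
        target = urlsplit(url)
        fields = parse_user_agent(ua)
        if method == "POST" and target.path == BEACON_PATH and fields:
            seen[(client, target.netloc)].append((float(ts), fields))
    alerts = []
    for (client, dest), hits in seen.items():
        hits.sort(key=lambda h: h[0])
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        periodic = sum(abs(g - BEACON_PERIOD) <= TOLERANCE for g in gaps)
        if len(hits) >= min_hits and periodic >= len(gaps) - 1:  # allow one missed interval
            alerts.append({"client": client, "dest": dest, "hits": len(hits), **hits[-1][1]})
    return alerts

# Constructed sample records (tab-separated: epoch, client, method, URL, User-Agent).
UA = "HookKernel_A8D34214\\MYCOMPUTER\\Joe\\Microsoft Windows 7 Professional\\undefined\\\\YES\\FALSE\\"
SAMPLE = [f"{1700000000 + 7 * i}\t10.0.0.5\tPOST\thttp://192.0.2.10:2828/Vre\t{UA}"
          for i in range(4)]
SAMPLE.append("1700000003\t10.0.0.9\tPOST\thttp://192.0.2.20/api\tMozilla/5.0")
```

Calling `find_beacons(SAMPLE)` returns one alert for client 10.0.0.5, carrying the parsed computer name, user name and OS string for triage.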
The worm's operator(s) can send a response to the infected machine's POST request that contains commands for the machine to execute. The response can be defined as:
[command][SPL][arg1][SPL][arg2]
Where the variables are:
An example of a response that gives instructions to drop and execute an additional script would be:
Sc|V|somescript|V|randomstring.ext
Where Sc is the command for executing an additional malicious module/script, somescript is the actual payload, randomstring is a randomly generated filename, and ext is the extension selected by the operator on the C&C server.
Vjw0rm is also able to execute 5 distinct commands, any of which it can receive from the C&C as a response to a POST request. The commands are:
Analysis on file: d6636b527c02e882fc8d64eda18b4aafde8afec2