MORTO


 ALIASES:

W32.Morto, Worm:Win32/Morto, Net-Worm.Win32.Morto, W32/Morto, Mal/Morto

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware, Downloaded from the Internet,Arrives as component of malware/grayware packages, Propagates via Remote Desktop Protocol


The MORTO malware family is known for using the Remote Desktop Protocol to propagate. Variants may be dropped by other malware or may be downloaded unknowingly by users when visiting malicious sites. Variants may also arrive as components of other malware packages.

Variants search for Remote Desktop Servers associated with the infected system and attempts to log in as an administrator. These use a predefined list of passwords in order to gain access. This allows cybercriminals to obtain complete access to an infected system. A cybercriminal is given full control, not only of the infected system, but also of a whole network since the malware logs in using an administrator account. The administrator-level access of the cybercriminal means that anything can be done to the system, including information theft.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Terminates processes

Installation

This worm drops the following file(s)/component(s):

  • %Windows%\clb.dll
  • %Windows%\Offline Web Pages\cache.txt
  • %Windows%\ntshrui.dll

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following non-malicious files:

  • %System%\Sens32.dll
  • %Windows%\Offline Web Pages\{yyyy-mm-dd numbers}
  • %Windows%\Offline Web Pages\1.40_TestDdos

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\WPA
it = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
id = "1293D1C15VAVUJTN"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
ie = "%current folder%\{malware name}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
md = "{compressed malware code}"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
sr = "Sens"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
sn = "6to4"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Windows
NoPopUpsOnBoot = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
6to4\Parameters
ServiceDLL = "%Windows%\ntshrui.dll"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
SENS\Parameters
ServiceDLL = %System%\Sens32.dll

(Note: The default value data of the said registry entry is ServiceDLL = %System%\sens.dll.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\SvcHost
netsvcs = 6to4 {default values}

(Note: The default value data of the said registry entry is {default values}.)

Other Details

This worm connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.38.82
  • {BLOCKED}.be
  • {BLOCKED}.cc
  • {BLOCKED}fo
  • {BLOCKED}t
  • {BLOCKED}.be
  • {BLOCKED}.cc
  • {BLOCKED}t

Related Blog Entries