MORTO
W32.Morto, Worm:Win32/Morto, Net-Worm.Win32.Morto, W32/Morto, Mal/Morto
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The MORTO malware family is known for using the Remote Desktop Protocol to propagate. Variants may be dropped by other malware or may be downloaded unknowingly by users when visiting malicious sites. Variants may also arrive as components of other malware packages.
Variants scan for Remote Desktop servers reachable from the infected system and attempt to log in as an administrator, working through a predefined list of passwords until one is accepted. A successful login gives the attacker complete access to the newly compromised system. Because the malware authenticates with an administrator account, the attacker gains full control not only of that system but potentially of the whole network it belongs to. With administrator-level access, anything can be done to the system, including information theft.
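The propagation behavior above leaves a recognizable trace on each target: a burst of failed remote-interactive (RDP, logon type 10) logons from one source, often followed by a successful logon for an administrator account. The following is an added example, not code from the original advisory, that flags that pattern over parsed Windows logon events. It assumes events are already parsed into dicts with the fields shown, that 4625/4624 are the failed/successful logon event IDs (529/528 on the Windows 2000/XP/2003 systems this worm targets), and the sample events are constructed for the demonstration.

```python
"""Added example, not part of the original advisory: spotting MORTO's RDP
password guessing from Windows logon events.

Assumptions: events are already parsed into dicts with the fields used below;
4625/4624 are the Vista+ failed/successful logon event IDs (529/528 on
Windows 2000/XP/2003).  The sample events are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable

FAILED_LOGON_IDS = {4625, 529}
SUCCESS_LOGON_IDS = {4624, 528}
RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / Remote Desktop

# Constructed sample: six failed RDP logons from 203.0.113.7 followed by a
# success as administrator, one console (type 2) failure from the same host
# that must be ignored, and a single unrelated RDP failure from 198.51.100.5.
SAMPLE_EVENTS = [
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4625, "logon_type": 2, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "logon_type": 10, "src": "198.51.100.5", "user": "bob"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
]


def find_rdp_password_guessing(events: Iterable[Dict], threshold: int = 5) -> Dict[str, Dict]:
    """Return {source_ip: summary} for every source with at least `threshold`
    failed RDP logons.  The summary carries the failure count, the account
    names tried, and any account that logged in successfully over RDP after
    the threshold was reached, which is the MORTO "guess until it works" shape."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    succeeded_as = defaultdict(set)
    for ev in events:
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue  # console, network and service logons are not this pattern
        src = ev["src"]
        if ev["id"] in FAILED_LOGON_IDS:
            failures[src] += 1
            accounts[src].add(ev["user"].lower())
        elif ev["id"] in SUCCESS_LOGON_IDS and failures[src] >= threshold:
            # Order matters: only a success that follows the burst is suspicious.
            succeeded_as[src].add(ev["user"].lower())
    return {
        src: {
            "failures": n,
            "accounts": sorted(accounts[src]),
            "succeeded_as": sorted(succeeded_as[src]),
        }
        for src, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for src, hit in find_rdp_password_guessing(SAMPLE_EVENTS).items():
        print(f"{src}: {hit['failures']} failed RDP logons as {hit['accounts']};"
              f" succeeded as {hit['succeeded_as'] or 'nobody'}")
```

The threshold is deliberately low because MORTO's password list is short; tune it against the normal failure rate of the hosts being monitored, and treat a hit whose `succeeded_as` is non-empty as a confirmed compromise rather than an attempt.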
TECHNICAL DETAILS
Installation
This worm drops the following file(s)/component(s):
- %Windows%\clb.dll
- %Windows%\Offline Web Pages\cache.txt
- %Windows%\ntshrui.dll
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It drops the following non-malicious files:
- %System%\Sens32.dll
- %Windows%\Offline Web Pages\{yyyy-mm-dd numbers}
- %Windows%\Offline Web Pages\1.40_TestDdos
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\WPA
it = "{hex values}"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
id = "1293D1C15VAVUJTN"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
ie = "%current folder%\{malware name}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
md = "{compressed malware code}"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
sr = "Sens"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
sn = "6to4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Windows
NoPopUpsOnBoot = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
6to4\Parameters
ServiceDLL = "%Windows%\ntshrui.dll"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
SENS\Parameters
ServiceDLL = %System%\Sens32.dll
(Note: The default value data of the said registry entry is ServiceDLL = %System%\sens.dll.)
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\SvcHost
netsvcs = 6to4 {default values}
(Note: The default value data of the said registry entry is {default values}.)
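The installation and registry changes above can be turned into a host check. The following is an added example, not code from the original advisory or from any vendor tool, that looks for the dropped files, the HKEY_LOCAL_MACHINE\SYSTEM\WPA value names, the repointed SENS ServiceDll, the fake 6to4 service DLL and the 6to4 entry in the svchost netsvcs group. It assumes the service Parameters keys live under CurrentControlSet\Services (the listing above writes them without the Services\ component), that the registry and file-system readers can be swapped for a constructed snapshot so the rules run off-box, and that the winreg-backed reader is only used on a Windows host with an elevated shell. The infected and clean snapshots are constructed for the demonstration.

```python
"""Added example, not part of the original advisory: host check for the MORTO
installation indicators.  Readers are injected so the rules can be exercised
against a constructed snapshot; the winreg reader is for a real Windows host.
"""
import ntpath  # Windows path rules regardless of the platform running the check
import os
import sys
from typing import Callable, Dict, List, Optional

# Subkeys under HKEY_LOCAL_MACHINE.  Assumption: service Parameters keys are
# under CurrentControlSet\Services, which the advisory's listing abbreviates.
WPA_KEY = r"SYSTEM\WPA"
SENS_PARAMS = r"SYSTEM\CurrentControlSet\Services\SENS\Parameters"
SIXTO4_PARAMS = r"SYSTEM\CurrentControlSet\Services\6to4\Parameters"
SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
CONTROL_WINDOWS = r"SYSTEM\CurrentControlSet\Control\Windows"

MORTO_WPA_VALUES = {"it", "id", "ie", "md", "sr", "sn"}
MORTO_WPA_ID = "1293D1C15VAVUJTN"
DROPPED_FILES = [
    r"%Windows%\clb.dll",
    r"%Windows%\ntshrui.dll",
    r"%Windows%\Offline Web Pages\cache.txt",
    r"%Windows%\Offline Web Pages\1.40_TestDdos",
    r"%System%\Sens32.dll",
]

RegReader = Callable[[str], Optional[Dict[str, object]]]


def _service_dll(params: Optional[Dict[str, object]]) -> str:
    """Value-name case varies between tools, so match ServiceDll loosely."""
    for name, data in (params or {}).items():
        if name.lower() == "servicedll":
            return str(data)
    return ""


def check_morto_indicators(reg_values: RegReader, file_exists: Callable[[str], bool],
                           windows_dir: str = r"C:\Windows") -> List[str]:
    """Return a list of findings; an empty list means no indicator was seen.
    reg_values(subkey) -> {value_name: data} for an HKLM subkey, or None if absent."""
    findings: List[str] = []
    system_dir = ntpath.join(windows_dir, "System32")

    for rel in DROPPED_FILES:
        path = rel.replace("%Windows%", windows_dir).replace("%System%", system_dir)
        if file_exists(path):
            findings.append(f"dropped file present: {path}")

    wpa = {n.lower(): d for n, d in (reg_values(WPA_KEY) or {}).items()}
    seen = MORTO_WPA_VALUES & set(wpa)
    if seen:
        findings.append(f"HKLM\\{WPA_KEY} carries MORTO values: {sorted(seen)}")
    if str(wpa.get("id", "")) == MORTO_WPA_ID:
        findings.append("HKLM\\SYSTEM\\WPA id matches the known MORTO marker")

    # The worm repoints the legitimate SENS service from sens.dll to Sens32.dll.
    sens_dll = _service_dll(reg_values(SENS_PARAMS))
    if sens_dll and ntpath.basename(sens_dll).lower() != "sens.dll":
        findings.append(f"SENS ServiceDll hijacked: {sens_dll} (default is sens.dll)")

    # The fake 6to4 service loads the dropped ntshrui.dll from %Windows% and is
    # hosted by svchost once 6to4 is prepended to the netsvcs group.
    six_dll = _service_dll(reg_values(SIXTO4_PARAMS))
    if six_dll and ntpath.basename(six_dll).lower() == "ntshrui.dll":
        findings.append(f"6to4 ServiceDll points at dropped DLL: {six_dll}")
    netsvcs = (reg_values(SVCHOST_KEY) or {}).get("netsvcs") or []
    if any(str(s).lower() == "6to4" for s in netsvcs):
        findings.append("6to4 is listed in the svchost netsvcs group")

    # Weak on its own (it is a legitimate setting), so report it only alongside
    # stronger evidence.
    popups = (reg_values(CONTROL_WINDOWS) or {}).get("NoPopUpsOnBoot")
    if findings and str(popups) == "1":
        findings.append("NoPopUpsOnBoot=1 set (hides boot-time error dialogs)")
    return findings


def live_windows_readers():
    """Readers for a real host.  Assumption: run from an elevated shell."""
    import winreg  # Windows-only module

    def reg_values(subkey: str):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            return None
        values, i = {}, 0
        with key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    return values
                values[name] = data
                i += 1

    return reg_values, os.path.exists


# Constructed snapshots for the off-box demonstration.
INFECTED_REGISTRY = {
    WPA_KEY: {"it": b"\x00", "id": MORTO_WPA_ID, "sr": "Sens", "sn": "6to4"},
    SENS_PARAMS: {"ServiceDll": r"C:\Windows\System32\Sens32.dll"},
    SIXTO4_PARAMS: {"ServiceDll": r"C:\Windows\ntshrui.dll"},
    SVCHOST_KEY: {"netsvcs": ["6to4", "AppMgmt", "AudioSrv"]},
    CONTROL_WINDOWS: {"NoPopUpsOnBoot": 1},
}
INFECTED_FILES = {r"C:\Windows\clb.dll", r"C:\Windows\System32\Sens32.dll"}
CLEAN_REGISTRY = {
    SENS_PARAMS: {"ServiceDll": r"%SystemRoot%\system32\sens.dll"},
    SVCHOST_KEY: {"netsvcs": ["AppMgmt", "AudioSrv"]},
    CONTROL_WINDOWS: {"NoPopUpsOnBoot": 1},
}


def scan_snapshot(registry: Dict[str, Dict[str, object]], files: set) -> List[str]:
    """Run the check against a captured registry/file snapshot instead of a live host."""
    return check_morto_indicators(registry.get, files.__contains__)


if __name__ == "__main__":
    if sys.platform == "win32":
        reg, exists = live_windows_readers()
        report = check_morto_indicators(reg, exists, os.environ.get("SystemRoot", r"C:\Windows"))
    else:
        report = scan_snapshot(INFECTED_REGISTRY, INFECTED_FILES)
    print("\n".join(report) or "no MORTO indicators found")
```

On a live host the SENS ServiceDll comparison is the most reliable single check, since the legitimate value always ends in sens.dll; the WPA value names and the netsvcs entry confirm it, and NoPopUpsOnBoot is only reported when something stronger has already fired.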
Other Details
This worm connects to the following possibly malicious URLs:
- {BLOCKED}.{BLOCKED}.38.82
- {BLOCKED}.be
- {BLOCKED}.cc
- {BLOCKED}fo
- {BLOCKED}t
- {BLOCKED}.be
- {BLOCKED}.cc
- {BLOCKED}t