
Worm:Win32/Morto.C


First posted on 29 November 2011.
Source: SecurityHome

Aliases :

There are no other names known for Worm:Win32/Morto.C.

Explanation :

Worm:Win32/Morto.C is malware that performs the main payload for Worm:Win32/Morto.gen!A, Worm:Win32/Morto.A, and Worm:Win32/Morto.B.





Installation

Worm:Win32/Morto.C is a DLL file that performs the main Morto payload.

When executed, it is installed as the following files:

  • %windir%\clb.dll
  • %windir%\offline web pages\cache.txt


When the malware updates itself, it first backs up the existing %windir%\clb.dll as "clb.dll.bak".

Note that a legitimate file also named "clb.dll" exists by default in the Windows system folder (%windir%\system32). Windows resolves a DLL requested by name by searching the directory of the calling executable before the system folder, so a program that runs from %windir% loads the malicious %windir%\clb.dll in place of the legitimate one (a DLL search-order hijack). A "clb.dll" in %windir% whose hash differs from the system32 copy is therefore a reliable indicator of this infection.

Spreads via...

Network access via RDP port 3389

Worm:Win32/Morto.C spreads over RDP (TCP port 3389). It first looks for other computers reachable through the affected computer's existing RDP sessions. It also enumerates IP addresses on the affected computer's subnet and attempts to log on to each of them over RDP using a built-in list of user names and passwords. The visible footprint of this scan on a targeted host is a burst of failed logons from a single source against many accounts (Security event ID 4625 with logon type 10 on Windows Vista and later).



Payload

Contacts remote host

Worm:Win32/Morto.C connects to the following hosts to download additional information and update its components:

  • fc<random number>.j<removed>mt.net
  • j<removed>fr.co.be
  • j<removed>fr.co.cc
  • j<removed>fr.info
  • j<removed>fr.net
  • qf<removed>l.co.be
  • qf<removed>l.co.cc
  • qf<removed>l.net
  • sc.j<removed>mt.net


Newly downloaded components are saved as files using the following naming format:

<random characters>~MTMP<4 hexadecimal digits>.exe
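The following artifact scan is an example added for this page, not code from the original analysis. It checks the installation artifacts listed above (the hijacking clb.dll in %windir% compared against the system32 copy, clb.dll.bak, the cache.txt drop file) and the `<random characters>~MTMP<4 hexadecimal digits>.exe` naming of downloaded components. It takes the Windows directory as a path so it can run against a mounted image as well as a live host; the `demo()` function builds a constructed directory layout, not a real infection. Searching the whole tree under the Windows directory for ~MTMP files is an assumption, since the write-up does not say where they are saved, and the registry check uses the HKLM\SYSTEM\Wpa\md subkey named under "Additional information".

```python
"""Artifact scan for the Morto installation described in this write-up.
Example code added for this page, not part of the original analysis."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Naming format from the write-up: <random characters>~MTMP<4 hex digits>.exe
MTMP_RE = re.compile(r"^.+~MTMP[0-9A-Fa-f]{4}\.exe$", re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_windir(windir):
    """Return a list of (tag, path) findings for Morto artifacts under windir.

    Paths are spelled as the write-up gives them (Windows compares them
    case-insensitively).  The location of the ~MTMP files is not stated in
    the write-up, so the whole tree is searched: an assumption, and slow on a
    full C:\\Windows, but acceptable for a mounted image."""
    windir = Path(windir)
    findings = []

    rogue = windir / "clb.dll"
    legit = windir / "system32" / "clb.dll"
    if rogue.is_file():
        # The real clb.dll lives in system32.  A copy in %windir% that does
        # not match it is the search-order hijack; an identical copy is not.
        if legit.is_file() and sha256_of(rogue) == sha256_of(legit):
            findings.append(("clb_duplicate", str(rogue)))
        else:
            findings.append(("clb_hijack", str(rogue)))

    if (windir / "clb.dll.bak").is_file():
        findings.append(("clb_bak", str(windir / "clb.dll.bak")))

    cache = windir / "offline web pages" / "cache.txt"
    if cache.is_file():
        findings.append(("cache_txt", str(cache)))

    for exe in windir.rglob("*.exe"):
        if MTMP_RE.match(exe.name):
            findings.append(("mtmp_component", str(exe)))

    return findings


def morto_registry_config():
    """Live Windows host only: value names under HKLM\\SYSTEM\\Wpa\\md, the
    subkey the worm reads its configuration from.  Returns None when the
    subkey is absent or the code is not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\Wpa\md") as key:
            names, i = [], 0
            while True:
                try:
                    names.append(winreg.EnumValue(key, i)[0])
                    i += 1
                except OSError:  # no more values
                    return names
    except OSError:  # subkey does not exist
        return None


def demo():
    """Build a constructed layout (not a real infection) holding every
    artifact from the write-up plus one decoy, scan it, and return the
    sorted finding tags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "clb.dll").write_bytes(b"legitimate clb.dll")
        (root / "clb.dll").write_bytes(b"malicious clb.dll")       # hijack copy
        (root / "clb.dll.bak").write_bytes(b"previous malicious")  # backup
        (root / "offline web pages").mkdir()
        (root / "offline web pages" / "cache.txt").write_bytes(b"")
        (root / "temp").mkdir()
        (root / "temp" / "k3x~MTMP0A7f.exe").write_bytes(b"MZ")  # matches format
        (root / "temp" / "k3x~MTMPzz.exe").write_bytes(b"MZ")    # decoy: not 4 hex digits
        return sorted(tag for tag, _ in scan_windir(root))


if __name__ == "__main__":
    windir = os.environ.get("WINDIR")
    print(scan_windir(windir) if windir else demo())
    print(morto_registry_config())
```

On a live host the script scans %WINDIR%; anywhere else it runs the constructed demo. The hash comparison matters because an identical clb.dll in both directories is not this infection, only a differing one is.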

Performs denial of service attacks

Worm:Win32/Morto.C may be ordered to perform denial-of-service (DoS) attacks against specified targets.

Terminates security processes

Worm:Win32/Morto.C terminates processes that contain the following strings in their name. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

  • 360rp
  • ACAAS
  • ArcaConfSV
  • AvastSvc
  • FPAVServer
  • FortiScand
  • GDFwSvc
  • K7RTScan
  • KVSrvXP
  • MPSvc
  • MsMpEng
  • NSESVC.EXE
  • PavFnSvr
  • RavMonD
  • SavService
  • SpySweeper
  • Vba32Ldr
  • a2service
  • avguard
  • avgwdsvc
  • avpmapp
  • ccSvcHst
  • cmdagent
  • coreServiceShell
  • freshclam
  • fsdfwd
  • knsdave
  • kxescore
  • mcshield
  • scanwscs
  • vsserv
  • zhudongfangyu


Clears system event log

Worm:Win32/Morto.C deletes the following system event logs:

  • Application log
  • Security log
  • System log
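Detection logic for two behaviours from this write-up, the RDP password guessing described under "Spreads via..." and the clearing of the three event logs above, as an example added for this page and not code from the original analysis. The event records are constructed to mirror what Get-WinEvent or an EVTX export would provide and are not real telemetry; field names follow the Windows event schema (EventID, LogonType, IpAddress, TargetUserName, Channel). The thresholds (five failures across three accounts within five minutes) are assumptions to tune for the environment.

```python
"""Detection over constructed Windows event records for Morto's RDP
password guessing and event-log clearing.  Example code added for this
page, not from the original analysis."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, channel,
# EventID, EventData).  192.168.1.23 plays the worm: six RemoteInteractive
# (logon type 10) failures against four accounts in under two minutes, after
# which the three logs are cleared.  192.168.1.50 is a user mistyping a
# password once; 10.0.0.5 is a failed network (type 3) logon, which the RDP
# check ignores.
SAMPLE_EVENTS = [
    ("2011-11-29T10:00:01", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.23", "TargetUserName": "administrator"}),
    ("2011-11-29T10:00:04", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.23", "TargetUserName": "administrator"}),
    ("2011-11-29T10:00:09", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.23", "TargetUserName": "admin"}),
    ("2011-11-29T10:00:15", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.50", "TargetUserName": "jsmith"}),
    ("2011-11-29T10:00:31", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.23", "TargetUserName": "user"}),
    ("2011-11-29T10:00:40", "Security", 4625, {"LogonType": "3", "IpAddress": "10.0.0.5", "TargetUserName": "backup"}),
    ("2011-11-29T10:01:02", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.23", "TargetUserName": "test"}),
    ("2011-11-29T10:01:20", "Security", 4625, {"LogonType": "10", "IpAddress": "192.168.1.23", "TargetUserName": "test"}),
    ("2011-11-29T10:05:00", "System", 104, {"Channel": "Application"}),
    ("2011-11-29T10:05:01", "Security", 1102, {}),
    ("2011-11-29T10:05:02", "System", 104, {"Channel": "System"}),
]


def detect_rdp_guessing(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Sources whose RDP (logon type 10) 4625 failures reach min_failures
    across at least min_users distinct accounts inside some `window`.
    Returns {source_ip: sorted distinct target user names}."""
    per_source = defaultdict(list)
    for ts, channel, event_id, data in events:
        if channel == "Security" and event_id == 4625 and data.get("LogonType") == "10":
            per_source[data["IpAddress"]].append((datetime.fromisoformat(ts), data["TargetUserName"]))
    hits = {}
    for ip, attempts in per_source.items():
        attempts.sort()
        # Slide the window start over each attempt in time order.
        for i, (start, _) in enumerate(attempts):
            burst = [user for t, user in attempts[i:] if t - start <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                hits[ip] = sorted({user for _, user in attempts})
                break
    return hits


def detect_log_clearing(events):
    """(timestamp, cleared log) for each log-clear event.  Security 1102 is
    the Security log being cleared on Vista and later (517 on XP/2003, the
    worm's era); System 104 from Microsoft-Windows-Eventlog reports another
    log being cleared and names it in the Channel field."""
    cleared = []
    for ts, channel, event_id, data in events:
        if channel == "Security" and event_id in (1102, 517):
            cleared.append((ts, "Security"))
        elif channel == "System" and event_id == 104:
            cleared.append((ts, data.get("Channel", "unknown")))
    return cleared


if __name__ == "__main__":
    print(detect_rdp_guessing(SAMPLE_EVENTS))
    print(detect_log_clearing(SAMPLE_EVENTS))
```

Because the worm clears the Security log after spreading, the 4625 burst is only reliable when events are forwarded off the host before the clear; the 1102 and 104 records written after the clear are then the remaining local evidence.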

Additional information

Worm:Win32/Morto.C reads configuration data from the subkey HKLM\SYSTEM\Wpa\md.



Analysis by Zarestel Ferrer

Last update 29 November 2011

 
