First posted on 20 June 2012.
Worm:Win32/Morto.gen!B is also known as W32/Morto.CDF (Norman), Win32/Morto.Q worm (ESET).
Worm:Win32/Morto.gen!B is the DLL component of the Win32/Morto worm family. It executes the main component on the affected computer. It spreads across a network via Remote Desktop connections.
Worm:Win32/Morto.gen!B is a DLL file that executes the main Morto payload. It is installed as either of the following files:
- %windir%\offline web pages\cache.txt
Note that a legitimate file also named "clb.dll" exists by default in the Windows system folder. Because of how files in Windows are searched for and run, the malware file "clb.dll" is actually run instead of the legitimate file.
It also accesses the encrypted binary blob written by the main £Morto$ dropper into the registry key HKLM\SYSTEM\WPA\md.
Network access via RDP port 3389
Win32/Morto attempts to spread to other computers by checking for those connected via RDP sessions to other computers by default. It also enumerates IP addresses on the affected computer's subnet and attempts to connect to these computers using certain user names and passwords.
Runs the main Morto component
If Worm:Win32/Morto.gen!B is running as a service or within the context of the "rundll32.exe" process, it attempts to read the payload component in the drive "\\TsClient\A\Moto", which is a drive used by the Morto family to spread. It then compares the data stored in this drive to that saved in the subkey "HKLM\SYSTEM\Wpa\a". If the data is identical, it executes the Morto payload component, which may be to terminate processes or perform denial of service (DoS) attacks.
Analysis by Jeong Mun
Last update 20 June 2012