
Worm:Win32/Morto.A


First posted on 30 August 2011.
Source: SecurityHome

Aliases :

Worm:Win32/Morto.A is also known as Trojan horse Generic24.OJQ (AVG), Trojan.DownLoader4.48720 (Dr.Web), Win-Trojan/Helpagent.7184 (AhnLab), Troj/Agent-TEE (Sophos), Backdoor:Win32/Morto.A (Microsoft).

Explanation :

Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.



Installation
The malware consists of several components, including an executable dropper component (the installer) and a DLL component that carries the payload.

When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, and a further copy is written to c:\windows\offline web pages\cache.txt. If the malware later updates itself, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry value HKLM\SYSTEM\WPA\md and exits.

The name clb.dll is chosen because a real DLL of that name exists in the System directory and is loaded by regedit. To get its own DLL loaded, the malware spawns a regedit process. Because regedit.exe lives in the Windows directory, and the directory of the loading executable is the first place Windows looks for an unqualified DLL name (ahead of the System directory), regedit picks up the malicious %windir%\clb.dll instead of the legitimate one. This DLL has encrypted configuration information appended to it, which it uses to download and execute new components.
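The search-order point is easiest to see by modelling it. The Python below is an added illustration, not code from the original write-up: it encodes the default (SafeDllSearchMode) probe order and resolves clb.dll for two constructed disk states, a clean host and one with the planted %windir%\clb.dll. The directory listings, the current directory and the System32-hosted comparison program (mmc.exe) are assumptions made for the demo.

```python
from pathlib import PureWindowsPath

# Constructed directory layout for the model (assumed, not from the write-up).
WINDIR = PureWindowsPath(r"C:\Windows")
SYSTEM32 = WINDIR / "System32"
SYSTEM16 = WINDIR / "System"  # legacy 16-bit system directory


def search_order(exe_path, cwd, path_dirs):
    """Directories probed, in order, for an unqualified LoadLibrary("x.dll")
    with SafeDllSearchMode on (the default since Windows XP SP2).

    The directory of the loading executable comes first; the Windows
    directory itself is only fourth.  DLLs listed under KnownDLLs bypass
    this list entirely, so the trick only works for a name that is not one.
    """
    exe_dir = PureWindowsPath(exe_path).parent
    return [exe_dir, SYSTEM32, SYSTEM16, WINDIR,
            PureWindowsPath(cwd), *(PureWindowsPath(p) for p in path_dirs)]


def resolve_dll(dll_name, exe_path, files_present,
                cwd=r"C:\Users\demo", path_dirs=(r"C:\Windows\System32",)):
    """Return the full path Windows would load for dll_name, or None.
    files_present is a constructed set of full paths that 'exist' on disk."""
    present = {p.lower() for p in files_present}
    for directory in search_order(exe_path, cwd, path_dirs):
        candidate = str(directory / dll_name)
        if candidate.lower() in present:
            return candidate
    return None


# Constructed disk states: the legitimate DLL alone, and the same plus Morto's copy.
CLEAN_HOST = {r"C:\Windows\System32\clb.dll"}
MORTO_HOST = CLEAN_HOST | {r"C:\Windows\clb.dll"}

REGEDIT = r"C:\Windows\regedit.exe"            # lives in %windir%, not System32
SYSTEM32_EXE = r"C:\Windows\System32\mmc.exe"  # any program hosted in System32 (assumed)


def which_clb(exe_path, files_present):
    """Which clb.dll does exe_path end up loading on the given disk state?"""
    return resolve_dll("clb.dll", exe_path, files_present)


if __name__ == "__main__":
    print("clean host, regedit  :", which_clb(REGEDIT, CLEAN_HOST))
    print("Morto host, regedit  :", which_clb(REGEDIT, MORTO_HOST))
    print("Morto host, System32 :", which_clb(SYSTEM32_EXE, MORTO_HOST))
```

The third case is the useful one: a program that lives in System32 resolves clb.dll to the real file first, so the planted copy is only reached through a loader whose own directory is %windir%, which is why the malware goes out of its way to spawn regedit. On a live host the check collapses to whether %windir%\clb.dll exists at all, since the legitimate copy belongs in the System directory.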

The following files are also created by the malware:

  • %windir%\temp\ntshrui.dll
  • <system folder>\sens32.dll
  • c:\windows\offline web pages\cache.txt - detected as Worm:Win32/Morto.A


The following registry modifications are made to load the DLLs as services upon system boot:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"

Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may be replaced later on with malicious components which are downloaded to:

  • c:\windows\offline web pages\cache.txt


and which replace sens32.dll at the next reboot via the PendingFileRenameOperations mechanism, recorded under the following registry subkey:

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations


Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).

Spreads via…

Compromising Remote Desktop connections on a network: Port 3389 (RDP)

Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and attempts RDP logons to the systems it finds, using the following user names:

1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5

with the following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

If the worm succeeds in logging into a system, it copies clb.dll to a.dll and creates a file r.reg in a directory on the attacking machine that is temporarily mapped as drive A:. RDP drive redirection exposes that drive to the remote session as the \\tsclient\a share, and both files are executed on the remote system from there.
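From the defender's side, the spreading behaviour above shows up as a burst of Security event 4625 (logon failure) records from one source address against many of the listed account names. The following Python is an added example, not part of the original write-up: it runs a simple spray detector over a constructed set of 4625 records and reports which of the flagged names overlap Morto's user list. The record format (timestamp, source address, target user, logon type) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account names from Morto's list (taken from the write-up above).
MORTO_USERS = {
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
    "backup", "computer", "console", "david", "guest", "john", "owner",
    "root", "server", "sql", "support", "support_388945a0", "sys",
    "test2", "test3", "user", "user1", "user5",
}

# Constructed sample of Security event 4625 fields:
# (timestamp, source network address, target user name, logon type).
SAMPLE_4625 = [
    ("2011-08-30 10:00:01", "10.0.0.23", "administrator", 10),
    ("2011-08-30 10:00:03", "10.0.0.23", "admin", 10),
    ("2011-08-30 10:00:05", "10.0.0.23", "root", 10),
    ("2011-08-30 10:00:08", "10.0.0.23", "guest", 10),
    ("2011-08-30 10:00:11", "10.0.0.23", "sql", 10),
    ("2011-08-30 10:00:14", "10.0.0.23", "backup", 10),
    ("2011-08-30 10:00:18", "10.0.0.23", "support", 10),
    ("2011-08-30 10:00:21", "10.0.0.23", "user1", 10),
    ("2011-08-30 10:00:25", "10.0.0.23", "test2", 10),
    ("2011-08-30 10:00:29", "10.0.0.23", "jsmith", 10),
    ("2011-08-30 10:00:33", "10.0.0.23", "svc_backup", 2),   # console logon, not RDP: ignored
    ("2011-08-30 10:05:00", "10.0.0.50", "jsmith", 10),      # a user mistyping a password
    ("2011-08-30 10:05:20", "10.0.0.50", "jsmith", 10),
    ("2011-08-30 10:05:41", "10.0.0.50", "jsmith", 10),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_rdp_spray(events, window=timedelta(minutes=5),
                     min_failures=8, min_users=5, logon_types=(10, 3)):
    """Flag source addresses that fail many logons against many different
    accounts inside one time window.  Logon type 10 is RemoteInteractive
    (classic RDP); type 3 is included because with Network Level
    Authentication the failed credential check is logged as a network logon.
    Thresholds are assumptions; tune them to the environment."""
    by_src = defaultdict(list)
    for ts, src, user, ltype in events:
        if ltype in logon_types:
            by_src[src].append((_ts(ts), user.lower()))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            in_window = [u for t, u in evs[i:] if t - t0 <= window]
            users = set(in_window)
            if len(in_window) >= min_failures and len(users) >= min_users:
                alerts[src] = {
                    "failures": len(in_window),
                    "distinct_users": len(users),
                    "morto_names": sorted(users & MORTO_USERS),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_spray(SAMPLE_4625).items():
        print(src, info)
```

The fields used here correspond to the IpAddress, TargetUserName and LogonType entries in the event's EventData, so the same function can be fed from an export of the Security log. Passwords never appear in 4625 records, so the overlap with Morto's account list is the only part of its credential set that is directly observable from the target.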

The file r.reg, contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"

"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"

Importing this .reg file disables UAC (EnableLUA=0, a change that takes effect after the next reboot, with ConsentPromptBehaviorAdmin=0 suppressing the elevation prompt) and marks rundll32.exe, under every likely system path, with the RUNASADMIN compatibility layer. The apparent intention is to ensure that rundll32.exe runs with administrator privileges, and thus that the malware's DLL, clb.dll, loaded through it, does too.
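The registry changes listed under Installation (the ServiceDll redirections, the values under HKLM\SYSTEM\WPA, NoPopUpsOnBoot) and the contents of r.reg above are all checkable from a registry export. The following Python is an added example, not code from the original write-up: a small parser for the .reg text format, followed by checks for those indicators. SAMPLE_REG is a constructed export that mixes the entries from this page with a benign Dhcp service entry as a control; the sens32.dll watchlist and the "ServiceDll outside System32" rule are assumptions derived from the paths given above.

```python
import re
from collections import defaultdict

# Key paths of interest, lower-cased to match the parser's normalisation.
POLICIES = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
LAYERS = r"hkey_current_user\software\microsoft\windows nt\currentversion\appcompatflags\layers"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
WPA = r"hkey_local_machine\system\wpa"
CTRL_WINDOWS = r"hkey_local_machine\system\currentcontrolset\control\windows"
MORTO_WPA_VALUES = {"it", "id", "sn", "ie", "md", "sr"}
SUSPECT_SERVICE_DLLS = {"sens32.dll"}  # name from the write-up; assumed never legitimate

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(d):
    if d.startswith('"') and d.endswith('"'):
        return _unescape(d[1:-1])
    if d.lower().startswith("dword:"):
        return int(d[6:], 16)
    return d  # hex:, hex(2): and other types are kept as raw text


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; keys and value names are
    lower-cased because the registry is case-insensitive.  Multi-line hex
    values (continuation lines) are not joined; not needed for these checks."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name.lower()] = _parse_data(m.group(3))
    return dict(keys)


def _suspicious_servicedll(path):
    """A svchost ServiceDll outside System32, or one of the names Morto uses."""
    p = path.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return (not p.startswith("c:\\windows\\system32\\")
            or p.rsplit("\\", 1)[-1] in SUSPECT_SERVICE_DLLS)


def morto_indicators(reg):
    """Return human-readable findings for the indicators described on this page."""
    hits = []
    pol = reg.get(POLICIES, {})
    if pol.get("enablelua") == 0:
        hits.append("UAC disabled: EnableLUA=0")
    if pol.get("consentpromptbehavioradmin") == 0:
        hits.append("silent admin elevation: ConsentPromptBehaviorAdmin=0")
    for name, data in reg.get(LAYERS, {}).items():
        if name.endswith("rundll32.exe") and "runasadmin" in str(data).lower():
            hits.append(f"RUNASADMIN compatibility layer on {name}")
    for key, values in reg.items():
        if key.startswith(SERVICES) and key.endswith("\\parameters"):
            dll = values.get("servicedll")
            if isinstance(dll, str) and _suspicious_servicedll(dll):
                svc = key.split("\\")[-2]
                hits.append(f"ServiceDll of service {svc} -> {dll}")
    wpa = MORTO_WPA_VALUES & set(reg.get(WPA, {}))
    if wpa:
        hits.append("Morto config values under HKLM\\SYSTEM\\WPA: " + ", ".join(sorted(wpa)))
    if reg.get(CTRL_WINDOWS, {}).get("nopopupsonboot") == 1:
        hits.append("NoPopUpsOnBoot=1")
    return hits


# Constructed export: this page's entries plus a benign Dhcp service as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="%windir%\\temp\\ntshrui.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sens\Parameters]
"ServiceDll"="C:\\Windows\\System32\\sens32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\WPA]
"md"=hex:00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"NoPopUpsOnBoot"=dword:1
"""

if __name__ == "__main__":
    for hit in morto_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```

Files written by reg export are UTF-16LE with a byte-order mark, so read them with encoding="utf-16" before passing the text to parse_reg. The "outside System32" rule catches the %windir%\temp\ntshrui.dll case, while sens32.dll, which sits inside System32, is caught only by the name watchlist, which is why both rules are needed.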



Payload

Contacts remote host

Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:

210.3.38.82
jifr.info
jifr.co.cc
jifr.co.be
qfsl.net
qfsl.co.cc
qfsl.co.be

Newly downloaded components are written to a file name of the following form, where the four characters are hexadecimal digits:

~MTMP<4 digits 0-f>.exe

Performs Denial of Service attacks

Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.

Terminates processes

Morto.A terminates processes whose names contain the following strings. They correspond to popular security products, indicating that the worm attempts to stop antivirus and other security-related processes.

ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu

Additional information

Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:

HKLM\SYSTEM\Wpa\it
HKLM\SYSTEM\Wpa\id
HKLM\SYSTEM\Wpa\sn
HKLM\SYSTEM\Wpa\ie
HKLM\SYSTEM\Wpa\md
HKLM\SYSTEM\Wpa\sr

It also makes the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"



Analysis by Matt McCormack

Last update 30 August 2011