First posted on 09 June 2012.
Worm:JS/Morph.A is also known as JS/Morpheus.A.1 (Avira), JS.Worm.Phremous.A (BitDefender), JS/AutoRun.NAE (ESET), Worm.JS.Morph (Ikarus), Trojan-Downloader.JS.Agent.gqi (Kaspersky), HTA/Autorun.worm.gh (McAfee), Troj/Agent-WCZ (Sophos), JS.Phremous (Symantec).
Worm:JS/Morph.A is a worm that spreads to all disk drives, including removable drives and network shares, as a file named "M0rPheS.tpl". This worm could download other malware to your infected computer.
This worm could copy itself to your computer if you accessed an infected drive and opened shortcut links that appear as folders to view the drive contents. When run, Morph creates hidden folders on your computer, as in the following:
- %USERPROFILE% \msn
Note: %USERPROFILE% is a user profile folder specific to the logon account name and varies from Windows XP to Vista and beyond, as in the following typical Windows installation:
Windows XP - C:\Documents and Settings\<user name>
Windows Vista above - C:\Users\<user name>
Morph drops a copy of the worm as a file named "M0rPheuS.tpl" into various folders of your computer, as in the following:
- %USERPROFILE%\Start Menu\M0rPheuS.tpl
- %USERPROFILE%\My Documents\M0rPheuS.tpl
- %USERPROFILE%\Start Menu\Programs\M0rPheuS.tpl
- %USERPROFILE%\Start Menu\Programas\M0rPheuS.tpl
The worm then hides the following folders:
- %USERPROFILE%\Start Menu
- %USERPROFILE%\My Documents
- %USERPROFILE%\Start Menu\Programs
- %USERPROFILE%\Start Menu\Programas
Morph then creates shortcut links by the same name as the hidden folders, and uses a file folder icon. When you hover the mouse over the shortcut, the words "Carpeta de archivo" are displayed:
If you double-click the above shortcut, it runs the worm and opens the "Program Files" folder. The shortcut is detected as Worm:JS/Morph.A!lnk.
The worm copies itself across all accessible drives, including removable drives and network shares as the file "M0rPheuS.tpl". The worm hides folders found on the target drive, and creates shortcut links that have the same name as the hidden file folders. Opening the shortcut runs the worm and opens the hidden file folder.
Downloads other threats
Worm:JS/Morph.A attempts to download other malware to the folder %USERPROFILE%\msn (e.g. C:\Users\<user name>\msn):
- update_m0rpheus.js - downloaded from the IP address 220.127.116.11 and detected as TrojanDownloader:JS/Morph.C
- msnmsgr.tpl - detected as Worm:JS/Morph.C
- m2012_04.exe - detected as TrojanSpy:Win32/Spyeks.B
- m2012_04.tt - detected as TrojanSpy:Win32/Spyeks.B
- a.txt - detected as Worm:Win32/Autorun!inf
- d.tpl - detected as TrojanDownloader:JS/Adodb
- Informacion Importante.lnk - detected as TrojanDownloader:BAT/Lnkget.AU
- mailpv.exe - detected as HackTool:Win32/Mailpassview
- mailpv.tt - detected as HackTool:Win32/Mailpassview
- Mejores Amigos.lnk - detected as TrojanDownloader:BAT/Lnkget.AU
If Worm:JS/Morph.C is downloaded and run by TrojanDownloader:JS/Morph.C, it attempts to terminate processes matching the following file names:
- avgnt.exe - Avira Internet Security
- avguard.exe - Avira Internet Security
- avshadow.exe - Avira Internet Security
- chrome.exe - Google Chrome web browser
- firefox.exe - Mozilla Firefox web browser
- GoogleUpdate.exe - software update program for Google applications
- msnmsgr.exe - Windows Live Messenger
- GoogleCrashHandler.exe - program that sends crash details and other data to Google for products such as Google Chrome
Creates a new user account
Worm:JS/Morph.C attempts to add a user named "M0rpheus" with password "M0rpheusHacker". Morph then adds the user to the local "Administradores" and "Administrators" groups, which gives the account administrator privileges.
Although Worm:JS/Morph can spread to English-based Windows systems, it was written with Spanish Windows in mind, as evident by references to the worm shortcut as "Carpeta de archivo" (archive file folder). Also, one of the scripts attemtps to use the icon for Windows Live Messenger from the following static folder location:
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
Additionally, the IP address 18.104.22.168 is located in Mexico.
Analysis by Wei Li
Last update 09 June 2012