
Worm:Win32/Morto.F


First posted on 24 March 2012.
Source: Microsoft

Aliases :

Worm:Win32/Morto.F is also known as W32/Morto.YM (Norman), BackDoor.Morto.1 (Dr.Web), Win32/Morto.O worm (ESET), Worm.Win32.Morto (Ikarus), Worm.Win32.Mort.c (Kaspersky), Worm.Win32.Morto.h (Rising AV), Troj/Morto-D (Sophos), WORM_MORTO.AS (Trend Micro).

Explanation :

Worm:Win32/Morto.F is the DLL component of the Win32/Morto worm family. It executes the main component on the affected computer. It spreads across a network via Remote Desktop connections.





Installation

Worm:Win32/Morto.F is a DLL file that executes the main Morto payload. It is installed as either of the following files:

  • %windir%\clb.dll
  • %windir%\offline web pages\cache.txt


Note that a legitimate file also named "clb.dll" exists by default in the Windows system folder. Because of the order in which Windows searches directories when loading a DLL, the malicious "clb.dll" placed in %windir% is found and loaded instead of the legitimate copy (a DLL search-order hijack).

Spreads via...

Network access via RDP port 3389

Win32/Morto attempts to spread to other computers by first checking for existing RDP sessions from the affected computer to other computers. It also enumerates IP addresses on the affected computer's subnet and attempts to connect to those computers over RDP using a fixed set of user names and passwords.
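As an added defender-side example (not part of the Microsoft write-up), the following Python sketches two triage checks for the behaviour described in the Installation and Spreads via sections: a search-order shadow check for a copy of "clb.dll" sitting in %windir% next to the legitimate System32 copy, and a count of failed RDP logons per source address. Event field names follow Windows Security event 4625; the sample paths, events and threshold are constructed for illustration.

```python
"""Defender-side triage checks modelled on the Morto.F write-up (constructed
example; paths, events and thresholds are illustrative, not from a real host)."""
import ntpath
from collections import defaultdict

def find_shadowed_dlls(file_listing, windir=r"C:\Windows"):
    """DLLs directly in %windir% that duplicate a System32 DLL name.
    The real clb.dll lives in System32; a same-named copy one level up is
    found first by the DLL search order, which is the hijack Morto.F relies on."""
    windir = windir.lower().rstrip("\\")
    system32 = windir + r"\system32"
    in_windir, in_system32 = {}, set()
    for path in file_listing:
        parent, name = ntpath.split(path.lower())
        if not name.endswith(".dll"):
            continue
        if parent == windir:
            in_windir[name] = path          # keep original casing for reporting
        elif parent == system32:
            in_system32.add(name)
    return sorted(p for n, p in in_windir.items() if n in in_system32)

def rdp_password_guessing(events, threshold=5, logon_types=(10,)):
    """Source IPs with >= threshold failed logons (Security event 4625), the
    subnet-wide user name/password guessing the write-up describes. Type 10 is
    RemoteInteractive (RDP); under Network Level Authentication failures can
    also surface as type 3. Events are dicts keyed like the 4625 EventData."""
    attempts = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625 and e.get("LogonType") in logon_types:
            attempts[e["IpAddress"]].append(e["TargetUserName"].lower())
    return {ip: {"failures": len(u), "accounts": sorted(set(u))}
            for ip, u in attempts.items() if len(u) >= threshold}

# Constructed sample data: one hijacked clb.dll and one noisy RDP source.
SAMPLE_FILES = [r"C:\Windows\System32\clb.dll", r"C:\Windows\clb.dll",
                r"C:\Windows\System32\kernel32.dll", r"C:\Windows\explorer.exe",
                r"C:\Windows\Offline Web Pages\cache.txt"]
def _ev(eid, ltype, ip, user):
    return {"EventID": eid, "LogonType": ltype, "IpAddress": ip, "TargetUserName": user}
SAMPLE_EVENTS = [_ev(4625, 10, "192.168.1.77", u) for u in
                 ("administrator", "admin", "user", "test", "Administrator", "guest")]
SAMPLE_EVENTS += [_ev(4625, 10, "192.168.1.5", "alice"),   # a single typo, not a scan
                  _ev(4624, 10, "192.168.1.77", "administrator")]  # success, not counted

if __name__ == "__main__":
    print(find_shadowed_dlls(SAMPLE_FILES))        # ['C:\\Windows\\clb.dll']
    print(rdp_password_guessing(SAMPLE_EVENTS))
```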



Payload

Runs the main Morto component

If Worm:Win32/Morto.F is running as a service or within the context of the "rundll32.exe" process, it attempts to read the payload component from the drive "\\TsClient\A\Moto" (a drive redirected over the Remote Desktop session, which the Morto family uses to spread). It then compares the data stored in this drive to that saved in the subkey "HKLM\SYSTEM\Wpa\a". If the data is identical, it executes the Morto payload component, whose actions may include terminating processes or performing denial of service (DoS) attacks.



Analysis by Jireh Sanico

Last update 24 March 2012
