
Worm:Win32/Morto.J


First posted on 12 May 2012.
Source: Microsoft

Aliases :

Worm:Win32/Morto.J is also known as TR/Tracur.C.1 (Avira), W32.Morto!gen2 (Symantec).

Explanation :

Worm:Win32/Morto.J is a worm that can spread during a Remote Desktop session when connecting an infected computer to another computer.

Installation

Worm:Win32/Morto.J may be present in the Windows path as the following:

  • %windir%\clb.dll
  • %windir%\Offline Web Pages\cache.txt


Note that a legitimate file "clb.dll" is present by default in the Windows system folder. Due to the Windows order of execution, the worm copy in the Windows folder would have priority and therefore run ahead of the legitimate program.

The worm writes payload details to the following registry subkey:

  • HKLM\System\WPA\A
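
The file indicators above can be checked directly. The following is an added example, not Microsoft's tooling or part of the original description: it reports which of the listed paths exist under a given Windows directory, compares the hash of a clb.dll found in %windir% against the System32 copy (a differing copy in the directory that wins the load order is the condition the note above describes), and, when run on Windows, looks for the HKLM\System\WPA\A subkey. The `run_constructed_demo()` helper builds a constructed infected tree and a clean tree in a temporary directory so the check can be exercised offline.

```python
"""Check a Windows directory tree for the Worm:Win32/Morto.J file indicators
listed in the write-up and report whether a clb.dll in %windir% shadows the
System32 copy.

Added example (not Microsoft's tooling). The Windows directory is a parameter
so the check can be pointed at a live system, a mounted image, or the
constructed tree built by run_constructed_demo().
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Paths from the write-up, relative to %windir%
INDICATOR_PATHS = ("clb.dll", "Offline Web Pages/cache.txt")
REGISTRY_SUBKEY = r"System\WPA\A"  # under HKLM


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_morto_files(windir: Path) -> dict:
    """Return which indicator files exist and whether clb.dll in windir
    differs from the System32 copy (None if either file is absent)."""
    findings = {"present": [], "clb_in_windir": False, "clb_differs_from_system32": None}
    for rel in INDICATOR_PATHS:
        if (windir / rel).is_file():
            findings["present"].append(rel)
    rogue = windir / "clb.dll"
    legit = windir / "System32" / "clb.dll"
    if rogue.is_file():
        findings["clb_in_windir"] = True
        if legit.is_file():
            findings["clb_differs_from_system32"] = sha256_of(rogue) != sha256_of(legit)
    return findings


def check_morto_registry() -> bool | None:
    """True if the HKLM subkey exists, False if not, None when winreg is
    unavailable (i.e. not running on Windows)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_SUBKEY):
            return True
    except OSError:
        return False


def run_constructed_demo() -> tuple[dict, dict]:
    """Build a constructed 'infected' tree and a 'clean' tree under a temp
    directory and return the findings for each as (infected, clean)."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = Path(tmp) / "infected" / "Windows"
        clean = Path(tmp) / "clean" / "Windows"
        for root in (infected, clean):
            (root / "System32").mkdir(parents=True)
            (root / "System32" / "clb.dll").write_bytes(b"legitimate clb.dll (constructed)")
        # Only the infected tree gets the worm's files from the write-up
        (infected / "clb.dll").write_bytes(b"worm copy of clb.dll (constructed)")
        (infected / "Offline Web Pages").mkdir()
        (infected / "Offline Web Pages" / "cache.txt").write_bytes(b"payload details (constructed)")
        return check_morto_files(infected), check_morto_files(clean)


if __name__ == "__main__":
    hit, miss = run_constructed_demo()
    print("infected tree:", hit)
    print("clean tree:", miss)
    print("HKLM subkey present:", check_morto_registry())
```

On a real host, call `check_morto_files(Path(os.environ["WINDIR"]))`; a clb.dll directly in %windir% is abnormal regardless of the hash result, so `clb_in_windir` alone is worth an alert.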

Spreads via...

Remote Desktop connections

Win32/Morto attempts to spread to other computers by checking for active Remote Desktop sessions that are using the RDP default port 3389. If the worm is successful at logging into a system, Win32/Morto creates (on that computer) a temporary share and maps a drive as "A:" to that share. Win32/Morto writes a copy of the worm and a payload component to the newly created share and then executes the worm remotely by referencing it as the following:

\\tsclient\a\Moto\<worm copy>

Network connections

Win32/Morto attempts to connect, using certain user names and passwords, to other computers that are on the same subnet (e.g. 192.168.0.10, 192.168.0.11, 192.168.0.12 and so on). If the worm successfully connects to the target host, the worm spreads to that computer.
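
The two spreading mechanisms above share one observable pattern on the network: a single host opening connections to the default RDP port 3389 on neighbour after neighbour in its own subnet. The detector below is an added example, not part of the original description or any Microsoft product; it reads a constructed, generic `timestamp src dst port proto` connection log (the format is an assumption, not a real product's format) and raises one alert per source host that reaches at least `min_targets` distinct same-subnet hosts on 3389 within a time window, noting whether the addresses were consecutive as in the 192.168.0.10, .11, .12 sequence described above.

```python
"""Flag hosts that sweep TCP/3389 across their own subnet, the spread pattern
described for Win32/Morto.

Added example. The log format is a constructed, generic
"timestamp src dst port proto" line, not any product's native format.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample: 192.168.0.5 walks its subnet on 3389 in consecutive
# order; 192.168.0.20 makes one ordinary RDP session; a 443 line is noise.
SAMPLE_LOG = """\
2012-05-12T10:00:01 192.168.0.5 192.168.0.10 3389 tcp
2012-05-12T10:00:02 192.168.0.5 192.168.0.11 3389 tcp
2012-05-12T10:00:03 192.168.0.5 192.168.0.12 3389 tcp
2012-05-12T10:00:04 192.168.0.5 192.168.0.13 3389 tcp
2012-05-12T10:00:05 192.168.0.5 192.168.0.14 3389 tcp
2012-05-12T10:00:06 192.168.0.5 192.168.0.15 3389 tcp
2012-05-12T10:00:30 192.168.0.20 192.168.0.50 3389 tcp
2012-05-12T10:00:31 192.168.0.5 10.0.0.8 443 tcp
"""


@dataclass
class Conn:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int


def parse_line(line: str) -> Conn | None:
    """Parse one log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        return Conn(datetime.fromisoformat(parts[0]), ipaddress.IPv4Address(parts[1]),
                    ipaddress.IPv4Address(parts[2]), int(parts[3]))
    except ValueError:
        return None


def find_rdp_sweeps(log: str, *, min_targets: int = 5,
                    window: timedelta = timedelta(minutes=5), prefix: int = 24) -> list[dict]:
    """Return one alert per source that reached >= min_targets distinct hosts
    in its own /prefix subnet on RDP_PORT inside a sliding time window."""
    by_src: dict[ipaddress.IPv4Address, list[Conn]] = defaultdict(list)
    for raw in log.splitlines():
        c = parse_line(raw)
        if c is None or c.port != RDP_PORT:
            continue
        subnet = ipaddress.ip_network(f"{c.src}/{prefix}", strict=False)
        if c.dst != c.src and c.dst in subnet:
            by_src[c.src].append(c)

    alerts = []
    for src, conns in by_src.items():
        conns.sort(key=lambda c: c.ts)
        best: list[Conn] = []
        start = 0
        # Slide a time window over the connections and keep the one with the
        # most distinct destinations.
        for end in range(len(conns)):
            while conns[end].ts - conns[start].ts > window:
                start += 1
            span = conns[start:end + 1]
            if len({c.dst for c in span}) > len({c.dst for c in best}):
                best = span
        targets = sorted({c.dst for c in best})
        if len(targets) < min_targets:
            continue
        # Consecutive addresses: the numeric range is exactly as wide as the set
        sequential = int(targets[-1]) - int(targets[0]) + 1 == len(targets)
        alerts.append({
            "src": str(src),
            "targets": [str(t) for t in targets],
            "count": len(targets),
            "sequential": sequential,
            "first": best[0].ts.isoformat(),
            "last": best[-1].ts.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_sweeps(SAMPLE_LOG):
        print(alert)
```

Thresholds are deliberately parameters: jump hosts and scanners legitimately touch many RDP endpoints, so tune `min_targets` and `window` to the environment and whitelist known administrative sources before acting on an alert.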



Payload

Multiple payloads

If Worm:Win32/Morto.J is running as a service, or within the context of the "rundll32.exe" process, it attempts to read payload instructions that are stored in the network path "\\TsClient\A\Moto". Win32/Morto then compares the data stored there to data stored in the registry in subkey "HKLM\SYSTEM\Wpa\a".

If the data is identical, it executes the Morto payload, which may be to terminate processes or perform denial of service (DoS) attacks.

Additional information

For more information about Worm:Win32/Morto.gen!A, see our description elsewhere in the encyclopedia.





Analysis by Hyun Choi

Last update 12 May 2012

 
