Security home


Home / malwarePDF  


First posted on 09 June 2012.
Source: Microsoft

Aliases :

Worm:JS/Morph.A is also known as JS/Morpheus.A.1 (Avira), JS.Worm.Phremous.A (BitDefender), JS/AutoRun.NAE (ESET), Worm.JS.Morph (Ikarus), Trojan-Downloader.JS.Agent.gqi (Kaspersky), HTA/ (McAfee), Troj/Agent-WCZ (Sophos), JS.Phremous (Symantec).

Explanation :

Worm:JS/Morph.A is a worm that spreads to all disk drives, including removable drives and network shares, as a file named "M0rPheS.tpl". This worm could download other malware to your infected computer.


This worm could copy itself to your computer if you accessed an infected drive and opened shortcut links that appear as folders to view the drive contents. When run, Morph creates hidden folders on your computer, as in the following:

  • %USERPROFILE%\m0rpheus
  • %USERPROFILE% \msn

Note: %USERPROFILE% is a user profile folder specific to the logon account name and varies from Windows XP to Vista and beyond, as in the following typical Windows installation:
Windows XP - C:\Documents and Settings\<user name>
Windows Vista above - C:\Users\<user name>

Morph drops a copy of the worm as a file named "M0rPheuS.tpl" into various folders of your computer, as in the following:

  • %USERPROFILE%\m0rpheus\M0rPheuS.tpl
  • %USERPROFILE%\Desktop\M0rPheuS.tpl
  • %USERPROFILE%\Start Menu\M0rPheuS.tpl
  • %USERPROFILE%\My Documents\M0rPheuS.tpl
  • %USERPROFILE%\Start Menu\Programs\M0rPheuS.tpl
  • %USERPROFILE%\Start Menu\Programas\M0rPheuS.tpl

The worm then hides the following folders:

  • %USERPROFILE%\Desktop
  • %USERPROFILE%\Start Menu
  • %USERPROFILE%\My Documents
  • %USERPROFILE%\Start Menu\Programs
  • %USERPROFILE%\Start Menu\Programas

Morph then creates shortcut links by the same name as the hidden folders, and uses a file folder icon. When you hover the mouse over the shortcut, the words "Carpeta de archivo" are displayed:

If you double-click the above shortcut, it runs the worm and opens the "Program Files" folder. The shortcut is detected as Worm:JS/Morph.A!lnk.

Spreads via...

All drives

The worm copies itself across all accessible drives, including removable drives and network shares as the file "M0rPheuS.tpl". The worm hides folders found on the target drive, and creates shortcut links that have the same name as the hidden file folders. Opening the shortcut runs the worm and opens the hidden file folder.


Downloads other threats

Worm:JS/Morph.A attempts to download other malware to the folder %USERPROFILE%\msn (e.g. C:\Users\<user name>\msn):

  • update_m0rpheus.js - downloaded from the IP address and detected as TrojanDownloader:JS/Morph.C
  • msnmsgr.tpl - detected as Worm:JS/Morph.C
  • m2012_04.exe - detected as TrojanSpy:Win32/Spyeks.B
  • - detected as TrojanSpy:Win32/Spyeks.B
  • a.txt - detected as Worm:Win32/Autorun!inf
  • d.tpl - detected as TrojanDownloader:JS/Adodb
  • Informacion Importante.lnk - detected as TrojanDownloader:BAT/Lnkget.AU
  • mailpv.exe - detected as HackTool:Win32/Mailpassview
  • - detected as HackTool:Win32/Mailpassview
  • Mejores Amigos.lnk - detected as TrojanDownloader:BAT/Lnkget.AU

Terminates processes

If Worm:JS/Morph.C is downloaded and run by TrojanDownloader:JS/Morph.C, it attempts to terminate processes matching the following file names:

  • avgnt.exe - Avira Internet Security
  • avguard.exe - Avira Internet Security
  • avshadow.exe - Avira Internet Security
  • chrome.exe - Google Chrome web browser
  • firefox.exe - Mozilla Firefox web browser
  • GoogleUpdate.exe - software update program for Google applications
  • msnmsgr.exe - Windows Live Messenger
  • GoogleCrashHandler.exe - program that sends crash details and other data to Google for products such as Google Chrome

Creates a new user account

Worm:JS/Morph.C attempts to add a user named "M0rpheus" with password "M0rpheusHacker". Morph then adds the user to the local "Administradores" and "Administrators" groups, which gives the account administrator privileges.

Additional information

Although Worm:JS/Morph can spread to English-based Windows systems, it was written with Spanish Windows in mind, as evident by references to the worm shortcut as "Carpeta de archivo" (archive file folder). Also, one of the scripts attemtps to use the icon for Windows Live Messenger from the following static folder location:

C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe

Additionally, the IP address is located in Mexico.

Analysis by Wei Li

Last update 09 June 2012



Malware :