Cyberattacks August 2011 – Morto Worm Spreading via RDP
A new worm has been reported by F-Secure Lab. The malware is called Morto, and consists of several components which include an executable dropper and a DLL that delivers the payload.
After executing on a local system, the worm scans the infected computer’s subnet and attempts to connect to the systems it finds over the Remote Desktop Protocol (RDP) on port 3389.
Infected machines try to compromise the Administrator password for Remote Desktop connections by using a list of the most common passwords, such as admin, password, server, test, etc. Once it logs into a system, it copies clb.dll to the machine as a.dll and creates a .reg file in the directory.
The .reg file is intended to modify the registry so that rundll32.exe runs with Administrator privileges, and therefore so do the malware’s DLL and clb.dll. The payload is then delivered to other hosts on the Internet, allowing the malware to download additional information, update its components and receive new instructions.
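As an added defensive example (not part of the original report), the following Python script looks for the behaviour described above, a burst of failed RDP logons against the Administrator account from a single source followed by a successful logon, in constructed Windows Security-style audit records; the record format, the five-failures-per-minute threshold and the sample data are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on Windows Security audit events:
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
# Record format (constructed for this example): "timestamp|event_id|logon_type|source_ip|target_account"
SAMPLE_LOG = """\
2011-08-28 09:00:01|4625|10|10.0.0.7|Administrator
2011-08-28 09:00:02|4625|10|10.0.0.7|Administrator
2011-08-28 09:00:03|4625|10|10.0.0.7|Administrator
2011-08-28 09:00:04|4625|10|10.0.0.7|Administrator
2011-08-28 09:00:05|4625|10|10.0.0.7|Administrator
2011-08-28 09:00:06|4624|10|10.0.0.7|Administrator
2011-08-28 09:05:00|4625|10|10.0.0.21|alice
2011-08-28 09:30:00|4625|3|10.0.0.9|Administrator
"""

def parse_log(text):
    """Parse the constructed format into (time, event_id, logon_type, source_ip, account) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, src, acct = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), int(ltype), src, acct))
    return sorted(events)

def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources that fail RDP logons (type 10) to the Administrator account at least
    `threshold` times within `window`, and record if the same source then logs in successfully."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}                  # source_ip -> {"first_alert": ts, "success_after": ts or None}
    for ts, eid, ltype, src, acct in events:
        if ltype != 10 or acct.lower() != "administrator":
            continue              # only RDP attempts against the built-in admin account
        if eid == 4625:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"first_alert": ts, "success_after": None}
        elif eid == 4624 and src in flagged and flagged[src]["success_after"] is None:
            flagged[src]["success_after"] = ts   # guessing burst followed by a login: likely compromise
    return flagged
```

A real deployment would read these fields from the Security event log (for example via the Windows event APIs or a SIEM export) rather than from an embedded string.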
Morto is detected as Backdoor:W32/Morto.A and Worm:W32/Morto.B by F-Secure.