“There is no delight in owning anything unshared.”

Cyberattacks August 2011 – Morto Worms Spreading via RDP

A new worm has been reported by F-Secure Lab. The malware is called Morto, and consists of several components which include an executable dropper and a DLL that delivers the payload.

After executing the malware on a local system, the worm starts searching on the infected computer’s subnet and attempts to connect to located systems via the Remote Desktop Protocol Port 3389 (RDP).

Infected machines will be try to compromise administrator passwords for Remote Desktop connections by using a list of most common passwords, such as admin, password, server , test etc. Once it logs into system, it copies clb.dll to a.dll to the machine and creates a .reg file in the directory.

Creating the .reg file is intended to modify the registry and ensure that rundll32.exe runs with Administrator privileges so the malware’s DLL and clb.dll do too. The payload will then be delivered to other hosts on internet allowing it to download additional information and to update its components to receive new instructions.

Morto is detected as Backdoor:W32/Morto.A and Worm:W32/Morto.B by F-Secure.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s