Morto Computer Worm Spreading via RDP

Monday, August 29, 2011



A new worm has been reported by F-Secure Lab. The malware is called Morto, and consists of several components which include an executable dropper and a DLL that delivers the payload.

After executing on a local system, the worm scans the infected computer's subnet and attempts to connect to the systems it finds over the Remote Desktop Protocol (RDP), TCP port 3389.

"We don't see that many internet worms these days. It's mostly just bots and trojans. But we just found a new internet worm, and it's spreading in the wild," said F-Secure.

"It uses a new spreading vector that we haven't seen before: RDP."


Infected machines then try to compromise administrator passwords for Remote Desktop connections by using a list of common passwords such as admin, password, server, test, etc.

Once it logs into a system, it copies clb.dll as a.dll onto the machine and creates a .reg file in that directory.

The .reg file is intended to modify the registry so that rundll32.exe runs with Administrator privileges, and with it the malware's DLL and clb.dll.

The payload is then delivered to other hosts on the internet, allowing the worm to download additional information and to update its components in order to receive new instructions.

What is interesting is that Morto also attempts to terminate security processes related to popular antivirus products, such as AvastSvc, AVguard, AVGWDSVC, AVP, and more.

Morto is detected as Backdoor:W32/Morto.A and Worm:W32/Morto.B by F-Secure.
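As an added example, not part of the original article or of F-Secure's analysis, the following Python script detects the spreading pattern described above from a defender's side: one source address producing a burst of failed RDP logons against several hosts in a short window, with a note of any host it subsequently logged into. The log lines, their simplified key=value format and the host names are constructed for the example; the event codes (4625 failed logon, 4624 successful logon, logon type 10 for RemoteInteractive/RDP) are the real Windows Security event values, but a production detector would read the actual event log rather than this flattened form.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not from the article: simplified Windows Security log
# entries. event=4625 is a failed logon, 4624 a success; logon_type=10 is
# RemoteInteractive, i.e. a logon over RDP.
SAMPLE_LOG = """\
2011-08-29T10:00:01 host=WS01 event=4625 logon_type=10 user=administrator src=10.0.0.55
2011-08-29T10:00:02 host=WS01 event=4625 logon_type=10 user=admin src=10.0.0.55
2011-08-29T10:00:03 host=WS02 event=4625 logon_type=10 user=administrator src=10.0.0.55
2011-08-29T10:00:04 host=WS02 event=4625 logon_type=10 user=admin src=10.0.0.55
2011-08-29T10:00:05 host=WS02 event=4625 logon_type=10 user=server src=10.0.0.55
2011-08-29T10:00:06 host=WS02 event=4624 logon_type=10 user=administrator src=10.0.0.55
2011-08-29T10:05:00 host=WS01 event=4625 logon_type=10 user=alice src=10.0.0.7
"""
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
                     r"logon_type=(?P<lt>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log_text):
    # Yield one dict per parseable line, with the timestamp as a datetime.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev

def find_rdp_sweeps(log_text, window=timedelta(minutes=2), min_failures=5, min_hosts=2):
    """Flag sources with >= min_failures RDP logon failures spread over >= min_hosts
    hosts inside one time window, and report which hosts they then logged into."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ev in parse(log_text):
        if ev["lt"] == "10" and ev["event"] == "4625":
            fails[ev["src"]].append((ev["ts"], ev["host"], ev["user"]))
        elif ev["lt"] == "10" and ev["event"] == "4624":
            successes[ev["src"]].add(ev["host"])
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over the failures
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            if len(win) >= min_failures and len({h for _, h, _ in win}) >= min_hosts:
                hosts = {h for _, h, _ in events}
                alerts[src] = {"failures": len(events), "hosts": sorted(hosts),
                               "users": sorted({u for _, _, u in events}),
                               "succeeded_on": sorted(successes[src] & hosts)}
                break
    return alerts
```

On the sample, `find_rdp_sweeps(SAMPLE_LOG)` flags only 10.0.0.55, listing the guessed account names and WS02 as the host it eventually logged into; the single failure from 10.0.0.7 stays below the threshold.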

