
8/29/2011

[Warning] Microsoft Windows remote desktop worm "Morto" is spreading

1. Introduction

On Aug 28, 2011, the security software company F-Secure reported a worm, "Morto", that spreads over Remote Desktop.
The worm infects both Windows workstations and servers, and infected hosts have been reported to generate a large amount of network traffic on the RDP (Remote Desktop Protocol) port.

* Windows Remote Desktop worm "Morto" spreading

http://www.f-secure.com/weblog/archives/00002227.html

2. Spreading path and symptoms of infection

As noted above, the worm spreads over RDP: it attempts remote logins to administrator accounts that are protected by exposed or trivially simple passwords. Once logged in, it can compromise the new system and download and execute additional malicious files. While searching for targets it also generates a large amount of connection traffic to a single port, 3389/TCP.

Once a machine is infected with "Morto", it scans the local network for hosts with the RDP port open and attempts to connect to them. When a login succeeds, the infecting machine uses the file-sharing function of the remote session to copy itself onto a drive of the victim.
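The scanning behaviour described above is visible on the wire: one source opens connections to many distinct hosts on 3389/TCP in a short time, which an administrator reconnecting to a single server never does. The following script is an added example (it is not part of the original post and not INCA Internet's code) that flags such sources in a connection log. The log format, "<ISO timestamp> <src> <dst> <dst_port> <flags>", and the sample lines are constructed; the threshold of ten distinct targets per minute is an assumed starting point to tune for your network.

```python
"""Flag hosts sweeping a subnet on 3389/TCP (added example, not from the post).
Log format is constructed: "<ISO timestamp> <src> <dst> <dst_port> <flags>"."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389


def build_sample_log():
    """Constructed sample: 192.168.1.50 sweeps 29 hosts on 3389/TCP, one per
    second; 192.168.1.77 is an admin reconnecting to one server three times;
    one unrelated SMB connection from the sweeping host is included as noise."""
    base = datetime(2011, 8, 29, 9, 0, 0)
    lines = []
    for i in range(2, 31):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.168.1.50 192.168.1.{i} {RDP_PORT} SYN")
    for i in range(3):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.168.1.77 192.168.1.10 {RDP_PORT} SYN")
    lines.append(f"{base.isoformat()} 192.168.1.50 192.168.1.200 445 SYN")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Yield (timestamp, src, dst, dst_port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def rdp_sweep_sources(text, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: [distinct RDP targets]} for every source that reached at
    least `min_targets` distinct hosts on 3389/TCP inside any `window`.
    Repeated connections to one server (an admin session) never count twice."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == RDP_PORT:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        in_window = defaultdict(int)   # dst -> number of hits inside the window
        left = 0
        peak = 0
        for ts, dst in hits:
            in_window[dst] += 1
            # drop hits that have fallen out of the time window
            while ts - hits[left][0] > window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = sorted({d for _, d in hits},
                                  key=lambda ip: [int(o) for o in ip.split(".")])
    return flagged


if __name__ == "__main__":
    for src, targets in rdp_sweep_sources(build_sample_log()).items():
        print(f"{src} swept {len(targets)} hosts on {RDP_PORT}/TCP: "
              f"{targets[0]} .. {targets[-1]}")
```

Run against the constructed sample, only 192.168.1.50 is reported; the admin host that reconnected three times to the same server is not, because the window counts distinct destinations rather than raw connection attempts.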

The copied files have been observed at the following paths.

C:\Windows\Temp\ntshrui.dll
C:\Windows\System32\Sens32.dll
C:\Windows\Offline Web Pages\Cache.txt

The dropped DLLs (ntshrui.dll and sens32.dll) are then registered as service DLLs through the following registry values, so that they are loaded on every boot.

[HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
- Value name : "ServiceDll"
- Value data : "%windir%\temp\ntshrui.dll"

[HKLM\SYSTEM\CurrentControlSet\Services\6to4]
- Value name : "Description"
- Value data : "0"

[HKLM\SYSTEM\CurrentControlSet\Services\Sens]
- Value name : "DependOnService"
- Value data : "0"

[HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters]
- Value name : "ServiceDll"
- Value data : "%windir%\system32\sens32.dll"

The infected PC then stays active on its subnet and tries to log in to other systems using the following common passwords.

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

3. How to prevent

To keep your PC safe from worms of this kind, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security patches.
2. Use a complex password for the Windows logon, in particular for administrator accounts.
3. Disable shared folders that are not in use.
4. Use a personal or business firewall.
5. Set the web browser's security level to medium or higher.
6. Use anti-virus software and keep it updated with the latest security patches and signatures.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above through "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

- Worm/W32.Morto.7184
