Our research team came across a worm file which, on execution, wriggles its way through systems using the RDP port. This worm is known as Morto and is spreading very quickly in the wild. Morto uses RDP (Remote Desktop Protocol) to connect to remote systems and scans the network for the RDP port, which creates a lot of traffic on port 3389/TCP, the RDP port. It carries a list of default passwords which it uses to get into a system; the Morto worm spreads by logging into Remote Desktop servers in this way.
On execution it performs the following activities:
It drops the following files:
C:\WINDOWS\Offline Web Pages\cache.txt — cache.txt is a PE file.
C:\WINDOWS\system32\Sens32.dll
It modifies the following registry entries:
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000006
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x0000000A
HKLM\SYSTEM\ControlSet001\Services\SENS\DependOnService: 'EventSystem'
HKLM\SYSTEM\ControlSet001\Services\SENS\DependOnService: 00
HKLM\SYSTEM\ControlSet001\Services\SENS\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\SENS\Group: "SchedulerGroup"
HKLM\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll: "%SystemRoot%\system32\sens.dll"
HKLM\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll: "C:\WINDOWS\system32\Sens32.dll"
It connects to the remote server 210.3.38.82 and tries to download a file named 160.rar.
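As an added illustration (not part of the original analysis), the following Python detector applies the two network behaviours described above to constructed flow records: a host fanning out to many distinct TCP/3389 targets within a short window, and any host contacting the download server 210.3.38.82. The flow-log format, the thresholds and the sample internal IPs are assumptions.

```python
from collections import defaultdict

RDP_PORT = 3389
KNOWN_DOWNLOAD_SERVER = "210.3.38.82"  # download server named in the analysis above

# Constructed sample flow records (not from the original post).
# Assumed format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
1314000000 10.0.0.5 10.0.0.20 3389 tcp
1314000001 10.0.0.5 10.0.0.21 3389 tcp
1314000002 10.0.0.5 10.0.0.22 3389 tcp
1314000003 10.0.0.5 10.0.0.23 3389 tcp
1314000004 10.0.0.5 10.0.0.24 3389 tcp
1314000006 10.0.0.5 210.3.38.82 80 tcp
1314000010 10.0.0.7 10.0.0.20 3389 tcp
1314000900 10.0.0.7 10.0.0.21 3389 tcp
1314000011 10.0.0.8 10.0.0.30 443 tcp
"""

def parse_flows(text):
    """Parse flow lines into (ts, src, dst, dport, proto); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        flows.append((int(ts), src, dst, int(port), proto.lower()))
    return flows

def detect_rdp_scanners(flows, window=60, min_targets=5):
    """Sources reaching >= min_targets distinct TCP/3389 hosts within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "tcp" and port == RDP_PORT:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # the sliding window below needs time order
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            hits[src] = best  # peak distinct-target count seen in one window
    return hits

def detect_download_server_contact(flows):
    return sorted({src for _, src, dst, _, _ in flows if dst == KNOWN_DOWNLOAD_SERVER})
```

An administrator opening one or two RDP sessions stays under the threshold (10.0.0.7 above), while a host probing five neighbours in a few seconds is flagged.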
Quick Heal detects this infection as Worm.Morto.a and protects its users.
Thanks to Laxmikant N for the analysis.