The Latest in IT Security

W32.Morto.B – Morto Adds File Infection to its Arsenal

10
Jul
2012

W32.Morto first surfaced in August 2011 causing a stir when it targeted weak passwords on Remote Desktop Protocol Connections in order to propagate across networks. W32.Morto.B, the new variant, now has the ability to infect executable files on a compromised computer. Let’s take a look at the infected files in a bit more detail.

Figure 1. W32.Morto.B file infection schematics   Before infecting a file, W32.Morto.B will check for an infection marker. This is to ensure it doesn’t attempt multiple infections on the same file, a common check performed by file infecting threats. The marker it looks for is stored in the MZ header and can be seen in Figure 2 below:   Figure 2. W32.Morto.B file infection marker   If this marker is not present, it will proceed to insert the viral body into the last section of the file and update the attributes of this section so that it is run when the file is executed. As a final step it will modify the original entry point to point to the newly inserted viral code.  Once the infected file is executed, instead of executing the original code path – the inserted viral code will execute first. The entry point of the worm contains a small decryption routine, which decrypts the viral body and then executes it.  Once completed, the worm will return execution to the original entry point of the file and the original application will continue to execute as normal.   Figure 3. Code extract showing flow of execution from viral entry point   We are currently investigating this threat for any additional functionality and will be updating this blog as details become available. Ensure that your anti-virus is up to date to protect against this latest evolution of the Morto worm.  

Leave a reply


Categories

THURSDAY, DECEMBER 05, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments