Worm:Win32/Morto.A


Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.
Additional information for Enterprise users

In the wild, we have observed this threat infecting computers by targeting accounts that have 'weak' passwords.

To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.

To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good policies include, but are not limited to:

  • Ensuring there are rules around password complexity, so that passwords meet basic strong password requirements, such as minimum length (long passwords are usually stronger than short ones)
  • Ensuring passwords are not used for extended periods of time; consider setting an expiry every 30 to 90 days. You might also consider enforcing password history, so that users cannot re-use the same password within a pre-defined time frame
  • Ensuring passwords contain a combination of:
    • Uppercase letters
    • Lowercase letters
    • Numerals, and
    • Symbols

For general information about password best practices, please see the following articles:

To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Note: Users affected by this worm may be prompted to reboot their computers as part of the cleaning process, and then prompted to run a full scan after rebooting.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.

Installation
The malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.

When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, and a copy is also written to c:\windows\offline web pages\cache.txt. If the malware updates itself, the previous copy is kept as clb.dll.bak. The executable component also writes encrypted code to the registry value HKLM\SYSTEM\WPA\md and then exits.

The name clb.dll is chosen because this is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This DLL has encrypted configuration information appended to it in order to download and execute new components.

The following files are also created by the malware:

  • %windows%\temp\ntshrui.dll
  • <system folder>\sens32.dll
  • c:\windows\offline web pages\cache.txt - detected as Worm:Win32/Morto.A

The following registry modifications are made to load the DLLs as services upon system boot:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"

Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may be replaced later on with malicious components which are downloaded to:

  • c:\windows\offline web pages\cache.txt

and replace sens32.dll via a value in the following registry subkey:

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).

Spreads via…

Compromising Remote Desktop connections on a network: Port 3389 (RDP)
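On the machines being attacked, this spreading behaviour leaves a burst of failed logons from one source address against many account names, followed by a success if a guess lands. The following detector is an added example and not code from the original write-up; it runs over Security log events exported from the targets (the infected host itself clears its logs, see "Clears system event log" below). The event lines are constructed for the example in a simplified pipe-delimited form (timestamp|EventID|LogonType|TargetUserName|IpAddress) that a collector could emit; thresholds and function names are this example's own choices.

```python
"""Flag RDP password-guessing bursts in Windows Security log events.

Added example, not code from the original write-up. The event lines are
constructed; real events would come from wevtutil, Get-WinEvent or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host spraying six account names in a few seconds,
# then a successful logon as administrator; a second source with ordinary typos.
SAMPLE_EVENTS = """\
2011-08-27T10:00:01|4625|10|administrator|10.0.0.37
2011-08-27T10:00:02|4625|10|administrator|10.0.0.37
2011-08-27T10:00:03|4625|10|admin|10.0.0.37
2011-08-27T10:00:04|4625|3|support|10.0.0.37
2011-08-27T10:00:05|4625|10|guest|10.0.0.37
2011-08-27T10:00:06|4625|10|sql|10.0.0.37
2011-08-27T10:00:07|4625|10|backup|10.0.0.37
2011-08-27T10:00:08|4624|10|administrator|10.0.0.37
2011-08-27T10:05:00|4625|10|jsmith|10.0.0.12
2011-08-27T11:30:00|4625|10|jsmith|10.0.0.12
"""

# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); with Network Level Authentication a failed
# attempt is often recorded as type 3 (Network) instead, so both count.
FAILED, SUCCESS = 4625, 4624
RDP_LOGON_TYPES = {3, 10}


def parse_events(text: str) -> list[dict]:
    """Turn the pipe-delimited lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),   # Windows account names are case-insensitive
            "ip": ip,
        })
    return events


def detect_rdp_spray(events: list[dict], window: timedelta = timedelta(minutes=5),
                     min_failures: int = 5, min_users: int = 3) -> list[dict]:
    """One alert per source IP that fails >= min_failures logons spread over
    >= min_users distinct account names inside `window`, plus any account
    that then logged on successfully from the same source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event_id"] == FAILED]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in burst}
            if len(burst) < min_failures or len(users) < min_users:
                continue
            last = burst[-1]["ts"]
            compromised = {e["user"] for e in evs
                           if e["event_id"] == SUCCESS and first["ts"] <= e["ts"] <= last + window}
            alerts.append({
                "ip": ip,
                "start": first["ts"],
                "failures": len(burst),
                "users": sorted(users),
                "success_after_spray": sorted(compromised),
            })
            break  # the first qualifying window is enough for one alert per source
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ip']}: {a['failures']} failures over {len(a['users'])} accounts "
              f"from {a['start']:%H:%M:%S}; successful logons after: "
              f"{a['success_after_spray'] or 'none'}")
```

The two attempts from 10.0.0.12 are an hour apart and hit a single account, so they never reach the threshold; the burst from 10.0.0.37 does, and the 4624 that follows it is reported as the account to treat as compromised. Tune `window` and the thresholds to the normal failure rate of your own environment before alerting on this.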

Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems using the following user names:

1
actuser

adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5

with the following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
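The enterprise guidance above asks you to verify that none of your accounts use passwords like those in the worm's dictionary. The following check is an added example, not code from the original write-up: it takes the two lists just quoted and answers whether a given account/password pair is inside the worm's guessing space. The write-up does not say what the "%u%" entries expand to; this example assumes "%u%" is replaced with the account name being tried (so "%u%12" becomes, for example, "admin12"), which is how such placeholders are normally used in password dictionaries.

```python
"""Does Morto's RDP dictionary cover a given credential pair?

Added example, not code from the original write-up. The account names and
passwords are the two lists quoted in the write-up. The meaning of "%u%"
(account name substitution) is an assumption of this example.
"""

MORTO_USERNAMES = [
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
    "backup", "computer", "console", "david", "guest", "john", "owner",
    "root", "server", "sql", "support", "support_388945a0", "sys",
    "test2", "test3", "user", "user1", "user5",
]

MORTO_PASSWORDS = [
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "!@#$%^", "%u%",
    "%u%12", "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123", "abcd1234",
    "admin", "admin123", "letmein", "pass", "password", "server", "test",
    "user",
]


def guesses_for(username: str) -> list[str]:
    """Passwords the worm would try against one account, in dictionary order.

    "%u%" is expanded to the account name (assumption, see module docstring).
    Duplicates that the expansion creates (e.g. "%u%" -> "admin" next to the
    literal "admin") are dropped, keeping the first occurrence.
    """
    expanded = [p.replace("%u%", username) for p in MORTO_PASSWORDS]
    return list(dict.fromkeys(expanded))


def morto_would_guess(username: str, password: str) -> bool:
    """True if the worm's dictionary contains exactly this credential pair.

    Windows account names are case-insensitive, so the name is lower-cased
    before the lookup; the password comparison is exact, because the worm
    only ever sends the literal dictionary strings.
    """
    name = username.lower()
    return name in MORTO_USERNAMES and password in guesses_for(name)


def audit_credentials(creds: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (account, password) pairs the worm would log in with."""
    return [(u, p) for u, p in creds if morto_would_guess(u, p)]


if __name__ == "__main__":
    # Constructed sample, standing in for the output of a password audit.
    sample = [
        ("Administrator", "admin123"),         # literal dictionary entry
        ("administrator", "administrator12"),  # "%u%12" expansion
        ("Administrator", "Tr0ub4dor&3"),      # not in the dictionary
        ("jsmith", "123456"),                  # weak, but the account is not targeted
    ]
    for user, pw in audit_credentials(sample):
        print(f"Morto would log in as {user!r} with {pw!r}")
```

Note the last sample entry: a password such as "123456" on an account name the worm does not try is outside Morto's space but is still trivially guessable by the next worm, so a clean result from this check is not a substitute for the complexity and length rules given above.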

If the worm succeeds in logging into a system, it copies clb.dll as a.dll, together with a file named r.reg, into a local directory that it temporarily maps as drive A:. Through RDP drive redirection that directory is exposed to the remote session as the \\tsclient\a share, and both files are then executed on the remote system from there.

The file r.reg, contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"

"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"

The intention of importing this .reg file appears to be to disable UAC (EnableLUA=0, with no consent prompt for administrators) and to mark every likely path of rundll32.exe with the RUNASADMIN compatibility layer, so that rundll32.exe, and therefore the malware's clb.dll that it loads, runs with administrator privileges.
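To see what such a file would do before (or instead of) importing it, it helps to parse it rather than read it. The parser below is an added example and not code from the original write-up; SAMPLE_R_REG is an abbreviated copy of the r.reg content quoted above, and the finding texts and function names are this example's own. It handles the subset of .reg syntax used there: [key] headers, dword values and quoted strings with the backslash escaping .reg files use.

```python
"""Parse a .reg export and flag the UAC-weakening settings Morto imports.

Added example, not code from the original write-up. SAMPLE_R_REG is an
abbreviated copy of the r.reg content quoted in the write-up.
"""
import re

SAMPLE_R_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LAYERS_KEY_SUFFIX = r"\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers".lower()


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(data: str) -> tuple[str, object]:
    """Classify the right-hand side of a value line."""
    if data.startswith("dword:"):
        return ("dword", int(data[len("dword:"):], 16))   # dword data is hexadecimal
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("string", _unescape(data[1:-1]))
    return ("raw", data)   # hex(...), binary and other forms are left untouched


def parse_reg(text: str) -> dict[str, dict[str, tuple[str, object]]]:
    """Map each [key] to its {value name: (kind, data)} entries."""
    keys: dict[str, dict[str, tuple[str, object]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _parse_data(m.group(2))
    return keys


def uac_findings(keys: dict) -> list[str]:
    """Describe what importing these keys would do to UAC and to rundll32.exe."""
    findings = []
    policy = keys.get(UAC_POLICY_KEY, {})
    if policy.get("EnableLUA") == ("dword", 0):
        findings.append("EnableLUA=0: UAC is switched off machine-wide (effective after reboot)")
    if policy.get("ConsentPromptBehaviorAdmin") == ("dword", 0):
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
    for key, values in keys.items():
        if not key.lower().endswith(LAYERS_KEY_SUFFIX):
            continue
        for name, (kind, data) in values.items():
            if kind == "string" and "RUNASADMIN" in data.upper():
                findings.append(f"RUNASADMIN compatibility layer forces elevation of {name}")
    return findings


if __name__ == "__main__":
    for finding in uac_findings(parse_reg(SAMPLE_R_REG)):
        print("-", finding)
```

The two mechanisms complement each other: EnableLUA=0 only takes effect after a reboot, whereas the RUNASADMIN layer in the current user's AppCompatFlags\Layers key makes the next launch of rundll32.exe request elevation immediately, and with ConsentPromptBehaviorAdmin=0 an administrator session grants that request silently.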

Payload

Contacts remote host

Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:

210.3.38.82
jifr.info
jifr.co.cc
jifr.co.be
jifr.net

qfsl.net
qfsl.co.cc
qfsl.co.be

Newly downloaded components are saved under a file name of the form:

~MTMP<4 hexadecimal digits, 0-f>.exe

Performs Denial of Service attacks

Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.

Terminates processes

Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu

Clears system event log

Worm:Win32/Morto.A clears the following Windows event logs:

  • Application
  • Security
  • System

Additional information

Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:

HKLM\SYSTEM\Wpa\it
HKLM\SYSTEM\Wpa\id
HKLM\SYSTEM\Wpa\sn
HKLM\SYSTEM\Wpa\ie
HKLM\SYSTEM\Wpa\md
HKLM\SYSTEM\Wpa\sr

It also makes the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"


Analysis by Matt McCormack


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %Windows%\clb.dll
    %Windows%\clb.dll.bak
    %windows%\temp\ntshrui.dll
    <system folder>\sens32.dll
    c:\windows\offline web pages\cache.txt
  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\Wpa
    Sets value: it
    Sets value: id
    Sets value: sn
    Sets value: ie
    Sets value: md
    Sets value: sr

    In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
    Sets value: "NoPopUpsOnBoot"
    With data: "1"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    Sets value: "ServiceDll"
    With data: "%windir%\temp\ntshrui.dll"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
    Sets value: "Description"
    With data: "0"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
    Sets value: "DependOnService"
    With data: "0"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
    Sets value: "ServiceDll"
    With data: "<system folder>\sens32.dll"


Prevention


Alert level: Severe
First detected by definition: 1.111.868.0
Latest detected by definition: 1.111.1134.0 and higher
First detected on: Aug 27, 2011
This entry was first published on: Aug 28, 2011
This entry was updated on: Sep 01, 2011

This threat is also detected as:
  • Trojan horse Generic24.OJQ (AVG)
  • Trojan.DownLoader4.48720 (Dr.Web)
  • Win-Trojan/Helpagent.7184 (AhnLab)
  • Troj/Agent-TEE (Sophos)
  • Backdoor:Win32/Morto.A (Microsoft)