Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by attempting to compromise administrator passwords for Remote Desktop connections on a network.
The malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.
When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, as well as c:\windows\offline web pages\cache.txt. If updated by the malware, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits.
The name clb.dll is chosen because this is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This DLL has encrypted configuration information appended to it in order to download and execute new components.
The following files are also created by the malware:
c:\windows\offline web pages\cache.txt - detected as Worm:Win32/Morto.A
The following registry modifications are made to load the DLLs as services upon system boot:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"
Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may be replaced later on with malicious components which are downloaded to:
c:\windows\offline web pages\cache.txt
and replace sens32.dll via a value in the following registry subkey:
Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).
Compromising Remote Desktop connections on a network: Port 3389 (RDP)
The worm cycles through IP addresses on the affected computer's subnet and attempts to connect to the systems it finds using the following usernames:
with the following passwords:
If the worm is successful at logging into a system, it then copies clb.dll to a.dll on that computer and creates a file, r.reg, in a directory which is temporarily mapped to A: (both of which are executed on the remote system by way of the \\tsclient\a share).
The file r.reg contains the following:
The intention of importing this reg file appears to be to modify the registry to ensure that rundll32.exe runs with Administrator privileges, and thus that the malware's DLL, clb.dll, does too.
Contacts remote host
Morto connects to the following hosts in order to download additional information and update its components:
Newly downloaded components are saved to a filename that uses the following format:
~MTMP<4 digits 0-f>.exe
Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.
Clears system event log
Worm:Win32/Morto deletes system event logs in the following categories:
Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:
It also makes the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
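The following read-only triage script is an added example and not part of the original analysis. It checks a Windows host for the file, ServiceDll, WPA and NoPopUpsOnBoot artifacts described above; the idea that any ServiceDll under %windir%\temp or named sens32.dll is suspect is an assumption based on the values listed on this page.

```powershell
# Added example (not from the original write-up): read-only check for the Morto
# artifacts described above. Run from an elevated PowerShell prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. DLL planting: regedit.exe lives in %windir%, so a clb.dll placed there is
#    loaded instead of the legitimate %windir%\System32\clb.dll.
$planted = Join-Path $env:windir 'clb.dll'
foreach ($path in @($planted, "$planted.bak")) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Planted DLL present: $path") }
}

# 2. Dropped payload file.
$cache = Join-Path $env:windir 'offline web pages\cache.txt'
if (Test-Path -LiteralPath $cache) { $findings.Add("Dropped file present: $cache") }

# 3. ServiceDll values of the 6to4 and Sens services. Assumption: a ServiceDll
#    under %windir%\temp, or one named sens32.dll (the genuine Sens DLL is
#    sens.dll), indicates the hijack described above.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services\6to4\Parameters',
            'HKLM:\SYSTEM\CurrentControlSet\Services\Sens\Parameters'
foreach ($key in $services) {
    $dll = (Get-ItemProperty -LiteralPath $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and ($dll -like "$env:windir\temp\*" -or $dll -like '*\sens32.dll')) {
        $findings.Add("Suspicious ServiceDll in ${key}: $dll")
    }
}

# 4. Encrypted code / configuration under HKLM\SYSTEM\WPA. The WPA key itself is
#    present on clean Windows XP hosts, so only the 'md' value or subkey is checked.
$wpa = 'HKLM:\SYSTEM\WPA'
$md  = Get-ItemProperty -LiteralPath $wpa -Name md -ErrorAction SilentlyContinue
if ($md -or (Test-Path -LiteralPath "$wpa\md")) {
    $findings.Add("Morto configuration data found under $wpa (md)")
}

# 5. NoPopUpsOnBoot = 1, the registry modification listed above.
$win = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -ErrorAction SilentlyContinue
if ($win -and $win.NoPopUpsOnBoot -eq 1) { $findings.Add('NoPopUpsOnBoot is set to 1') }

if ($findings.Count -eq 0) { 'No Morto indicators found.' } else { $findings }
```

A hit on any single item warrants pulling the files and registry values for analysis rather than cleaning in place, since the DLLs named in the service entries may still be the benign loaders described above.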
Analysis by Matt McCormack