Skip to main content
Skip to main content
Microsoft Security Intelligence
Published Oct 25, 2011 | Updated Sep 15, 2017


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Worm:Win32/Morto.D is malware that loads, decrypts, and executes the main Morto payload.

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Note: Users affected by this worm may be prompted to reboot their computers as part of the cleaning process, and then prompted to run a full scan after rebooting.

For more information on antivirus software, see

Additional information for Enterprise users

In the wild, we have observed this threat infecting computers by targeting accounts that have 'weak' passwords.

To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.

To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good polices include, but are not limited to:

  • Ensuring there are rules around password complexity, so that passwords meet basic strong password requirements, such as minimum length (long passwords are usually stronger than short ones)
  • Ensuring passwords are not used for extended periods of time; consider setting an expiry every 30 to 90 days. You might also consider enforcing password history, so that users can not re-use the same password within a pre-defined time frame
  • Ensuring passwords contain a combination of:
    • Uppercase letters
    • Lowercase letters
    • Numerals, and
    • Symbols

For general information about password best practices, please see the following articles:

To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.

Follow us