Worm:Win32/Morto.A

a1234567mdy 发表于 2011-12-23 03:07

<a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A" target="_blank">http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A</a> 
<div class="wrapLongText" id="contentTitle" style="overflow: hidden; width: 910px;">Worm:Win32/Morto.A
<a id="ctl00_ctl00_pageContent_contentTop_ctl00_contenttop_hlNaming" title="Learn more about how the MMPC names malware" href="../../Shared/Help.aspx#malware_naming" target="_self">(?)</a> </div> 
<div class="contentText" style="width: 910px;">Encyclopedia
entry Updated: Sep 01, 2011  |  Published: Aug 28, 2011
 Aliases 
<ul class="notranslate" style="padding: 0px; margin: 0px; list-style-type: none;"><li>Trojan
horse Generic24.OJQ (AVG)

</li><li>Trojan.DownLoader4.48720
(Dr.Web)

</li><li>Win-Trojan/Helpagent.7184
(AhnLab)

</li><li>Troj/Agent-TEE
(Sophos)

</li><li>Backdoor:Win32/Morto.A
(Microsoft)
</li></ul> Alert Level <a id="ctl00_ctl00_pageContent_contentTop_ctl00_contenttop_hlAlertLevel" title="Learn more about the MMPC Alert Levels" href="../../Shared/Help.aspx#alert_level" target="_self">(?)</a> Severe
 Antimalware protection
details Microsoft recommends that you
download the <a id="ctl00_ctl00_pageContent_contentTop_ctl00_contenttop_latestDef" href="../../Definitions/ADL.aspx">latest definitions</a> to get protected.
<div class="leftmarg">
<table>
<tbody>
<tr>
<td>Detection last updated: Definition: 1.111.1134.0 Released: Aug 31,
2011 </td>
<td style="width: 50px;"> </td>
<td>Detection initially created: Definition: 1.111.868.0 Released: Aug
27, 2011 </td></tr></tbody></table></div></div>
<div> 

On this page
<div class="sectionpadding"><a href="#summary_link" target="_blank">Summary</a>|<a href="#symptoms_link" target="_blank">Symptoms</a>|<a href="#techdetails_link" target="_blank">Technical
Information</a>|<a href="#prevention_link" target="_blank">Prevention</a>|<a href="#recovery_link" target="_blank">Recovery</a> </div> </div>
<div class="wrapLongText" id="EntryContentDetails">

 <a name="summary_link"> </a>
Summary
<div class="detailSectionPadding contentText">
<div align="left">Worm:Win32/Morto.A is a worm
that allows unauthorized access to an affected computer. It spreads by trying to
compromise administrator passwords for Remote
Desktop connections on a network.</div>
<div align="left">
<div align="left">
Additional information for Enterprise
users
In the wild, we have observed this
threat infecting computers by targeting accounts that have 'weak' passwords.
To help prevent infection, and
consequent re-infection, we recommend making sure that your organization uses <a href="http://www.microsoft.com/en-au/security/online-privacy/passwords-create.aspx" target="_blank">strong
passwords</a> for system and user accounts, and verifying that you do not use
passwords like those being used by the malware in order to spread.
Changing your password will significantly decrease your chance of
re-infection.
To thwart this and similar threats, it
helps to adhere to best password practices, defined and enforced by appropriate
policies. Good polices include, but are not limited to:
<ul><li>Ensuring there are rules around password complexity, so that passwords meet
basic strong password requirements, such as minimum length (long passwords are
usually stronger than short ones)
</li><li>Ensuring passwords are not used for extended periods of time; consider
setting an expiry every 30 to 90 days. You might also consider enforcing
password history, so that users can not re-use the same password within a
pre-defined time frame
</li><li>Ensuring passwords contain a combination of:
<ul><li>Uppercase letters
</li><li>Lowercase letters
</li><li>Numerals, and
</li><li>Symbols </li></ul></li></ul>
For general information about password
best practices, please see the following articles:
<ul><li><a href="http://technet.microsoft.com/en-us/library/cc784090%28WS.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx</a>

</li><li><a href="http://technet.microsoft.com/en-us/library/cc756109%28WS.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx</a>
</li></ul>
To help prevent re-infection after
cleaning, you may also want to consider changing the password for every account
on the network, for every user in your environment.</div></div></div>
<div class="contentText pagetaglink"> <a href="#top" target="_blank">Top</a></div>

 <a name="symptoms_link"> </a>
Symptoms
<div class="detailSectionPadding contentText">
<div>
System changes
The following system changes may
indicate the presence of this malware:
<ul><li>The presence of the following files: %Windows%\clb.dll %Windows%\clb.dll.bak %windows%\temp\ntshrui.dll <system
folder>\sens32.dll c:\windows\offline web pages\cache.txt 
</li><li>The presence of the following registry modifications: 
In subkey: HKLM\SYSTEM\Wpa Sets value: it Sets value: id Sets value: sn Sets value: ie Sets value: md Sets value: sr
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows Sets
value: "NoPopUpsOnBoot" With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters Sets
value: "ServiceDll" With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4 Sets
value: "Description" With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens Sets
value: "DependOnService" With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters Sets
value: "ServiceDll" With data: "<system
folder>\sens32.dll"</li></ul></div></div>
<div class="contentText pagetaglink"> <a href="#top" target="_blank">Top</a></div>

 <a name="techdetails_link"> </a>
Technical Information (Analysis)
<div class="detailSectionPadding contentText">
<div>
Worm:Win32/Morto.A is a worm that allows unauthorized
access to an affected computer. It spreads by trying to compromise administrator
passwords for Remote Desktop connections on a
network.
InstallationThe malware consists
of several components, including an executable dropper component (the
installer), and a DLL component which performs
the payload. When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, as well asc:\windows\offline web pages\cache.txt. If updated by
the malware, backups are created as clb.dll.bak.The executable component also writes
encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits. The name clb.dll is chosen because this
is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once
regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which
Windows searches for files (i.e. the Windows directory is searched before the System directory). This DLL
has encrypted configuration information appended to it in order to
download and execute new components.
The following files are also created by
the malware:
<ul><li>%windows%\temp\ntshrui.dll
</li><li><system
folder>\sens32.dll
</li><li>c:\windows\offline web
pages\cache.txt - detected as Worm:Win32/Morto.A</li></ul>
The following registry modifications are
made to load the DLLs as services upon system
boot:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters Sets
value: "ServiceDll" With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4 Sets
value: "Description" With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens Sets
value: "DependOnService" With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters Sets
value: "ServiceDll" With data: "<system
folder>\sens32.dll"
Initially, these files are clean and
benign DLLs. They are used to load clb.dll in the same way as
regedit. They may be replaced later on with
malicious components which are downloaded to:
<ul><li>c:\windows\offline web
pages\cache.txt</li></ul>
and replace sens32.dll via a value in the following registry
subkey:
<ul><li>HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\PendingFileRenameOperations</li></ul>
Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read
by clb.dll, loaded and
executed. This contains the worm functionality (see below for additional
detail).
Spreads via…
Compromising Remote Desktop connections on a network: Port 3389
(RDP)
Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and
attempts to connect to located systems using the following user names:
1 actuser adm admin admin2 administrator aspnet backup computer console david guest john owner root server sql support support_388945a0 sys test2 test3 user user1 user5
with the following
passwords: *1234 0 111 123 369 1111 12345 111111 123123 123321 123456 168168 520520 654321 666666 888888 1234567 12345678 123456789 1234567890 !@#$%^ %u% %u%12 1234qwer 1q2w3e 1qaz2wsx aaa abc123 abcd1234 admin admin123 letmein pass password server test user
If the worm is successful at logging
into a system, it then copies clb.dll to a.dll on the computer and creates a file .reg in a directory which is
temporarily mapped to A: (both of which are
remotely executed on the remote system by way of the \\tsclient\a share). The file r.reg,
contains the following:
 "ConsentPromptBehaviorAdmin"=dword:0 "EnableLUA"=dword:0 [HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\Layers] "c:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "d:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "e:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "f:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "g:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "h:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "i:\\windows\\system32\\rundll32.exe"="RUNASADMIN" "c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN" "c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN" "c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN" "c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN" "c:\\win7\\system32\\rundll32.exe"="RUNASADMIN" "c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN" The
intention of importing this reg file appears to be to modify the registry to
ensure that rundll32.exe runs with Administrator privileges, and thus that the malware's
DLL, clb.dll does too.
Payload
Contacts remote
host
Worm:Win32/Morto.A connects to the following hosts in
order to download additional information and update its components:
210.3.38.82 jifr.info jifr.co.cc jifr.co.be jifr.net qfsl.net qfsl.co.cc qfsl.co.be Newly downloaded components are
downloaded to a filename that uses the following format:
~MTMP<4 digits 0-f>.exe Performs
Denial of Service attacks
Morto may
be ordered to perform <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Glossary.aspx#dos" target="_blank">Denial
of Service </a>attacks against attacker-specified targets.
 Terminates processes
Morto.A
terminates processes that contain the following strings. The selected strings
indicate that the worm is attempting to stop processes related to popular
security-related applications. ACAAS 360rp a2service ArcaConfSV AvastSvc avguard avgwdsvc avp avpmapp ccSvcHst cmdagent coreServiceShell ekrn FortiScand FPAVServer freshclam fsdfwd GDFwSvc K7RTScan knsdave KVSrvXP kxescore mcshield MPSvc MsMpEng NSESVC.EXE PavFnSvr RavMonD SavService scanwscs SpySweeper Vba32Ldr vsserv zhudongfangyu
Clears system event
log
Worm:Win32/Morto deletes system event
logs categorized in the following:
<ul><li>Application
</li><li>Security
</li><li>System</li></ul>
Additional information
Morto
stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry
values:
HKLM\SYSTEM\Wpa\it HKLM\SYSTEM\Wpa\id HKLM\SYSTEM\Wpa\sn HKLM\SYSTEM\Wpa\ie HKLM\SYSTEM\Wpa\md HKLM\SYSTEM\Wpa\sr
It also makes the following registry
modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows Sets
value: "NoPopUpsOnBoot" With data: "1"
 Analysis by Matt McCormack</div></div>
<div class="contentText pagetaglink"> <a href="#top" target="_blank">Top</a></div>

 <a name="prevention_link"> </a>
Prevention
<div class="detailSectionPadding contentText">
<div>
Follow these general security tips to
better protect your system:
<ul style="margin-top: 0px; margin-bottom: 0px;" type="disc"><li>Enable a firewall on your computer.
</li><li>Get the latest computer updates.
</li><li>Limit user privileges on the computer.
</li><li>Run an up-to-date scanning and removal tool.
</li><li>Use caution with attachments and file transfers.
</li><li>Use caution when clicking on links to webpages.
</li><li>Avoid downloading pirated software.
</li><li>Protect yourself against social engineering attacks.
</li><li>Use strong passwords. </li></ul>
Enable a firewall on your computer
Use a third-party firewall product or
turn on the Microsoft Windows Internet Connection
Firewall.
<ul style="margin-top: 0px; margin-bottom: 0px;" type="disc"><li><a href="http://windows.microsoft.com/en-US/windows7/Turn-Windows-Firewall-on-or-off" target="_blank">How
to turn on the Windows Firewall in Windows 7</a> 
</li><li><a href="http://windows.microsoft.com/en-US/windows-vista/Turn-Windows-Firewall-on-or-off" target="_blank">How
to turn on the Windows Firewall in Windows Vista</a> 
</li><li><a href="http://support.microsoft.com/kb/283673" target="_blank">How
to turn on the Windows firewall in Windows XP</a> </li></ul>
Get the latest computer updates
Updates help protect your computer from
viruses, worms, and other threats as they are discovered. It is important to
install updates for all the software that is installed in your computer. These
are usually available from vendor websites.Instructions on how to download the
latest versions of some common software is available from the following:
<ul><li><a href="http://www.microsoft.com/security/portal/Shared/SWUpdates.aspx" target="_blank">Microsoft
Malware Protection Center - Updating Software</a> </li></ul>
You can use the Automatic Updates
feature in Windows to automatically download
future Microsoft security updates while your
computer is on and connected to the Internet.
<ul style="margin-top: 0px; margin-bottom: 0px;" type="disc"><li><a href="http://windows.microsoft.com/en-us/windows7/Turn-automatic-updating-on-or-off" target="_blank">How
to turn on Automatic Updates in Windows 7</a> 
</li><li><a href="http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off" target="_blank">How
to turn on Automatic Updates in Windows Vista</a> 
</li><li><a href="http://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsxp.mspx" target="_blank">How
to turn on Automatic Updates in Windows XP</a> </li></ul>
Limit user privileges on the
computer
Starting with Windows Vista and Windows
7, Microsoft introduced User Account Control (UAC), which, when enabled,
allowed users to run with least user privileges. This scenario limits the
possibility of attacks by malware and other threats that require administrative
privileges to run.
You can configure UAC in your computer to meet your preferences:
<ul style="margin-top: 0px; margin-bottom: 0px;" type="disc"><li><a href="http://www.microsoft.com/windows/windows-7/features/user-account-control.aspx" target="_blank">User
Account Control in Windows 7</a> 
</li><li><a href="http://www.microsoft.com/windows/windows-vista/features/user-account-control.aspx" target="_blank">User
Account Control in Windows Vista</a> 
</li><li><a href="http://technet.microsoft.com/en-us/library/bb456992.aspx" target="_blank">Applying the
Principle of Least Privilege in Windows XP</a> 
</li><li><a href="http://msdn.microsoft.com/en-us/library/aa511445.aspx" target="_blank">More on User
Account Control</a> </li></ul>
Run an up-to-date scanning and removal
tool
Most scanning and removal software can
detect and prevent the installation of known malicious software and potentially
unwanted software such as adware or spyware. You should frequently run a
scanning and removal tool that is updated with the latest signature files. For
more information, see <a href="http://www.microsoft.com/protect/computer/viruses/vista.mspx" target="_blank">http://www.microsoft.com/protect/computer/viruses/vista.mspx</a>.
Use caution with attachments and file
transfers
Exercise caution with e-mail and
attachments received from unknown sources, or received unexpectedly from known
sources. Use extreme caution when accepting file transfers from known or unknown
sources.
Use caution when clicking on links to
webpages
Exercise caution with links to webpages
that you receive from unknown sources, especially if the links are to a webpage
that you are not familiar with or are suspicious of. Malicious software may be
installed in your system simply by visiting a webpage with harmful content.
Avoid downloading pirated software
Threats may also be bundled with
software and files that are available for download on various torrent sites.
Downloading "cracked" or "pirated" software from these sites carries not only the
risk of being infected with malware, but is also illegal. For more information,
please see our article '<a href="http://www.microsoft.com/protect/promotions/us/wga_idc_us.mspx" target="_blank">The risks
of obtaining and using pirated software</a>'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit
vulnerabilities in hardware or software in order to compromise a system, they
also attempt to exploit vulnerabilities in human behavior in order to do the
same. When an attacker attempts to take advantage of human behavior in order to
persuade the affected user to perform an action of the attacker's choice, it is
known as 'social engineering'. Essentially,
social engineering is an attack against the human interface of the targeted
system. For more information, please see our article '<a href="http://www.microsoft.com/protect/yourself/phishing/engineering.mspx" target="_blank">What
is social engineering?</a>'.
Use strong passwords
Attackers may try to gain access to your
Windows account by guessing your password. It is
therefore important that you use a strong password – one that cannot be easily
guessed by an attacker. A strong password is one that has at least eight
characters, and combines letters, numbers, and symbols. For more information,
see <a href="http://www.microsoft.com/protect/yourself/password/create.mspx" target="_blank">http://www.microsoft.com/protect/yourself/password/create.mspx</a>.</div></div>
<div class="contentText pagetaglink"> <a href="#top" target="_blank">Top</a></div>

 <a name="recovery_link"> </a>
Recovery
<div class="detailSectionPadding contentText">
<div>
To detect and remove this
threat and other malicious software that may be installed on your computer, run
a full-system scan with an appropriate, up-to-date, security solution. The
following Microsoft products detect and remove
this threat:
<ul style="margin-top: 0px; margin-bottom: 0px;"><li><a href="http://www.microsoft.com/security_essentials/" target="_blank">Microsoft Security
Essentials</a> 
</li><li><a href="http://www.microsoft.com/security/scanner/" target="_blank">Microsoft Safety Scanner</a>
</li></ul>
Note: Users affected by
this worm may be prompted to reboot their computers as part of the cleaning
process, and then prompted to run a full scan after rebooting.
For more information on antivirus
software, see <a href="http://www.microsoft.com/windows/antivirus-partners/" target="_blank">http://www.microsoft.com/windows/antivirus-partners/</a>.
<div align="left">
Additional information for Enterprise
users
In the wild, we have observed this
threat infecting computers by targeting accounts that have 'weak' passwords.
To help prevent infection, and
consequent re-infection, we recommend making sure that your organization uses <a href="http://www.microsoft.com/en-au/security/online-privacy/passwords-create.aspx" target="_blank">strong
passwords</a> for system and user accounts, and verifying that you do not use
passwords like those being used by the malware in order to spread.
Changing your password will significantly decrease your chance of
re-infection.
To thwart this and similar threats, it
helps to adhere to best password practices, defined and enforced by appropriate
policies. Good polices include, but are not limited to:
<ul><li>Ensuring there are rules around password complexity, so that passwords meet
basic strong password requirements, such as minimum length (long passwords are
usually stronger than short ones)
</li><li>Ensuring passwords are not used for extended periods of time; consider
setting an expiry every 30 to 90 days. You might also consider enforcing
password history, so that users can not re-use the same password within a
pre-defined time frame
</li><li>Ensuring passwords contain a combination of:
<ul><li>Uppercase letters
</li><li>Lowercase letters
</li><li>Numerals, and
</li><li>Symbols </li></ul></li></ul>
For general information about password
best practices, please see the following articles:
<ul><li><a href="http://technet.microsoft.com/en-us/library/cc784090%28WS.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx</a>

</li><li><a href="http://technet.microsoft.com/en-us/library/cc756109%28WS.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx</a>
</li></ul>
To help prevent re-infection after
cleaning, you may also want to consider changing the password for every account
on the network, for every user in your environment.</div></div></div>
<div class="contentText pagetaglink"> <a href="#top" target="_blank">Top</a></div></div>

页: [1]

Chinaunix's Archiver

Worm:Win32/Morto.A