Worm:Win32/Morto.A

Posted on 2011-12-23 03:07
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A
Worm:Win32/Morto.A

Encyclopedia entry
Updated: Sep 01, 2011  |  Published: Aug 28, 2011

Aliases
  • Trojan horse Generic24.OJQ (AVG)
  • Trojan.DownLoader4.48720 (Dr.Web)
  • Win-Trojan/Helpagent.7184 (AhnLab)
  • Troj/Agent-TEE (Sophos)
  • Backdoor:Win32/Morto.A (Microsoft)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.111.1134.0
Released: Aug 31, 2011

Detection initially created:
Definition: 1.111.868.0
Released: Aug 27, 2011

  Summary
Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.
Additional information for Enterprise users

In the wild, we have observed this threat infecting computers by targeting accounts that have 'weak' passwords.

To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.

To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good policies include, but are not limited to:

  • Ensuring there are rules around password complexity, so that passwords meet basic strong password requirements, such as minimum length (long passwords are usually stronger than short ones)
  • Ensuring passwords are not used for extended periods of time; consider setting an expiry every 30 to 90 days. You might also consider enforcing password history, so that users cannot re-use the same password within a pre-defined time frame
  • Ensuring passwords contain a combination of:
    • Uppercase letters
    • Lowercase letters
    • Numerals, and
    • Symbols

For general information about password best practices, please see the following articles:

To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.
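
The policy points above can be turned into a check that runs before a password is accepted. The following Python function is an added example, not part of the Microsoft entry or of the forum post: it applies the complexity rules listed, models the password-history point with a `history` argument, and also rejects any password on the list the entry gives under 'Spreads via', so that no account is left with a password the worm is known to try. Assumptions: the eight-character minimum is taken from the entry's 'Use strong passwords' section, and the list entries `%u%` and `%u%12` are assumed to stand for the account name (so `%u%12` is the user name followed by `12`).

```python
import re

# Passwords the Microsoft entry lists under "Spreads via" (reproduced from the page).
MORTO_PASSWORDS = {
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "!@#$%^", "%u%",
    "%u%12", "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123", "abcd1234",
    "admin", "admin123", "letmein", "pass", "password", "server", "test",
    "user",
}

MIN_LENGTH = 8  # from the entry's "Use strong passwords" section

_CLASSES = [  # (violation text, pattern) for each character class the policy asks for
    ("no uppercase letter", r"[A-Z]"),
    ("no lowercase letter", r"[a-z]"),
    ("no digit", r"[0-9]"),
    ("no symbol", r"[^A-Za-z0-9]"),
]


def expand_denylist(username):
    """Return the Morto.A list, lower-cased, with %u% replaced by the account name.
    Assumption: %u% in the entry's list stands for the user name."""
    return {p.replace("%u%", username).lower() for p in MORTO_PASSWORDS}


def check_password(username, password, history=(), min_length=MIN_LENGTH):
    """Return the list of policy violations for a proposed password.
    An empty list means the password passes every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for violation, pattern in _CLASSES:
        if not re.search(pattern, password):
            problems.append(violation)
    lowered = password.lower()
    if lowered == username.lower():
        problems.append("equals the user name")
    if lowered in expand_denylist(username):
        problems.append("on the Morto.A password list")
    if password in history:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    for user, pw in [("administrator", "password"), ("admin", "admin12"),
                     ("svc_backup", "Tr0ub4dor&3!")]:
        print(user, pw, check_password(user, pw) or "OK")
```

The deny-list comparison is case-insensitive on purpose: "Admin123" passes three of the four character-class rules but is still, in effect, one of the worm's guesses.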


  Symptoms
System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %Windows%\clb.dll
    %Windows%\clb.dll.bak
    %windows%\temp\ntshrui.dll
    <system folder>\sens32.dll
    c:\windows\offline web pages\cache.txt
  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\Wpa
    Sets value: it
    Sets value: id
    Sets value: sn
    Sets value: ie
    Sets value: md
    Sets value: sr

    In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
    Sets value: "NoPopUpsOnBoot"
    With data: "1"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    Sets value: "ServiceDll"
    With data: "%windir%\temp\ntshrui.dll"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
    Sets value: "Description"
    With data: "0"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
    Sets value: "DependOnService"
    With data: "0"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
    Sets value: "ServiceDll"
    With data: "<system folder>\sens32.dll"


  Technical Information (Analysis)

Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.

Installation

The malware consists of several components, including an executable dropper component (the installer) and a DLL component which performs the payload.

When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, as well as to c:\windows\offline web pages\cache.txt. If updated by the malware, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits.

The name clb.dll is chosen because this is the name of a real DLL (located in the System directory) which is used by regedit. To get the malicious DLL loaded, the malware spawns a regedit process. When regedit runs, it loads the malicious clb.dll in preference to the real clb.dll because of the order in which Windows searches for files (the Windows directory is searched before the System directory). This DLL has encrypted configuration information appended to it, which it uses to download and execute new components.

The following files are also created by the malware:

  • %windows%\temp\ntshrui.dll
  • <system folder>\sens32.dll
  • c:\windows\offline web pages\cache.txt - detected as Worm:Win32/Morto.A

The following registry modifications are made to load the DLLs as services upon system boot:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"

Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may be replaced later on with malicious components which are downloaded to:

  • c:\windows\offline web pages\cache.txt

and replace sens32.dll via a value in the following registry subkey:

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).
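
As an added example (not code from the Microsoft entry), the two checks below cover the installation mechanics just described: a DLL planted in the Windows directory that shadows a same-named DLL in System32, and a ServiceDll value that loads a service from outside System32 or under a name the entry associates with the worm. The file listing and service table are constructed for the example; `C:\Windows` standing for `%Windows%`, `C:\Windows\System32` standing for `<system folder>`, and the benign `EventLog` row are assumptions.

```python
import ntpath

# Assumed locations; the entry writes these as %Windows% and <system folder>.
WINDOWS_DIR = r"C:\Windows"
SYSTEM_DIR = r"C:\Windows\System32"

# Rogue service DLL name from the entry. ntshrui.dll is a legitimate name in
# System32, so that one is judged by location rather than by name.
MORTO_SERVICE_DLL_NAMES = {"sens32.dll"}

# Constructed file listing: the planted clb.dll sits beside regedit.exe in
# the Windows directory and shadows the real one in System32.
SAMPLE_FILES = [
    r"C:\Windows\System32\clb.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\regedit.exe",
    r"C:\Windows\clb.dll",
    r"C:\Windows\clb.dll.bak",
    r"C:\Windows\explorer.exe",
]

# Constructed service table: {service name: ServiceDll value}. The first two
# rows are the values the entry lists; EventLog is an assumed benign row.
SAMPLE_SERVICES = {
    "6to4": r"%windir%\temp\ntshrui.dll",
    "Sens": r"<system folder>\sens32.dll",
    "EventLog": r"%SystemRoot%\System32\wevtsvc.dll",
}


def normalise(path):
    """Lower-case a path and expand the placeholders used in the entry."""
    p = path.lower()
    for token, real in (("%windir%", WINDOWS_DIR), ("%systemroot%", WINDOWS_DIR),
                        ("<system folder>", SYSTEM_DIR)):
        p = p.replace(token, real.lower())
    return p


def find_shadowing_dlls(file_paths):
    """DLL names present in the Windows directory that also exist in System32.
    A process started from the Windows directory (regedit.exe here) resolves
    such a name to the copy in the Windows directory first."""
    by_dir = {}
    for path in file_paths:
        directory, name = ntpath.split(normalise(path))
        by_dir.setdefault(directory, set()).add(name)
    in_windows = by_dir.get(WINDOWS_DIR.lower(), set())
    in_system32 = by_dir.get(SYSTEM_DIR.lower(), set())
    return sorted(n for n in in_windows if n.endswith(".dll") and n in in_system32)


def check_service_dlls(services):
    """Findings for ServiceDll values that load from outside System32 or
    that use a DLL name the entry associates with Morto.A."""
    findings = []
    for service, dll in services.items():
        directory, name = ntpath.split(normalise(dll))
        if directory != SYSTEM_DIR.lower():
            findings.append((service, dll, "ServiceDll loads from outside System32"))
        elif name in MORTO_SERVICE_DLL_NAMES:
            findings.append((service, dll, "ServiceDll name associated with Morto.A"))
    return findings


if __name__ == "__main__":
    print("shadowing DLLs:", find_shadowing_dlls(SAMPLE_FILES))
    for finding in check_service_dlls(SAMPLE_SERVICES):
        print("service finding:", finding)
```

On a live host the inputs would come from a directory listing of the Windows directory and System32 and from each service's `Parameters\ServiceDll` value; the functions themselves only need those two data sets, which is why the sample embeds them.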

Spreads via…

Compromising Remote Desktop connections on a network: Port 3389 (RDP)

Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems using the following user names:

1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5

with the following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

If the worm is successful at logging into a system, it then copies clb.dll to a.dll on the computer and creates a file r.reg in a directory which is temporarily mapped to A: (both of which are then executed on the remote system by way of the \\tsclient\a share).

The file r.reg contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"

"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"

The intention of importing this .reg file appears to be to modify the registry so that rundll32.exe runs with Administrator privileges, and thus that the malware's DLL, clb.dll, does too.
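
A defender who finds an r.reg like the one above, or who exports the two keys it touches, can check them mechanically. The following Python code is an added example, not part of the entry: a small parser for the .reg format (key lines in brackets, quoted value names, `dword:` and quoted string data) and a rule that flags the settings this file changes. The sample text is constructed from a subset of the r.reg above plus one benign compatibility-layer entry (`WINXPSP3`), included so the rule can be seen to ignore layers that are not `RUNASADMIN` on rundll32.exe.

```python
import re

# Constructed .reg text: a subset of the entry's r.reg plus one benign shim
# entry, so the rule has something it must not flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\tools\\legacyapp.exe"="WINXPSP3"
"""

UAC_POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
LAYERS_SUFFIX = r"\appcompatflags\layers"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the backslash escaping .reg files use inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw):
    """Decode a value token: dword:<hex> -> int, "..." -> str, anything else raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text):
    """Parse .reg text into {key path: {value name: decoded data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.upper() == "REGEDIT4"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][_unescape(value_match.group(1))] = _decode(value_match.group(2))
    return keys


def find_uac_tampering(keys):
    """Flag the settings r.reg changes: UAC off, silent admin elevation and
    RUNASADMIN compatibility layers on rundll32.exe. Key and value names are
    compared case-insensitively, as the registry does."""
    findings = []
    lowered = {k.lower(): v for k, v in keys.items()}
    policy = {n.lower(): v for n, v in lowered.get(UAC_POLICY_KEY, {}).items()}
    if policy.get("enablelua") == 0:
        findings.append("EnableLUA=0 (UAC disabled)")
    if policy.get("consentpromptbehavioradmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0 (elevation without prompt)")
    for key, values in lowered.items():
        if key.endswith(LAYERS_SUFFIX):
            for exe, layer in values.items():
                if exe.lower().endswith("rundll32.exe") and "RUNASADMIN" in str(layer).upper():
                    findings.append(f"RUNASADMIN layer on {exe}")
    return findings


if __name__ == "__main__":
    for finding in find_uac_tampering(parse_reg(SAMPLE_REG)):
        print(finding)
```

The same rule can be run over a `reg export` of the two keys from a live machine, since the exported text uses the same syntax (with `dword:00000000` written out to eight digits, which `_decode` accepts).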

Payload

Contacts remote host

Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:

210.3.38.82
jifr.info
jifr.co.cc
jifr.co.be
jifr.net

qfsl.net
qfsl.co.cc
qfsl.co.be

Newly downloaded components are saved under a file name of the following format:

~MTMP<4 digits 0-f>.exe

Performs Denial of Service attacks

Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.

Terminates processes

Morto.A terminates processes whose names contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu

Clears system event log

Worm:Win32/Morto deletes the system event logs in the following categories:

  • Application
  • Security
  • System
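
Two behaviours of this worm leave traces in the Windows event logs: the RDP password guessing described under 'Spreads via' and the log clearing described just above. The following Python code is an added example, not from the entry, of detection logic for both. It reads a constructed set of event records in an assumed flat layout (not a real export format), raises one alert per source address that produces a burst of failed RemoteInteractive logons, counts how many of the tried user names are on the list the entry gives, notes whether a successful RDP logon from the same source followed, and separately reports the clear-log events (Security event 1102 and System event 104).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# User names the entry lists under "Spreads via" (from the page).
MORTO_USERNAMES = {
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
    "backup", "computer", "console", "david", "guest", "john", "owner", "root",
    "server", "sql", "support", "support_388945a0", "sys", "test2", "test3",
    "user", "user1", "user5",
}

# Constructed sample in an assumed flat layout (not a real export format):
# time|channel|event_id|logon_type|target_user|source_ip
# Event IDs used: 4625 failed logon, 4624 successful logon (logon type 10 =
# RemoteInteractive, i.e. RDP), 1102 Security log cleared, 104 System log cleared.
SAMPLE_EVENTS = """\
2011-08-27T10:00:01|Security|4625|10|administrator|192.168.1.50
2011-08-27T10:00:02|Security|4625|10|admin|192.168.1.50
2011-08-27T10:00:03|Security|4625|10|root|192.168.1.50
2011-08-27T10:00:04|Security|4625|10|guest|192.168.1.50
2011-08-27T10:00:05|Security|4625|10|support|192.168.1.50
2011-08-27T10:00:06|Security|4625|10|sql|192.168.1.50
2011-08-27T10:00:07|Security|4624|10|backup|192.168.1.50
2011-08-27T10:05:00|Security|4625|10|alice|10.0.0.7
2011-08-27T10:09:00|Security|4625|2|bob|-
2011-08-27T10:30:00|Security|1102|-|-|-
2011-08-27T10:30:01|System|104|-|-|-
"""


def parse_events(text):
    """Turn the flat sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, channel, event_id, logon_type, user, src = line.split("|")
        events.append({"time": datetime.fromisoformat(time), "channel": channel,
                       "id": int(event_id), "logon_type": logon_type,
                       "user": user, "src": src})
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source with at least `threshold` failed RDP logons inside
    `window`, noting how many tried names are on Morto's list and whether a
    successful RDP logon from that source followed the burst."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625) and e["logon_type"] == "10" and e["src"] != "-":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["id"] == 4625]
        for i in range(len(fails)):
            j = i  # advance j to the first failure outside the window starting at i
            while j < len(fails) and fails[j]["time"] - fails[i]["time"] <= window:
                j += 1
            if j - i >= threshold:
                tried = {e["user"].lower() for e in fails[i:j]}
                alerts.append({
                    "src": src,
                    "failures": j - i,
                    "morto_names": len(tried & MORTO_USERNAMES),
                    "success_after": any(e["id"] == 4624 and e["time"] >= fails[i]["time"]
                                         for e in evs),
                })
                break  # one alert per source is enough
    return alerts


def detect_log_clearing(events):
    """(channel, id) pairs for the clear-log events Morto's payload produces."""
    wanted = {("Security", 1102), ("System", 104)}
    return [(e["channel"], e["id"]) for e in events if (e["channel"], e["id"]) in wanted]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print(detect_rdp_guessing(parsed))
    print(detect_log_clearing(parsed))
```

The `success_after` flag is the piece worth acting on first: a burst of failures followed by a success from the same address is the pattern of a guessed password, and the account named in that 4624 event is the one to reset.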

Additional information

Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:

HKLM\SYSTEM\Wpa\it
HKLM\SYSTEM\Wpa\id
HKLM\SYSTEM\Wpa\sn
HKLM\SYSTEM\Wpa\ie
HKLM\SYSTEM\Wpa\md
HKLM\SYSTEM\Wpa\sr

It also makes the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"


Analysis by Matt McCormack


  Prevention
Follow these general security tips to better protect your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Limit user privileges on the computer.
  • Run an up-to-date scanning and removal tool.
  • Use caution with attachments and file transfers.
  • Use caution when clicking on links to webpages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.
Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software installed on your computer; these are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC in your computer to meet your preferences:

Run an up-to-date scanning and removal tool

Most scanning and removal software can detect and prevent the installation of known malicious software and potentially unwanted software such as adware or spyware. You should frequently run a scanning and removal tool that is updated with the latest signature files. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Use caution with attachments and file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a webpage with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.


  Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Note: Users affected by this worm may be prompted to reboot their computers as part of the cleaning process, and then prompted to run a full scan after rebooting.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
