Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.
Installation
The malware consists of several components, including an executable dropper component (the installer) and a DLL component which performs the payload.
When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, as well as to c:\windows\offline web pages\cache.txt. If updated by the malware, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry value HKLM\SYSTEM\WPA\md and exits.
The name clb.dll is chosen because this is the name of a real DLL (located in the System directory) which is used by regedit. To load the malicious DLL, the malware spawns a regedit process. Once regedit runs, it loads the malicious clb.dll in preference to the real one because of the order in which Windows searches for files (the Windows directory is searched before the System directory). This DLL has encrypted configuration information appended to it, which it uses to download and execute new components.
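A host check for the search-order trick just described, as an added example (not the advisory's own code): it assumes the advisory's paths, i.e. a planted clb.dll in %windir% beside the genuine one in System32, and reports presence, hash match and signature status without changing anything.

```powershell
# Added example (not from the original advisory): report whether a clb.dll in
# the Windows directory is shadowing the genuine one in System32, which is the
# search-order trick the advisory describes. Paths are the advisory's; nothing
# is modified.
function Test-ClbDllShadowing {
    param(
        [string]$WindowsDir = $env:windir,
        [string]$SystemDir  = [Environment]::SystemDirectory
    )
    $shadow  = Join-Path $WindowsDir 'clb.dll'
    $genuine = Join-Path $SystemDir  'clb.dll'

    $report = [ordered]@{
        ShadowPath      = $shadow
        ShadowPresent   = Test-Path -LiteralPath $shadow
        BackupPresent   = Test-Path -LiteralPath "$shadow.bak"   # clb.dll.bak is left after an update
        MatchesSystem32 = $null
        ShadowSigned    = $null
    }
    if ($report.ShadowPresent) {
        # The Windows directory is searched before System32, so even a byte-for-byte
        # copy placed here would be loaded instead of the real DLL; any file at this
        # path is therefore suspect, and a hash or signature mismatch confirms it.
        $h1 = (Get-FileHash -LiteralPath $shadow -Algorithm SHA256).Hash
        $h2 = if (Test-Path -LiteralPath $genuine) {
                  (Get-FileHash -LiteralPath $genuine -Algorithm SHA256).Hash }
        $report.MatchesSystem32 = ($h1 -eq $h2)
        # Catalog-signed Microsoft files may report NotSigned here, so treat the
        # signature result as supporting evidence rather than a verdict.
        $report.ShadowSigned = ((Get-AuthenticodeSignature -LiteralPath $shadow).Status -eq 'Valid')
    }
    [pscustomobject]$report
}

Test-ClbDllShadowing | Format-List
```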
The following files are also created by the malware:
- %windows%\temp\ntshrui.dll
- <system folder>\sens32.dll
- c:\windows\offline web pages\cache.txt - detected as Worm:Win32/Morto.A
The following registry modifications are made to load the DLLs as services upon system boot:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"
Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit does. They may later be replaced with malicious components, which are downloaded to:
- c:\windows\offline web pages\cache.txt
and which replace sens32.dll via a value in the following registry subkey:
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Once loaded as a service inside svchost.exe, clb.dll reads the encrypted code housed in HKLM\SYSTEM\WPA, loads it and executes it. This code contains the worm functionality (see below for additional detail).
Spreads via…
Compromising Remote Desktop connections on a network: Port 3389 (RDP)
Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and attempts to connect to the systems it finds using the following user names:
1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5
with the following passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
If the worm succeeds in logging into a system, it copies clb.dll to a.dll on the computer and creates a file r.reg in a directory which is temporarily mapped to A: (both of which are then executed on the remote system by way of the \\tsclient\a share). The file r.reg contains the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
The intention of importing this reg file appears to be to modify the registry so that rundll32.exe runs with Administrator privileges, and thus that the malware's DLL, clb.dll, does too.
Payload
Contacts remote host
Worm:Win32/Morto.A connects to a small set of remote hosts (a hard-coded IP address and several domains) in order to download additional information and update its components.
Newly downloaded components are saved under a filename of the following form, where the four digits are hexadecimal (0-f):
~MTMP<4 digits 0-f>.exe
Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
Terminates processes
Morto.A terminates processes whose names contain the following strings. The selected strings indicate that the worm is attempting to stop processes belonging to popular security applications.
ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu
Clears system event log
Worm:Win32/Morto deletes the system event logs in the following categories:
- Application
- Security
- System
Additional information
Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:
HKLM\SYSTEM\Wpa\it
HKLM\SYSTEM\Wpa\id
HKLM\SYSTEM\Wpa\sn
HKLM\SYSTEM\Wpa\ie
HKLM\SYSTEM\Wpa\md
HKLM\SYSTEM\Wpa\sr
It also makes the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
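As an added example (not the advisory's own code), a PowerShell sweep that checks a host for the registry and file artifacts listed throughout this advisory: the loader DLLs and their ServiceDll entries, the HKLM\SYSTEM\WPA values, the UAC and RUNASADMIN changes made by r.reg, the pending sens32.dll replacement and NoPopUpsOnBoot. It assumes the advisory's paths and value names, inspects only the current user's AppCompatFlags hive, and modifies nothing.

```powershell
# Added example (not from the original advisory): sweep a host for the registry
# and file artifacts the advisory attributes to Morto.A. Run from an elevated
# PowerShell prompt; findings are only reported, nothing is changed.
function Get-MortoIndicators {
    $hits = New-Object System.Collections.Generic.List[string]
    $win  = $env:windir
    $sys  = [Environment]::SystemDirectory

    # 1. Dropped loader DLLs and the download staging file (paths from the advisory)
    foreach ($f in "$win\temp\ntshrui.dll", "$sys\sens32.dll", "$win\offline web pages\cache.txt") {
        if (Test-Path -LiteralPath $f) { $hits.Add("file present: $f") }
    }

    # 2. ServiceDll of the 6to4 and Sens services redirected to the planted DLLs
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($s in '6to4', 'Sens') {
        $dll = (Get-ItemProperty "$svc\$s\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll -match 'ntshrui\.dll$|sens32\.dll$') { $hits.Add("$s ServiceDll -> $dll") }
    }

    # 3. Configuration and encrypted payload stored as values under HKLM\SYSTEM\WPA
    $wpa = Get-ItemProperty 'HKLM:\SYSTEM\WPA' -ErrorAction SilentlyContinue
    foreach ($v in 'it', 'id', 'sn', 'ie', 'md', 'sr') {
        if ($wpa -and $null -ne $wpa.$v) { $hits.Add("WPA value present: $v") }
    }

    # 4. Effects of the imported r.reg: UAC off, rundll32 flagged RUNASADMIN (current user's hive only)
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($pol.EnableLUA -eq 0)                  { $hits.Add('EnableLUA = 0') }
    if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $hits.Add('ConsentPromptBehaviorAdmin = 0') }
    $layers = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' -ErrorAction SilentlyContinue
    foreach ($p in $layers.PSObject.Properties) {
        if ($p.Name -like '*rundll32.exe' -and $p.Value -eq 'RUNASADMIN') { $hits.Add("RUNASADMIN layer: $($p.Name)") }
    }

    # 5. Boot-time changes: pending replacement of sens32.dll, NoPopUpsOnBoot = 1
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm.PendingFileRenameOperations -match 'sens32\.dll') { $hits.Add('PendingFileRenameOperations references sens32.dll') }
    $ctl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -ErrorAction SilentlyContinue
    if ($ctl.NoPopUpsOnBoot -eq 1) { $hits.Add('NoPopUpsOnBoot = 1') }

    $hits
}

Get-MortoIndicators
```

An empty result means none of the listed artifacts were found; any line returned names the specific indicator so it can be cross-checked against the sections above.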
Analysis by Matt McCormack