
Virus:Win32/Morto.A


First posted on 11 July 2012.
Source: Microsoft

Aliases :

There are no other names known for Virus:Win32/Morto.A.

Explanation :



Virus:Win32/Morto.A is a memory-resident file infector: it spreads by infecting executable files, and it injects its infection routine into processes that are commonly running on your computer so that the routine keeps executing while those processes are alive.



Installation

Virus:Win32/Morto.A creates the following mutex on your computer, to ensure that only one instance of the virus is running at a time:

"Global\_PPIftSvc"

If it determines that it is not already present on your computer, it will create a copy of itself as:

c:\windows\system32\wmicuclt.exe

The virus also writes the following registry values for its own use, for example to store data that supports its spreading:

In subkey: HKLM\SYSTEM\Select
Sets value: "v"
Sets value: "pu"
Sets value: "plg"
Sets value: "ext"

Spreads via...

File infection

Virus:Win32/Morto.A searches fixed and removable drives for specific executable files and infects them. It commonly targets files belonging to processes that are normally running, such as:

  • svchost.exe
  • lsass.exe


Payload

Disables and/or terminates antivirus-related processes

Virus:Win32/Morto.A disables antivirus-related services by modifying their registry entries, for example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<AV_Service>
Sets value: "4"

(In a service key, a Start value of 4 means SERVICE_DISABLED, so the Service Control Manager will no longer start that service.)

Where <AV_Service> could be any of the following:

  • 360rp
  • a2AntiMalware
  • amsp
  • AntiVirService
  • avast! Antivirus
  • AVGIDSAgent
  • AVGwd
  • avp
  • ekrn
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • FSORSPClient
  • kxesapp
  • kxescore
  • mcods
  • mcshield
  • MsMpSvc
  • NIS
  • PavFnSvr
  • pavsrv
  • RsRavMon
  • SavService
  • V3 Service
  • vsserv
  • zhudongfangyu


Contacts remote hosts

The malware may contact the following remote hosts using port 8080:

  • e.ppfit.com
  • e.ppfit.in
  • e.ppfit.net


Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

Additional information

To avoid reinfection, this virus creates an infection marker 'PPIF' in executable files that it has infected.
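The indicators listed on this page (the dropped file and mutex under Installation, the values written to HKLM\SYSTEM\Select, the security services switched to Start = 4 under Payload, the ppfit hosts contacted on port 8080, and the 'PPIF' infection marker) can all be checked on a live host. The following PowerShell triage script is an added example written for this page; it is not Microsoft's code or the analyst's. It assumes an elevated Windows PowerShell session, that the port 8080 traffic is TCP (the write-up does not say), and, because the write-up does not say where in an infected file the marker sits, that 'PPIF' appears as plain ASCII somewhere in the file.

```powershell
# Added example (not Microsoft's code): read-only host triage for the Virus:Win32/Morto.A
# indicators documented in this write-up. Run in an elevated Windows PowerShell 5.1+ session.
# It reports findings; it does not remediate anything.

$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped copy: c:\windows\system32\wmicuclt.exe
$dropped = Join-Path $env:SystemRoot 'System32\wmicuclt.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $Findings.Add("Dropped file present: $dropped (SHA256 $hash)")
}

# 2. Mutex Global\_PPIftSvc. PowerShell cannot enumerate named mutexes without extra tooling,
#    so probe it: OpenExisting succeeds (or is denied) only if some process holds that name.
try {
    $m = [System.Threading.Mutex]::OpenExisting('Global\_PPIftSvc')
    $m.Dispose()
    $Findings.Add('Mutex Global\_PPIftSvc is held: the virus is probably running')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex does not exist: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $Findings.Add('Mutex Global\_PPIftSvc exists but cannot be opened (access denied)')
}

# 3. HKLM\SYSTEM\Select holds only Current, Default, Failed and LastKnownGood on a clean
#    system; the four value names the virus writes there are not part of Windows.
$select = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select'
foreach ($name in 'v', 'pu', 'plg', 'ext') {
    if ($null -ne $select.PSObject.Properties[$name]) {
        $Findings.Add("Unexpected value '$name' under HKLM\SYSTEM\Select")
    }
}

# 4. Security services the virus disables by setting Start = 4 (SERVICE_DISABLED).
#    Only installed services are reported, so a hit means a product present on the
#    host has been switched off.
$avServices = @(
    '360rp', 'a2AntiMalware', 'amsp', 'AntiVirService', 'avast! Antivirus', 'AVGIDSAgent',
    'AVGwd', 'avp', 'ekrn', 'F-Secure Gatekeeper Handler Starter', 'FSMA', 'FSORSPClient',
    'kxesapp', 'kxescore', 'mcods', 'mcshield', 'MsMpSvc', 'NIS', 'PavFnSvr', 'pavsrv',
    'RsRavMon', 'SavService', 'V3 Service', 'vsserv', 'zhudongfangyu'
)
foreach ($svc in $avServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            $Findings.Add("Installed security service '$svc' is disabled (Start = 4)")
        }
    }
}

# 5. Command-and-control names and port from the write-up, checked against the DNS client
#    cache and live TCP connections (assumption: the 8080 traffic is TCP). Both cmdlets
#    exist on Windows 8 / Server 2012 and later, so they are skipped where absent.
$c2Names = 'e.ppfit.com', 'e.ppfit.in', 'e.ppfit.net'
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $c2Names -contains $_.Entry } |
        ForEach-Object { $Findings.Add("DNS cache holds C2 name $($_.Entry) -> $($_.Data)") }
}
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 8080 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("TCP connection to $($_.RemoteAddress):8080 from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }
}

# 6. Infection marker. The write-up says infected files carry 'PPIF' but not where in the
#    file, so this assumption-level check looks for the four ASCII bytes anywhere in each
#    System32 executable (the named targets svchost.exe and lsass.exe live there). Treat a
#    hit as a lead to confirm with an AV scan, not as proof: 'PPIF' can occur by chance.
$latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')   # one byte <-> one char
Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32') -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try {
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($path))
            if ($text.IndexOf('PPIF', [System.StringComparison]::Ordinal) -ge 0) {
                $Findings.Add("Possible infection marker 'PPIF' in $path")
            }
        } catch {
            # Locked or unreadable file (some are held open by the OS): skip it.
        }
    }

if ($Findings.Count -eq 0) {
    'No Virus:Win32/Morto.A indicators found.'
} else {
    $Findings
}
```

A hit in steps 1 to 4 is a strong signal on its own, because none of those artifacts exists on a clean system. Steps 5 and 6 are weaker: the DNS cache is short-lived and the marker search is deliberately broad, so their results should be confirmed with a full antivirus scan of the host and of any removable drives that were attached to it.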



Analysis by Edgardo Diaz

Last update 11 July 2012