Worm:Win32/Morto.E
First posted on 19 January 2012.
Source: Microsoft
Aliases:
Worm:Win32/Morto.E is also known as Worm/Win32.Morto (AhnLab), W32/Morto.L (Norman), Worm/Morto.D (AVG), Worm.Win32.Morto (Ikarus), W32/Morto.dll.b (McAfee), Worm.Win32.Morto.h (Rising AV), Mal/Morto-B (Sophos).
Explanation:
Worm:Win32/Morto.E is malware that loads, decrypts, and executes the main Morto payload.
Installation
Worm:Win32/Morto.E is a DLL file that performs the main Morto payload.
When executed, it is installed as the following files:
- %windir%\clb.dll
- %windir%\offline web pages\cache.txt
When the malware updates itself, it creates a backup of the first file as "clb.dll.bak".
Note that a legitimate file also named "clb.dll" exists by default in the Windows system folder. Because of the order in which Windows searches for and loads files, the malware's "clb.dll" in the Windows folder is loaded instead of the legitimate file.
It also accesses, decrypts, and processes the encrypted binary blob written by the main Morto dropper into the registry key HKLM\SYSTEM\WPA\md.
Worm:Win32/Morto.E is installed as a service.
Spreads via...
Network access via RDP port 3389
Worm:Win32/Morto.E attempts to spread to other computers. It first checks for computers to which the affected computer already has RDP sessions open. It also enumerates IP addresses on the affected computer's subnet and attempts to connect to those computers over RDP using certain user names and passwords.
Payload
Contacts remote host
Worm:Win32/Morto.E connects to the following hosts to download additional information and update its components:
- f<removed><random number>.jfrmt.net
- j<removed>fr.co.be
- j<removed>fr.co.cc
- j<removed>fr.info
- j<removed>fr.net
- q<removed>sl.co.be
- q<removed>sl.co.cc
- q<removed>sl.net
- s<removed>.jfrmt.net
Newly downloaded components are saved as files using the following naming format:
- <random number>~MTMP<4 digit hex number>.exe
- <random string>~MTMP%X.exe
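The install paths, the "clb.dll" placement outside the system folder, the HKLM\SYSTEM\WPA\md blob and the "~MTMP" component naming format above are the host artifacts a responder can match on. The following Python helper is an added example written for this page, not Microsoft's tooling or anything from the Morto analysis; the sample paths and registry export it runs on are constructed, and the `triage_paths` and `triage_registry` names are this example's own.

```python
"""Match host artifacts against the Worm:Win32/Morto.E file and registry
indicators listed on this page (added example, not Microsoft tooling).

Inputs are plain lists/dicts so the script runs offline; on a live host the
path list would come from a directory listing and the registry dict from a
registry export.
"""
import ntpath
import re

# Naming formats of downloaded components, as listed on the page:
#   <random number>~MTMP<4 digit hex number>.exe
#   <random string>~MTMP%X.exe        (%X is a printf-style hex field)
MTMP_RE = re.compile(r"^[^\\/]+~MTMP[0-9A-F]+\.exe$", re.IGNORECASE)

# Files the worm installs relative to %windir%, each with the reason a
# finding should carry.
WINDIR_ARTIFACTS = {
    "clb.dll": "clb.dll in %windir%: shadows the legitimate system-folder clb.dll "
               "through the file search order",
    "clb.dll.bak": "backup the worm creates of clb.dll when it updates itself",
    "offline web pages\\cache.txt": "second Morto.E install file",
}

# Registry location of the encrypted blob written by the Morto dropper and
# decrypted by this DLL on start-up.
REGISTRY_BLOB = r"HKLM\SYSTEM\WPA\md"


def triage_paths(paths, windir=r"C:\Windows"):
    """Return {path: reason} for every path matching a Morto.E file indicator.

    Comparison is case-insensitive because NTFS paths are. A clb.dll under
    %windir%\\System32 is the legitimate file and is deliberately not flagged.
    """
    windir_l = windir.rstrip("\\").lower()
    findings = {}
    for path in paths:
        norm = path.lower()
        # (1) files the worm installs directly under %windir%
        for rel, reason in WINDIR_ARTIFACTS.items():
            if norm == ntpath.join(windir_l, rel):
                findings[path] = reason
        # (2) downloaded components, recognised by the ~MTMP<hex>.exe name
        if MTMP_RE.match(ntpath.basename(path)):
            findings[path] = "downloaded Morto component (~MTMP<hex>.exe naming)"
    return findings


def triage_registry(values):
    """Return True if a registry export (dict of key path -> raw value)
    contains the WPA\\md blob the DLL decrypts on start-up."""
    return any(key.lower() == REGISTRY_BLOB.lower() for key in values)


# Constructed sample inputs (not taken from a real host) to exercise the matchers.
SAMPLE_PATHS = [
    r"C:\Windows\System32\clb.dll",                           # legitimate, must not match
    r"C:\Windows\clb.dll",                                     # worm's search-order shadow
    r"C:\Windows\clb.dll.bak",
    r"C:\Windows\Offline Web Pages\cache.txt",
    r"C:\Users\alice\AppData\Local\Temp\48213~MTMP1A2F.exe",  # downloaded component
    r"C:\Users\alice\Documents\report.docx",                   # benign
]
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\WPA\md": b"\x00" * 16,   # placeholder bytes, not a real blob
    r"HKLM\SYSTEM\Setup\SystemPartition": b"\\Device\\HarddiskVolume1",
}

if __name__ == "__main__":
    for flagged, reason in triage_paths(SAMPLE_PATHS).items():
        print(f"{flagged}: {reason}")
    print("WPA\\md blob present:", triage_registry(SAMPLE_REGISTRY))
```

The check on "clb.dll" only fires for the copy directly under the Windows folder; the legitimate copy in the system folder is left alone, which is the distinction the installation section draws. The "~MTMP" regex accepts any hex length so that both naming variants on the page are covered.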
Performs denial of service attacks
Worm:Win32/Morto.E may be ordered to perform denial-of-service (DoS) attacks against specified targets.
Terminates security processes
Worm:Win32/Morto.E terminates processes that contain the following strings in their name. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.
- 360rp
- a2service
- ACAAS
- ArcaConfSV
- AvastSvc
- avguard
- avgwdsvc
- avpmapp
- ccSvcHst
- cmdagent
- coreServiceShell
- FortiScand
- FPAVServer
- freshclam
- fsdfwd
- GDFwSvc
- K7RTScan
- knsdave
- KVSrvXP
- kxescore
- mcshield
- MPSvc
- MsMpEng
- NSESVC.EXE
- PavFnSvr
- RavMonD
- SavService
- scanwscs
- SpySweeper
- Vba32Ldr
- vsserv
- zhudongfangyu
Clears system event log
Worm:Win32/Morto.E deletes the following system event logs:
- Application log
- Security log
- System log
Additional information
If this file is running as a service or within the context of the "rundll32.exe" process, it attempts to read the payload component in the drive "\\tsclient\a\moto", which is a drive used by the Morto family to spread. It then compares the data stored in this drive to that saved in the subkey "HKLM\SYSTEM\Wpa\md". If the data is identical, it executes the payload component.
Analysis by Zarestel Ferrer
Last update 19 January 2012