Worm:Win32/Morto.A
First posted on 03 May 2016.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/Morto.A.
Explanation:
Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by brute-forcing administrator passwords for Remote Desktop (RDP) connections to other computers on the same network.
Installation
The threat consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.
When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, and a copy is written to c:\windows\offline web pages\cache.txt. If the malware later updates itself, the previous copy is kept as clb.dll.bak. The executable component also writes encrypted code to the registry value HKLM\SYSTEM\WPA\md and then exits.
The name clb.dll is chosen because a real DLL of that name exists in the System directory and is loaded by regedit. To get its own DLL loaded, the malware spawns a regedit process. Because regedit.exe itself resides in the Windows directory, that directory is regedit's application directory and is the first place the loader looks for an unqualified DLL name, ahead of the System directory; the planted %windir%\clb.dll therefore wins over the real one (a DLL search-order hijack). The malicious DLL has encrypted configuration information appended to it, which it uses to download and execute new components.
The following files are also created by the malware:
- %windows%\temp\ntshrui.dll
- \sens32.dll
- c:\windows\offline web pages\cache.txt (detected as Worm:Win32/Morto.A)
The following registry modifications are made to load the DLLs as services upon system boot:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "\sens32.dll"
Initially, ntshrui.dll and sens32.dll are clean, benign DLLs; their only job is to load clb.dll, in the same way regedit does. They may later be replaced by malicious components. The replacement is downloaded to:
- c:\windows\offline web pages\cache.txt
and is swapped in for sens32.dll at the next boot via a value in the following registry subkey:
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Once loaded as a service inside svchost.exe, the encrypted code housed in HKLM\SYSTEM\WPA is then read by clb.dll, loaded and executed. This contains the worm functionality (see below for additional detail).
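The two persistence tricks described above (a DLL planted where the loader finds it before the real copy, and svchost services whose ServiceDll points outside System32) can both be checked offline. The following is an added example, not Microsoft's or the malware author's code; the temporary directory layout and the registry dump it inspects are constructed for the example, and a real run would feed in a forensic image's directory tree and exported ServiceDll values instead.

```python
"""Added example, not Microsoft's or the malware author's code: two offline
checks for the persistence tricks described in the Installation section.

1. DLL search-order hijack: regedit.exe lives in %windir%, so the loader
   consults the Windows directory (its application directory) before
   System32; a planted %windir%\\clb.dll shadows the real one.
2. ServiceDll hijack: svchost-hosted services (6to4, Sens) whose
   ServiceDll value points outside System32 or uses a Morto file name.

All inputs are constructed here (temp directories, a hand-written registry
dump); the assumption is that a real run feeds in a forensic image's
directory tree and exported registry values.
"""
import ntpath
import os
import tempfile
from typing import Optional

# File names the text attributes to Morto (assumption: exact names).
MORTO_DLL_NAMES = {"clb.dll", "ntshrui.dll", "sens32.dll"}


def search_order(app_dir: str, system_dir: str, windows_dir: str) -> list:
    """Directories the Windows loader tries, in order, for an unqualified DLL
    name with SafeDllSearchMode on: application directory, System32, then the
    Windows directory (16-bit System dir, current dir and PATH omitted)."""
    return [app_dir, system_dir, windows_dir]


def find_dll_hijack(dll_name: str, dirs: list, legit_dir: str) -> Optional[str]:
    """Return the path of a copy that would load instead of the legitimate
    one in legit_dir, or None when the first hit is the legitimate copy."""
    for d in dirs:
        candidate = os.path.join(d, dll_name)
        if os.path.isfile(candidate):
            same = os.path.normcase(os.path.abspath(d)) == os.path.normcase(os.path.abspath(legit_dir))
            return None if same else candidate
    return None


def demo_search_order_hijack() -> Optional[str]:
    """Rebuild the layout from the text in a temp dir: real clb.dll in
    System32, planted clb.dll in the Windows directory, regedit.exe in the
    Windows directory. Returns the shadowing copy relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        windows_dir = os.path.join(root, "Windows")
        system_dir = os.path.join(windows_dir, "System32")
        os.makedirs(system_dir)
        for d in (system_dir, windows_dir):
            with open(os.path.join(d, "clb.dll"), "wb") as f:
                f.write(b"MZ")  # placeholder content, not a real DLL
        regedit_dir = windows_dir  # application directory of regedit.exe
        hit = find_dll_hijack("clb.dll", search_order(regedit_dir, system_dir, windows_dir), system_dir)
        return None if hit is None else os.path.relpath(hit, root).replace(os.sep, "/")


def expand_env(path: str, windows_dir: str) -> str:
    """Expand the two variables ServiceDll values normally use."""
    for var in ("%SystemRoot%", "%systemroot%", "%windir%", "%WINDIR%"):
        path = path.replace(var, windows_dir)
    return path


def suspicious_service_dlls(service_dlls: dict, windows_dir: str = r"C:\Windows") -> dict:
    """service_dlls maps service name -> ServiceDll data (from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\Parameters). Flags
    values that do not resolve under System32 or that use a Morto file name.
    ntpath is used so Windows path semantics apply on any analysis host."""
    system32 = ntpath.normcase(ntpath.join(windows_dir, "System32")) + "\\"
    findings = {}
    for svc, dll in service_dlls.items():
        full = ntpath.normcase(ntpath.normpath(expand_env(dll, windows_dir)))
        if not full.startswith(system32):
            findings[svc] = "ServiceDll outside System32: " + dll
        elif ntpath.basename(full) in MORTO_DLL_NAMES:
            findings[svc] = "ServiceDll uses a Morto file name: " + dll
    return findings


# Constructed registry dump: the two Morto entries from the text plus one
# legitimate-looking service for contrast (assumption: dhcpcore.dll path).
SAMPLE_SERVICE_DLLS = {
    "6to4": r"%windir%\temp\ntshrui.dll",
    "Sens": r"\sens32.dll",
    "Dhcp": r"%SystemRoot%\System32\dhcpcore.dll",
}

if __name__ == "__main__":
    print("search-order hijack:", demo_search_order_hijack())
    for svc, why in suspicious_service_dlls(SAMPLE_SERVICE_DLLS).items():
        print(f"{svc}: {why}")
```

The ServiceDll check deliberately works on exported values rather than reading the live registry, so it runs the same way against a mounted hive from a compromised host as it does on the analyst's own machine; a root-relative value such as \sens32.dll is flagged because it resolves outside System32 regardless of which drive it lands on.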
Spreads via…
Compromising Remote Desktop connections on a network: Port 3389 (RDP)
The worm cycles through IP addresses on the affected computer's subnet and attempts to log on to any system it finds using the following user names:
1
123
a
actuser
adm
admin1
admin2
administrator
aspnet
backup
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test
test1
test2
test3
user
user
user2
user3
user4
user5
with the following passwords:
!@#$
!@#$%
!@#$%^
!@#$%^&*
$1234
%u%
%u%1
%u%111111
%u%12
%u%123
%u%1234
%u%123456
0
000000
1
111
1111
111111
1111111
111222
112233
11223344
12
121212
123
123123
123321
1234
12344321
12345
123456
1234567
12345678
123456789
1234567890
1234qwer
1313
1314520
159357
168168
1q2w3e
1QAZ
1qaz2wsx
2010
2011
2012
2222
22222222
3
31415926
369
4321
520
520520
654321
666666
7
7777
7777777
77777777
789456
888888
88888888
987654
987654321
999999
<1234
a
aaa
abc
abc123
abcd
abcd1234
admin
admin123
computer
dragon
iloveyou
letmein
pass
password
PASSWORD
princess
qazwsx
rockyou
root
secret
super
test
user
Z1234
zxcvbnm
Note: The %u% is a wildcard string that is replaced by the user name used in the attack.
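Seen from the defender's side, the sweep above shows up as a burst of failed logons from one internal address against many of the listed user names. The following is an added example, not Microsoft's code, that expands the %u% wildcard the note describes and scores failed-logon records for that pattern. The event records are constructed for the example (the assumption is that 4625 logon-failure events have been exported with the fields used here, for instance from Get-WinEvent or a SIEM); they are not real telemetry.

```python
"""Added example, not Microsoft's code: detect Morto-style RDP credential
guessing from Windows Security log data, and expand the %u% wildcard the
note above describes. The events below are constructed for this example
(assumption: exported 4625 logon-failure events with the fields used here);
they are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# User names from the list above (lower-cased for matching).
MORTO_USERS = {
    "1", "123", "a", "actuser", "adm", "admin1", "admin2", "administrator",
    "aspnet", "backup", "console", "david", "guest", "john", "owner", "root",
    "server", "sql", "support", "support_388945a0", "sys", "test", "test1",
    "test2", "test3", "user", "user2", "user3", "user4", "user5",
}


def expand_passwords(username: str, templates: list) -> list:
    """Replace the %u% wildcard with the user name, as the worm does."""
    return [t.replace("%u%", username) for t in templates]


def _ev(offset_s: int, ip: str, user: str, event_id: int = 4625, logon_type: int = 10) -> dict:
    """Build one constructed event record."""
    base = datetime(2011, 8, 28, 3, 0, 0)  # arbitrary constructed timestamp
    return {"Time": base + timedelta(seconds=offset_s), "IpAddress": ip,
            "TargetUserName": user, "EventID": event_id, "LogonType": logon_type}


# Constructed sample: one host sweeping the user list, two benign failures,
# and one successful logon (4624) that must be ignored.
SAMPLE_EVENTS = (
    [_ev(i * 10, "10.0.0.7", u) for i, u in enumerate(
        ["administrator", "admin1", "admin2", "guest", "root", "sql", "test", "jsmith"])]
    + [_ev(5, "10.0.0.5", "jsmith"), _ev(40, "10.0.0.9", "bob"), _ev(70, "10.0.0.9", "bob"),
       _ev(90, "10.0.0.9", "bob", event_id=4624)]
)


def detect_rdp_spray(events: list, window: timedelta = timedelta(minutes=5), min_users: int = 5) -> dict:
    """Per source address, look for >= min_users distinct user names failing
    within any `window`. Logon type 10 (RemoteInteractive) is classic RDP;
    type 3 is included because RDP with NLA reports failures as network logons."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625 or e["LogonType"] not in (3, 10):
            continue
        by_src[e["IpAddress"]].append((e["Time"], e["TargetUserName"].lower()))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts[src] = {"distinct_users": len(users),
                               "morto_overlap": len(users & MORTO_USERS)}
                break
    return alerts


if __name__ == "__main__":
    print(expand_passwords("admin", ["%u%", "%u%123", "%u%1234", "1234"]))
    for src, info in detect_rdp_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {info}")
```

The window and the distinct-user threshold are tuning assumptions; what makes this pattern stand out is the number of different user names per source, not the raw failure count, since a mistyped password from one user never spreads across the list the way the worm's sweep does.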
If the worm succeeds in logging on to a system, it copies clb.dll to a.dll and writes a file named r.reg into a local directory that is temporarily mapped as drive A:; through the RDP session's \\tsclient\a share, both files are reachable on the remote system, where a.dll is executed and r.reg is imported.
The file r.reg contains the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
Importing this .reg file disables UAC (EnableLUA=0, which takes effect only after the next reboot), sets administrators to elevate without any prompt (ConsentPromptBehaviorAdmin=0), and marks rundll32.exe, under every installation path the author anticipated, with the RUNASADMIN compatibility layer so that it requests elevation when started. The net effect is that rundll32.exe, and therefore the malware's clb.dll that it loads, runs with administrator privileges.
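A .reg file of this shape is easy to triage mechanically. The following is an added example, not Microsoft's code: a small .reg parser plus an assessment step that flags the three settings r.reg relies on (UAC disabled, silent admin elevation, RUNASADMIN compatibility layers). The embedded excerpt is re-typed from the listing above and truncated to a few of the rundll32.exe paths; it is a constructed sample, and parse_reg() can be pointed at any exported .reg file.

```python
"""Added example, not Microsoft's code: parse a .reg file and flag the
settings r.reg above uses to remove UAC friction. The excerpt embedded
below is re-typed from the text (a constructed sample, truncated to a few
of the rundll32.exe paths); point parse_reg() at any exported .reg file.
"""
import re
from dataclasses import dataclass

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LAYERS_SUFFIX = r"\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

R_REG_EXCERPT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
'''


@dataclass
class Finding:
    key: str
    name: str
    value: str
    why: str


def _decode(raw: str):
    """Decode the two value syntaxes r.reg uses; other types stay as text."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg(text: str) -> list:
    """Return (key, name, value) triples from .reg text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)+)"=(.*)', line)
        if m and key is not None:
            name = m.group(1).replace("\\\\", "\\")  # value names are escaped like strings
            entries.append((key, name, _decode(m.group(2))))
    return entries


def assess(entries: list) -> list:
    """Flag UAC disabled, silent admin elevation, and RUNASADMIN layers."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        if k == UAC_KEY.lower() and name == "EnableLUA" and value == 0:
            findings.append(Finding(key, name, str(value), "UAC disabled (effective after reboot)"))
        elif k == UAC_KEY.lower() and name == "ConsentPromptBehaviorAdmin" and value == 0:
            findings.append(Finding(key, name, str(value), "administrators elevate without any prompt"))
        elif k.endswith(LAYERS_SUFFIX.lower()) and isinstance(value, str) and "RUNASADMIN" in value.upper():
            findings.append(Finding(key, name, value, "compatibility layer forces elevation of " + name))
    return findings


if __name__ == "__main__":
    for f in assess(parse_reg(R_REG_EXCERPT)):
        print(f"{f.name} = {f.value}: {f.why}")
```

The same assessment applies to a live system by exporting the two keys with reg.exe and feeding the output to parse_reg(); the Layers key under HKEY_CURRENT_USER is per user, so each profile on a suspect host needs to be checked.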
Payload
Contacts remote host
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:
210.3.38.82
jifr.info
jifr.co.cc
jifr.co.be
jifr.net
qfsl.net
qfsl.co.cc
qfsl.co.be
Newly downloaded components are written to a file whose name has the following format:
~MTMP<4 digits 0-f>.exe
Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
Terminates processes
Morto.A terminates processes whose names contain the following strings; they belong to popular security-related applications, so the worm is attempting to stop security software:
ACAAS
360rp
a2service
ArcaConfSV
AvastSvc
avguard
avgwdsvc
avp
avpmapp
ccSvcHst
cmdagent
coreServiceShell
ekrn
FortiScand
FPAVServer
freshclam
fsdfwd
GDFwSvc
K7RTScan
knsdave
KVSrvXP
kxescore
mcshield
MPSvc
MsMpEng
NSESVC.EXE
PavFnSvr
RavMonD
SavService
scanwscs
SpySweeper
Vba32Ldr
vsserv
zhudongfangyu
Clears system event log
Worm:Win32/Morto clears the following Windows event logs:
- Application
- Security
- System
Additional information
Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:
- HKLM\SYSTEM\Wpa\it
- HKLM\SYSTEM\Wpa\id
- HKLM\SYSTEM\Wpa\sn
- HKLM\SYSTEM\Wpa\ie
- HKLM\SYSTEM\Wpa\md
- HKLM\SYSTEM\Wpa\sr
It also makes the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
Analysis by Matt McCormack
Last update 03 May 2016