Worm:Win32/Morto!dat
First posted on 19 May 2012.
Source: Microsoft
Aliases:
Worm:Win32/Morto!dat is also known as Worm.Win32.Mort.j (Kaspersky), Worm.Win32.Morto (Ikarus).
Explanation:
Worm:Win32/Morto!dat is a component of Worm:Win32/Morto that contacts a remote server. It is encrypted, so Worm:Win32/Morto.D decrypts and loads it.
Worm:Win32/Morto is a worm family that allows unauthorized users to access your computer. It spreads by accessing computers that have a Remote Desktop connection to a network.
Installation
Worm:Win32/Morto!dat is a binary blob written into a legitimate registry key when Worm:Win32/Morto is dropped and run on a computer.
The registry key may be modified as follows:
In subkey: HKLM\SYSTEM\WPA\md
Sets value to any of the following:
- it
- id
- sn
- ie
- md
- sr
Payload
Worm:Win32/Morto!dat connects to the following servers to download additional information and update its Morto components:
- fc<decimal number>.jfrmt.net
- jifr.co.be
- jifr.co.cc
- jifr.info
- jifr.net
- qfsl.co.be
- qfsl.co.cc
- qfsl.net
- sc.jfrmt.net
It saves its downloaded components to a file using the following naming format:
<random number>~MTMP<4 hex digits>.exe
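The indicators from the Installation and Payload sections, applied as detection logic over host telemetry (an added example, not part of the original entry or any Microsoft tooling). The event format and sample events are constructed; it assumes the listed registry names are value names under the subkey, that the random number is decimal digits, and that the hex digits may be either case.

```python
import re

# Indicators from the entry above. Assumptions: <random number> is decimal
# digits, hex digits may be either case, registry names are value names.
FILE_RE = re.compile(r"\d+~MTMP[0-9A-Fa-f]{4}\.exe")
FC_HOST_RE = re.compile(r"fc\d+\.jfrmt\.net")
HOSTS = {"jifr.co.be", "jifr.co.cc", "jifr.info", "jifr.net",
         "qfsl.co.be", "qfsl.co.cc", "qfsl.net", "sc.jfrmt.net"}
REG_KEY = r"hklm\system\wpa\md"
REG_VALUES = {"it", "id", "sn", "ie", "md", "sr"}

def classify(event):
    """Return the name of the indicator an event matches, or None."""
    kind, data = event["type"], event["data"]
    if kind == "file":
        # Match on the file name only; the entry gives no directory.
        name = re.split(r"[\\/]", data)[-1]
        return "dropped-file" if FILE_RE.fullmatch(name) else None
    if kind == "dns":
        # Exact host match, so look-alike names are not flagged.
        host = data.lower().rstrip(".")
        hit = host in HOSTS or FC_HOST_RE.fullmatch(host)
        return "update-server" if hit else None
    if kind == "reg":
        # Hypothetical event format: "<key path>\<value name>".
        key, _, value = data.rpartition("\\")
        if key.lower() == REG_KEY and value.lower() in REG_VALUES:
            return "registry-blob"
    return None

def triage(events):
    """Return (indicator, data) for every event that matches."""
    return [(classify(e), e["data"]) for e in events if classify(e)]

# Constructed sample telemetry (hypothetical format, not from a real host).
SAMPLE_EVENTS = [
    {"type": "file", "data": r"C:\Windows\Temp\4821~MTMP0a3f.exe"},
    {"type": "file", "data": r"C:\Windows\Temp\~MTMP0a3f.exe"},
    {"type": "dns", "data": "fc17.jfrmt.net."},
    {"type": "dns", "data": "fc.jfrmt.net"},
    {"type": "reg", "data": r"HKLM\SYSTEM\WPA\md\sn"},
    {"type": "reg", "data": r"HKLM\SYSTEM\WPA\other\sn"},
]

if __name__ == "__main__":
    for indicator, data in triage(SAMPLE_EVENTS):
        print(indicator, data)
```

Each sample pair holds one matching event and one near miss, so the output shows three hits out of six events.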
Analysis by Ding Plazo
Last update 19 May 2012