Virus:Win32/Morto.A is a virus that spreads by infecting executable files; it is a memory-resident file-infector that injects its code into processes that are commonly running on your computer.
The virus downloads code that it stores encrypted in the registry and decrypts before running; this code may contain additional payloads. The Win32/Morto family is also known for gaining access to remote desktop and network shares by using a set of common user names and passwords.
Installation
Virus:Win32/Morto.A creates the following mutex on your computer, to ensure that only one instance of the virus is running at a time:
"Global\_PPIftSvc"
If it determines that it is not already present on your computer, it will create a copy of itself as:
<system folder>\wmicuclt.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; for XP, Vista, and 7 it is "C:\Windows\System32".
Virus:Win32/Morto.A then runs that file as the service "Remote Access Connection Service".
The virus makes the following changes to the registry for its malicious purposes, for example, to enable its spreading capabilities:
In subkey: HKLM\SYSTEM\Select
Sets value: "v"
With data: "<The encrypted virus code that it injects into svchost.exe or lsass.exe>"
In subkey: HKLM\SYSTEM\Select
Sets value: "pu"
Sets value: "plg"
Sets value: "ext"
Spreads via...
File infection
Virus:Win32/Morto.A searches for and infects all executable files that are stored in fixed and removable drives, shared remote desktop folders (by using the search path "\\tsclient\<a-z>\*.*"), and shared administrative folders (by using the search path "\\<IP_address>\<a-z>$\*.*").
It will infect files whose folder path does not contain any of the following strings:
- windows
- winnt
- qq
- Outlook
- System Volume Information
- RECYCLER
The virus will search for and infect all copies of "<system folder>\wscript.exe" on all computers on your network. It then copies the infected file as "<system folder>\wmicuclt.exe" on each of the infected computers.
Network shares
To infect files in shared administrative folders, Virus:Win32/Morto.A searches for other computers connected to the local network by cycling through IP addresses.
It attempts to connect to other computers on the local network by using the following set of user names and passwords:
- User names:
- user
- test
- administrator
- admin
- Passwords: a long list of common and weak passwords
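An added detection example, not from the original entry: it scans flattened Windows Security events (4625 failed logon, 4624 successful logon, logon types 3 and 10) for a source address that repeatedly fails with the account names above and reports whether that source later logged on. The line format, the five-failure threshold and the two-name overlap rule are this example's assumptions.

```python
from collections import defaultdict

# The account names the virus tries first (from the write-up above).
MORTO_USER_NAMES = {"user", "test", "administrator", "admin"}

# Constructed, flattened Security-log lines (not a real capture): 4625 = failed logon,
# 4624 = successful logon; LogonType 3 = network (admin shares), 10 = RDP.
SAMPLE_EVENTS = """\
4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.23
4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.23
4625 LogonType=3 TargetUserName=admin IpAddress=10.0.0.23
4625 LogonType=10 TargetUserName=admin IpAddress=10.0.0.23
4625 LogonType=3 TargetUserName=user IpAddress=10.0.0.23
4625 LogonType=3 TargetUserName=test IpAddress=10.0.0.23
4624 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.23
4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.50
4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.50
"""

def parse_event(line):
    """Turn one flattened line into a dict: {'EventID': '4625', 'LogonType': '3', ...}."""
    event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["EventID"] = event_id
    return rec

def find_credential_guessing(text, min_failures=5, min_morto_names=2):
    """Return {source_ip: summary} for sources whose network/RDP logon failures look like
    Morto's user-name cycling, noting which of the tried names later logged on."""
    failures = defaultdict(list)   # ip -> [user names that failed]
    successes = defaultdict(set)   # ip -> {user names that succeeded}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") not in {"3", "10"}:
            continue
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append(ev["TargetUserName"].lower())
        elif ev["EventID"] == "4624":
            successes[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    report = {}
    for ip, users in failures.items():
        tried = set(users)
        # Flag a source that fails often and cycles through the virus's account names.
        if len(users) >= min_failures and len(tried & MORTO_USER_NAMES) >= min_morto_names:
            report[ip] = {"failures": len(users), "users": sorted(tried),
                          "succeeded_as": sorted(successes[ip] & tried)}
    return report
```

A non-empty "succeeded_as" entry is the case to act on first: the guessed credentials worked and the host is a likely spreading source.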
In addition to these user names and passwords, the virus will also steal your login credentials and store them in the registry, as follows:
In subkey: HKLM\SYSTEM\Select
Sets value: "pu"
With data: "<The Windows user names and passwords that it steals from your computer>"
With data: "<The Administrator password that it steals from your computer>"
It will use these login credentials as long as the user name:
- Is not any of the following:
- Guest
- SUPPORT_388945a0
- __vmware_user__
- HelpAssistant
- ASPNET
- TsInternetUser
- Does not contain the following string:
Payload
Disables and/or terminates antivirus-related processes
Virus:Win32/Morto.A disables antivirus-related services by modifying registry entries, for example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<AV_Service>
Sets value: "4"
Where <AV_Service> could be any of the following:
- 360rp
- a2AntiMalware
- amsp
- AntiVirService
- avast! Antivirus
- AVGIDSAgent
- AVGwd
- avp
- ekrn
- F-Secure Gatekeeper Handler Starter
- FSMA
- FSORSPClient
- kxesapp
- kxescore
- mcods
- mcshield
- MsMpSvc
- NIS
- PavFnSvr
- pavsrv
- RsRavMon
- SavService
- V3 Service
- vsserv
- zhudongfangyu
Contacts remote hosts
The malware may contact the following remote hosts using port 80:
- e.ppfit.com
- e.ppfit.in
- e.ppfit.net
- d.ppns.com
- d.ppns.info
- d.ppns.net
- fd1.ppiplg.com
- fd1.ppiplg.in
- fd1.ppiplg.net
Virus:Win32/Morto.A downloads additional, encrypted instructions from these hosts, which it stores in the following registry values:
In subkey: HKLM\SYSTEM\Select
Sets value: "plg"
With data: "<encrypted data>"
In subkey: HKLM\SYSTEM\Select
Sets value: "ext"
With data: "<encrypted data>"
The virus will then decrypt these instructions, which may contain additional payloads, information stealing routines and/or information on how to spread.
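A check a responder can run over a "reg export" of HKLM\SYSTEM for the registry indicators in the Installation, Payload and Contacts remote hosts sections, written as an added example (not part of the original entry or of any vendor tool). It assumes that the four values Windows itself keeps under HKLM\SYSTEM\Select (Current, Default, Failed, LastKnownGood) are the only legitimate ones there, and that the change made to each listed security service is its Start value set to 4 (SERVICE_DISABLED); the service list in the code is a subset of the one above.

```python
# Constructed reg-export text (not a real capture); real exports are UTF-16, so use open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"v"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,\
  00,40,00,00,00,00,00,00,00
"pu"=hex:41,00,64,00,6d,00,69,00,6e,00
"plg"=hex:00,01,02
"ext"=hex:03,04,05
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avp]
"Start"=dword:00000002
"""
SELECT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Select"
NORMAL_SELECT_VALUES = {"Current", "Default", "Failed", "LastKnownGood"}  # Windows' own values
MORTO_SELECT_VALUES = {"v", "pu", "plg", "ext"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
AV_SERVICES = {s.lower() for s in ("MsMpSvc", "avp", "ekrn", "mcshield", "SavService", "vsserv")}  # subset of the list above

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}}, joining hex data split across lines."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            keys[(current := line[1:-1])] = {}
        elif (buf := buf + line).endswith("\\"):  # data continues on the next line
            buf = buf[:-1]
        else:
            name, data = buf.split("=", 1)
            keys[current][name.strip('"')] = data
            buf = ""
    return keys

def find_morto_indicators(reg):
    """Flag Morto's values under HKLM\\SYSTEM\\Select and security services with Start=4 (SERVICE_DISABLED)."""
    findings = []
    for name in reg.get(SELECT_KEY, {}):
        if name in MORTO_SELECT_VALUES:
            findings.append(("morto_select_value", name))
        elif name not in NORMAL_SELECT_VALUES:
            findings.append(("unexpected_select_value", name))
    for key, values in reg.items():
        svc = key[len(SERVICES_PREFIX):] if key.startswith(SERVICES_PREFIX) else ""
        if svc.lower() in AV_SERVICES and values.get("Start", "").lower() == "dword:00000004":
            findings.append(("av_service_disabled", svc))
    return findings
```

Any value under HKLM\SYSTEM\Select other than the four Windows keeps there is worth a look even when it is not one of the four names Morto uses.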
Additional information
To avoid reinfection, Virus:Win32/Morto.A employs an infection marker, "PPIF", in executable files that it has infected.
Analysis by Edgardo Diaz