Worm:Win32/Morto!dat is a component of Worm:Win32/Morto that contacts a remote server. It is encrypted, so it is decrypted and loaded by Worm:Win32/Morto.D.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
Worm:Win32/Morto is a worm family that allows unauthorized users to access your computer. It spreads by accessing computers that have a Remote Desktop connection to a network.
Installation
Worm:Win32/Morto!dat is a binary blob written into a legitimate registry key when Worm:Win32/Morto is dropped and run on a computer.
The registry key may be modified as follows:
In subkey: HKLM\SYSTEM\WPA\md
Sets value to any of the following:
it
id
sn
ie
md
sr
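An added example, not from the original page: a Python triage helper that scans saved `reg query HKLM\SYSTEM\WPA /s` output for the registry values listed above and reports the size of each one found. It assumes the six listed items are value names under the `md` subkey and that the text uses reg.exe's four-space column layout; the function names and the sample output are constructed for illustration.

```python
import re

# From this page; reading the six items as value names is an assumption.
MORTO_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\md"
MORTO_VALUE_NAMES = {"it", "id", "sn", "ie", "md", "sr"}

# reg.exe layout: 4 spaces, value name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)(?: {4}(?P<data>.*))?$")

# Constructed sample output; the data bytes and the Example subkey are made up.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\md",
    "    md    REG_BINARY    A1B2C3D4",
    "    ie    REG_BINARY    00FF",
    "    other    REG_SZ    unrelated",
    r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\Example",
    "    id    REG_DWORD    0x1",
])


def find_morto_values(reg_query_output):
    """Return one finding per listed value name found under WPA\\md."""
    findings = []
    current_key = None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            current_key = line.strip()  # key header: following values belong to it
            continue
        match = VALUE_LINE.match(line)
        if not match or current_key is None:
            continue
        # Registry key and value names are case-insensitive.
        if current_key.lower() != MORTO_KEY.lower():
            continue
        if match.group("name").lower() not in MORTO_VALUE_NAMES:
            continue
        data = match.group("data") or ""
        findings.append({
            "name": match.group("name"),
            "type": match.group("type"),
            # REG_BINARY is printed as hex, two characters per byte.
            "size": len(data) // 2 if match.group("type") == "REG_BINARY" else len(data),
        })
    return findings


if __name__ == "__main__":
    for finding in find_morto_values(SAMPLE):
        print(finding)
```

A value with one of the listed names under an unrelated key is not reported, so the check stays tied to the subkey this page names.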
Payload
Worm:Win32/Morto!dat connects to the following servers to download additional information and update its Morto components:
It saves its downloaded components to a file using the following naming format: