Worm:Win32/Morto.A
Microsoft Defender Antivirus detects and removes this worm.
This threat is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.
Worms automatically spread to other PCs. They can do this in a number of ways, including by copying themselves to removable drives, network folders, or spreading through email.
Additional information for Enterprise users
In the wild, we have observed this threat infecting computers by targeting accounts that have weak passwords.
To help prevent infection, and consequent reinfection, make sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.
To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good polices include, but are not limited to:
- Ensuring there are rules around password complexity, so that passwords meet basic strong password requirements, such as minimum length (long passwords are usually stronger than short ones)
- Ensuring passwords are not used for extended periods of time; consider setting an expiry every 30 to 90 days. You might also consider enforcing password history, so that users can not re-use the same password within a pre-defined time frame
- Ensuring passwords contain a combination of:
- Uppercase letters
- Lowercase letters
- Numerals, and
- Symbols
For general information about password best practices, please see the following articles:
- http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx
- http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx
To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.
Worm:Win32/Morto.B
Worm:Win32/Morto.D
Worm:Win32/Morto.D is malware that loads, decrypts, and executes the main Morto payload.
Worm:Win32/Morto.C
Worm:Win32/Morto.C is malware that performs the main payload for Worm:Win32/Morto.gen!A, Worm:Win32/Morto.A, and Worm:Win32/Morto.B.
Worm:Win32/Morto.E
Worm:Win32/Morto.E is malware that loads, decrypts, and executes the main Morto payload.
Worm:Win32/Morto.F
Worm:Win32/Morto.F is the DLL component of the Win32/Morto worm family. It executes the main component on the affected computer. It spreads across a network via Remote Desktop connections.
Worm:Win32/Morto.J
Worm:Win32/Morto.J is a worm that can spread during a Remote Desktop session when connecting an infected computer to another computer.
Additional information for Enterprise users
In the wild, we have observed this threat infecting computers by targeting accounts that have 'weak' passwords.
To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.
To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good polices include, but are not limited to:
- Ensuring there are rules around password complexity, so that passwords meet basic strong password requirements, such as minimum length (long passwords are usually stronger than short ones)
- Ensuring passwords are not used for extended periods of time; consider setting an expiry every 30 to 90 days. You might also consider enforcing password history, so that users can not re-use the same password within a pre-defined time frame
- Ensuring passwords contain a combination of:
- Uppercase letters
- Lowercase letters
- Numerals, and
- Symbols
For general information about password best practices, please see the following articles:
- http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx
- http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx
To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.
Worm:Win32/Morto!dat
Worm:Win32/Morto!dat is a component of Worm:Win32/Morto that contacts a remote server. It is encrypted, and so is decrypted and loaded by Worm:Win32/Morto.D.
Worm:Win32/Morto.gen!B
Worm:Win32/Morto.gen!B is the DLL component of the Win32/Morto worm family. It executes the main component on the affected computer. It spreads across a network via Remote Desktop connections.
Worm:Win32/Morto.gen!A
Additional information for Enterprise users
In the wild, we have observed this threat infecting computers by targeting accounts that have 'weak' passwords.
To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for system and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread. Changing your password will significantly decrease your chance of re-infection.
To thwart this and similar threats, it helps to adhere to best password practices, defined and enforced by appropriate policies. Good polices include, but are not limited to:
- Ensuring there are rules around password complexity, so that passwords meet basic strong password requirements, such as minimum length (long passwords are usually stronger than short ones)
- Ensuring passwords are not used for extended periods of time; consider setting an expiry every 30 to 90 days. You might also consider enforcing password history, so that users can not re-use the same password within a pre-defined time frame
- Ensuring passwords contain a combination of:
- Uppercase letters
- Lowercase letters
- Numerals, and
- Symbols
For general information about password best practices, please see the following articles:
- http://technet.microsoft.com/en-us/library/cc784090(WS.10).aspx
- http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx
To help prevent re-infection after cleaning, you may also want to consider changing the password for every account on the network, for every user in your environment.
Virus:Win32/Morto.A
Virus:Win32/Morto.A is a virus that spreads by infecting executable files; it is a memory-resident file-infector that injects its code into processes that are commonly running on your computer.
The virus downloads and runs code that it decrypts and stores in the registry which may contain additional payloads. The Win32/Morto family is also known for gaining access to remote desktop and network shares by using a set of common user names and passwords.