WORM_MORTO.SM

This worm uses Remote Desktop Protocol (RDP) for its propagation routines.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It deletes the initially executed copy of itself.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• WORM_MORTO.SMA

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\clb.dl
• %Windows%\Offline Web Pages\cache.txt

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following file(s)/component(s):

• %System%\Sens32.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following non-malicious file:

• %Windows%\Offline Web Pages\%yyyy-mm-dd%

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It injects itself into the following processes as part of its memory residency routine:

• svchost.exe

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\WPA
it = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
id = "1293D1C15VAVUJTN"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
ie = "%current folder%\{malware name}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
md = "{garbage code}"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
sn = "6to4"

HKEY_LOCAL_MACHINE\SYSTEM\WPA
sr = "Sens"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Windows
NoPopUpsOnBoot = "1"

Process Termination

This worm terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• ACAAS
• ArcaConfSV
• AvastSvc
• FPAVServer
• FortiScand
• GDFwSvc
• K7RTScan
• KVSrvXP
• MPSvc
• MsMpEng
• NSESVC.EXE
• PavFnSvr
• RavMonD
• SavService
• SpySweeper
• Vba32Ldr
• a2service
• avgwdsvc
• avpmapp
• ccSvcHst
• cmdagent
• coreServiceShell
• freshclam
• fsdfwd
• knsdave
• kxescore
• mcshield
• scanwscs
• vsserv

Other Details

This worm deletes the initially executed copy of itself

NOTES:

This worm creates a backup copy of its dropped file as %Windows%\clb.dll.bak.

The file %system%\clb.dll is a legitimate file which is used by regedit.exe. That is why the copy of this malware is placed in %Windows% directory is to trick regedit.exe that the dropped file is the component that it needs. Therefore, regedit.exe loads the malicious clb.dll into the system.

It listens to port 3389/TCP, the port for RDP, for possible enabled Remote Desktop. This worm searches for Remote Desktop Servers, and tries to log-in as Administrator using the following usernames:

• actuser
• admin
• admin1
• admin123
• admin2
• administrator
• aspnet
• backup
• computer
• console
• david
• dragon
• guest
• owner
• princess
• server
• support
• support_388945a0
• test1
• test2
• test3
• user1
• user2
• user3
• user4
• user5

It also tries the following passwords:

• !@#$%
• $1234
• %u%111111
• %u%12
• %u%123
• %u%1234
• %u%123456
• 000000
• 111111
• 1111111
• 111222
• 112233
• 11223344
• 121212
• 123123
• 123321
• 12344321
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 1234567890
• 1234qwer
• 1314520
• 159357
• 168168
• 1q2w3e
• 1qaz2wsx
• 22222222
• 31415926
• 520520
• 654321
• 666666
• 7777777
• 77777777
• 789456
• 888888
• 88888888
• 987654
• 987654321
• 999999
• 1234
• PASSWORD
• Password
• Z1234
• abc123
• abcd1234
• actuser
• admin
• admin1
• admin123
• admin2
• administrator
• aspnet
• backup
• computer
• console
• david
• dragon
• guest
• iloveyou
• letmein
• owner
• password
• princess
• qazwsx
• rockyou
• secret
• server
• super
• support
• support_388945a0
• test1
• test2
• test3
• user1
• user2
• user3
• user4
• user5
• zxcvbnm

• rundll32 \\tsclient\a\a.dll a

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
  ConsentPromptBehaviorAdmin=0
  EnableLUA=0
  

• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
  c:\\windows\\system32\\rundll32.exe=RUNASADMIN
  d:\\windows\\system32\\rundll32.exe=RUNASADMIN
  e:\\windows\\system32\\rundll32.exe=RUNASADMIN
  f:\\windows\\system32\\rundll32.exe=RUNASADMIN
  g:\\windows\\system32\\rundll32.exe=RUNASADMIN
  h:\\windows\\system32\\rundll32.exe=RUNASADMIN
  i:\\windows\\system32\\rundll32.exe=RUNASADMIN
  c:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  d:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  e:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  f:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  g:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  h:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  i:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
  c:\\winnt\\system32\\rundll32.exe=RUNASADMIN
  c:\\win2008\\system32\\rundll32.exe=RUNASADMIN
  c:\\win2k8\\system32\\rundll32.exe=RUNASADMIN
  c:\\win7\\system32\\rundll32.exe=RUNASADMIN
  c:\\windows7\\system32\\rundll32.exe=RUNASADMIN

• {BLOCKED}r.{BLOCKED}o.be
• {BLOCKED}r.{BLOCKED}o.cc
• {BLOCKED}r.info
• {BLOCKED}r.net
• {BLOCKED}l.{BLOCKED}o.be
• {BLOCKED}l.{BLOCKED}o.cc
• {BLOCKED}l.net
• {BLOCKED}0.{BLOCKED}.38.82