Worm.Morto is an Internet worm that spreads to systems over the Remote Desktop Protocol (RDP). It scans the network for the RDP port and attempts to connect to remote machines; this scanning generates a large volume of network traffic on port 3389/TCP (the RDP port). The worm carries a list of default passwords that it uses to log in to Remote Desktop servers, which is how it spreads.
When Worm.Morto is executed, it performs the following activities:
It drops the following files:
C:\WINDOWS\Offline Web Pages\cache.txt (cache.txt is a PE file)
C:\WINDOWS\system32\Sens32.dll
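A host-side check for the dropped files listed above, written as an added example (not code from the original write-up or from any vendor tool). It goes beyond the single cache.txt case: besides testing for the two listed paths, it flags any file whose extension is not a usual executable one but whose content parses as a PE image. The function names, the extension allow-list and the sample bytes are assumptions made for this illustration.

```python
import struct
import tempfile
from pathlib import Path

# Paths listed on this page, relative to the system drive root.
MORTO_DROPPED = ["WINDOWS/Offline Web Pages/cache.txt", "WINDOWS/system32/Sens32.dll"]
# Extensions expected to hold PE images (assumption; adjust locally).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_drive(root) -> dict:
    """Report listed paths that exist, and PE images behind non-PE extensions."""
    root = Path(root)
    present = [p for p in MORTO_DROPPED if (root / p).is_file()]
    disguised = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in PE_EXTENSIONS:
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(4096)  # headers only; e_lfanew past this reads as non-PE
        except OSError:
            continue  # locked or unreadable file
        if is_pe_image(head):
            disguised.append(path.relative_to(root).as_posix())
    return {"present": present, "disguised_pe": disguised}


def constructed_pe() -> bytes:
    """Constructed sample: DOS header plus PE signature only, not a real binary."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp, "WINDOWS", "Offline Web Pages")
        folder.mkdir(parents=True)
        (folder / "cache.txt").write_bytes(constructed_pe())
        (folder / "notes.txt").write_bytes(b"MZ alone is not a PE header")
        print(check_drive(tmp))
```

Point check_drive at the root of a mounted disk image or the system drive; a Sens32.dll hit still needs its hash or signature reviewed, since the name alone proves nothing.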