Worm Morto Spreading via RDP

Our research team came across a worm that, upon execution, wriggles its way through systems using the RDP port. This worm is known as Morto and it is spreading very quickly in the wild. Morto uses RDP (Remote Desktop Protocol) to connect to remote systems and scans the network for the RDP port, which creates a lot of traffic on port 3389/TCP. It carries a list of default passwords that it uses to get into a system. The Morto worm spreads by logging into remote desktop servers.

Upon execution, it performs the following activities:

It drops the following file:
C:\WINDOWS\Offline Web Pages\cache.txt — cache.txt is a PE file.

It modifies the following registry entries:

HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000006
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x0000000A

HKLM\SYSTEM\ControlSet001\Services\SENS\DependOnService: ‘EventSystem’
HKLM\SYSTEM\ControlSet001\Services\SENS\DependOnService: 00

HKLM\SYSTEM\ControlSet001\Services\SENS\Group: “Network”
HKLM\SYSTEM\ControlSet001\Services\SENS\Group: “SchedulerGroup”

HKLM\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll: “%SystemRoot%\system32\sens.dll”
HKLM\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll: “C:\WINDOWS\system32\Sens32.dll”

It connects to the remote server “” and tries to download a file ‘160.rar’.
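A host triage check for two of the indicators listed above, the PE file stored as cache.txt and the changed SENS ServiceDll value. This is an added example, not Quick Heal's code; it assumes the first value of each registry pair is the original one, and the function names and the constructed SAMPLE_PE bytes are illustrative.

```python
import struct
from typing import List, Optional

# Indicators copied from the listing above. Assumption: in each registry pair the
# first value is the original and the second is what the worm wrote.
SENS_PARAMS = r"SYSTEM\ControlSet001\Services\SENS\Parameters"
ORIGINAL_DLL = r"%SystemRoot%\system32\sens.dll"
DROPPED_FILE = r"C:\WINDOWS\Offline Web Pages\cache.txt"

# Constructed sample: the smallest byte string that carries MZ and PE signatures.
SAMPLE_PE = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"

def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def service_dll_changed(value: str) -> bool:
    """True if the SENS ServiceDll value differs from the original (case-insensitive)."""
    return value.strip().lower() != ORIGINAL_DLL.lower()

def triage(service_dll: str, cache_txt: Optional[bytes]) -> List[str]:
    """Return one finding per indicator present; cache_txt is None if the file is absent."""
    findings = []
    if service_dll_changed(service_dll):
        findings.append("SENS ServiceDll is %r" % service_dll)
    if cache_txt is not None and is_pe(cache_txt):
        findings.append("%s has a PE header" % DROPPED_FILE)
    return findings

def read_live():
    """Windows only: read the ServiceDll value and the start of cache.txt from this host."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SENS_PARAMS) as key:
        dll, _ = winreg.QueryValueEx(key, "ServiceDll")
    try:
        with open(DROPPED_FILE, "rb") as fh:
            return dll, fh.read(4096)
    except OSError:
        return dll, None

if __name__ == "__main__":
    print(triage(r"C:\WINDOWS\system32\Sens32.dll", SAMPLE_PE))
```

On a Windows host, `triage(*read_live())` runs the same checks against the live registry and file system.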

Quick Heal detects this infection as Worm.Morto.a and protects its users.

Thanks to Laxmikant N for the analysis.

Ranjeet Menon
