Morto: Computer Worm Spread via RDP

New worm has been reported by F-Secure Lab. The malware called Morto consists of several components includes executable dropper and a DLL that perform the payload. After executing the malware on local system the worm starts searching on the affected computer’s subnet and attempts to connect to located systems via the Remote Desktop Protocol Port 3389 (RDP).

Infected machine will be trying to compromise administrator passwords for Remote Desktop connections by using a list of most common passwords such as (admin, password, server , test etc.) once it logs to system, it copies clb.dll to a.dll on the machine and creates a file .reg in a directory.

Creating the reg file aims to modify the registry and ensure that rundll32.exe runs with Administrator privileges, and thus that the malware’s DLL, clb.dll does too.  Then the payload will be connecting to other hosts on internet so it will be able to download additional information and updating its component and it will be able to receive new instructions.

What is also interesting that Morto will start to stop some security processes that are related to popular antivirus services (such as AvastSvc ,avguard, avgwdsvc, avp etc.)

Morto is detected as Backdoor:W32/Morto.A and Worm:W32/Morto.B by F-Secure.


Notify of
Inline Feedbacks
View all comments