New Morto Worm More Potent

Wednesday, August 1, 2012 @ 01:08 PM gHale

The Morto worm has added file-infection capability to its existing ability to compromise remote desktop protocol (RDP) connections by exploiting weak administrator passwords.

Microsoft warned last year that once Morto compromises a system, it connects to a remote server to download additional information and update its components. The worm also terminates processes for locally running security applications to ensure its activity continues uninterrupted.


The new Morto variant “infects .EXE files found on fixed and removable drives as well as on default RDP and Administrative shares, but avoids infecting files that contain strings like ‘windows’, ‘winnt’, ‘qq’, ‘Outlook’, ‘System Volume Information’ or ‘RECYCLER’ in their path,” said Edgardo Diaz Jr. with the Microsoft Malware Protection Center. “Morto also leaves an infection marker, ‘PPIF’, in infected files.”

Similar to earlier memory-resident viruses, Morto’s payload and infection routine execute in the context of other processes, Diaz said. To avoid multiple injections into the same process (or running multiple copies of the virus), the worm creates a mutex called “Global\_PPIftSvc”, he added.
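The file-infection behaviour quoted above can be turned into a simple triage sweep. The script below is an added example, not code from the article or from Microsoft: it walks a directory, checks every .EXE for the ‘PPIF’ marker, and notes whether the path is one the worm itself would target. It assumes the marker may sit anywhere in the file and that the worm's path strings match case-insensitively; neither detail is stated in the article, and a marker hit is a lead for further analysis, not proof of infection.

```python
import os
import tempfile
from pathlib import Path

# Path substrings the worm avoids, per the MMPC description quoted above.
# Case-insensitive matching is an assumption; the article does not say.
MORTO_SKIP_STRINGS = ("windows", "winnt", "qq", "outlook",
                      "system volume information", "recycler")
MARKER = b"PPIF"  # infection marker the article reports


def is_morto_candidate(path: str) -> bool:
    """True if a file matches what the worm targets: a .EXE whose path
    contains none of the strings it avoids. Used to rank findings only."""
    p = path.lower()
    return p.endswith(".exe") and not any(s in p for s in MORTO_SKIP_STRINGS)


def has_ppif_marker(data: bytes) -> bool:
    """Assumption: marker position is unknown, so the whole file is searched."""
    return MARKER in data


def scan_tree(root: str) -> list:
    """Check every .EXE under root, including paths the worm skips: a
    defender should not trust the worm's own exclusion list.
    Returns sorted (relative_posix_path, marker_found, worm_candidate)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.suffix.lower() != ".exe":
                continue
            rel = full.relative_to(root).as_posix()
            findings.append((rel, has_ppif_marker(full.read_bytes()),
                             is_morto_candidate(rel)))
    return sorted(findings)


def demo() -> list:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed file contents, not real Morto samples
        "app/tool.exe": b"MZ\x90\x00 fake body PPIF trailer",
        "app/clean.exe": b"MZ\x90\x00 fake body without marker",
        "Windows/system.exe": b"MZ\x90\x00 PPIF in a path the worm skips",
        "notes.txt": b"PPIF in a non-EXE file is ignored",
    }
    for rel, body in samples.items():
        dest = Path(root, rel)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(body)
    return scan_tree(root)
```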

Diaz cautioned organizations to use strong passwords for administrator and user accounts and to verify passwords are not similar to the ones the malware is using to spread.
