
Worm:Win32/Morto.A
http://www.securityhome.eu/malware/malware.php?mal_id=5996941174e5c7e967f3d46.89320594

Article URL: malware.php?mal_id=5996941174e5c7e967f3d46.89320594
Author: SecurityHome.eu
Published: 30 August 2011

Aliases: Worm:Win32/Morto.A is also known as Trojan horse Generic24.OJQ (AVG), Trojan.DownLoader4.48720 (Dr.Web), Win-Trojan/Helpagent.7184 (AhnLab), Troj/Agent-TEE (Sophos), Backdoor:Win32/Morto.A (Microsoft).

Explanation:
Worm:Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to guess administrator passwords for Remote Desktop connections on a network.

Installation

The malware consists of several components, including an executable dropper component (the installer) and a DLL component that performs the payload. When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll, and a second copy is written to c:\windows\offline web pages\cache.txt. If the malware updates itself, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry value HKLM\SYSTEM\WPA\md and exits.

The name clb.dll is chosen because it is the name of a real DLL (located in the System directory) that regedit loads. To get the malicious DLL loaded, the malware spawns a regedit process. Once regedit runs, it picks up the malicious clb.dll in preference to the real one because of the order in which Windows searches for DLLs: regedit.exe itself lives in the Windows directory, and an application's own directory is searched before the System directory (clb.dll is not a KnownDLL, so nothing short-circuits that search). The malicious DLL has encrypted configuration information appended to it, which it uses to download and execute new components.

The following files are also created by the malware:
* %windows%\temp\ntshrui.dll
* <system folder>\sens32.dll
* c:\windows\offline web pages\cache.txt - detected as Worm:Win32/Morto.A
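The search-order hijack described above is easy to hunt for: any DLL that exists both directly in the Windows directory and in System32 deserves a look, because programs that live in the Windows directory (regedit.exe, explorer.exe, notepad.exe) will load the top-level copy first. The script below is an added example, not part of the original analysis; it builds a throwaway directory tree (constructed, with a planted clb.dll) so that it runs anywhere, and on a real host would be pointed at %SystemRoot% instead.

```python
"""Hunt for DLLs in the Windows directory that shadow a same-named DLL in System32.

Added example, not from the original writeup. Morto plants clb.dll in %windir%
because regedit.exe lives there and an application's own directory is searched
before System32, so the planted copy wins. A constructed directory tree stands
in for a real Windows directory so the check runs offline.
"""
import os
import tempfile


def find_shadowing_dlls(windir: str) -> list:
    """Return lower-cased DLL names present both in windir and in windir/System32."""
    system32 = os.path.join(windir, "System32")
    top = {n.lower() for n in os.listdir(windir)
           if n.lower().endswith(".dll") and os.path.isfile(os.path.join(windir, n))}
    if not os.path.isdir(system32):
        return []
    sys32 = {n.lower() for n in os.listdir(system32) if n.lower().endswith(".dll")}
    return sorted(top & sys32)          # Windows file names are case-insensitive


def build_demo_tree() -> str:
    """Constructed sample: a fake Windows directory with a planted clb.dll."""
    root = tempfile.mkdtemp(prefix="morto_demo_")
    os.makedirs(os.path.join(root, "System32"))
    for name in ("clb.dll", "kernel32.dll", "sens.dll"):
        open(os.path.join(root, "System32", name), "wb").close()   # legitimate copies
    open(os.path.join(root, "regedit.exe"), "wb").close()          # the loader lives here
    open(os.path.join(root, "clb.dll"), "wb").close()              # planted hijack copy
    open(os.path.join(root, "twain_32.dll"), "wb").close()         # benign, not in System32
    return root


if __name__ == "__main__":
    # On a real host: find_shadowing_dlls(os.environ["SystemRoot"])
    print(find_shadowing_dlls(build_demo_tree()))   # ['clb.dll']
```

A hit is only a hijack if the loader's own directory is the Windows directory and the DLL is not on the KnownDLLs list (those are always resolved from System32 regardless of search order), so each result still needs a look at who loads it and whether the top-level copy is signed.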

The following registry modifications are made to load the DLLs as services upon system boot:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "%windir%\temp\ntshrui.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Description"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens
Sets value: "DependOnService"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\sens32.dll"

Initially, these files are clean and benign DLLs. They are used to load clb.dll in the same way as regedit. They may later be replaced with malicious components, which are downloaded to:
* c:\windows\offline web pages\cache.txt

and which replace sens32.dll via a value in the following registry subkey:
* HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Once loaded as a service inside svchost.exe, clb.dll reads the encrypted code stored in HKLM\SYSTEM\WPA, loads it and executes it. This code contains the worm functionality (see below for additional detail).

Spreads via

Compromising Remote Desktop connections on a network: port 3389 (RDP)
Worm:Win32/Morto.gen!A cycles through IP addresses on the affected computer's subnet and attempts to connect to the systems it finds using the following user names:

1, actuser, adm, admin, admin2, administrator, aspnet, backup, computer, console, david, guest, john, owner, root, server, sql, support, support_388945a0, sys, test2, test3, user, user1, user5

with the following passwords:

*1234, 0, 111, 123, 369, 1111, 12345, 111111, 123123, 123321, 123456, 168168, 520520, 654321, 666666, 888888, 1234567, 12345678, 123456789, 1234567890, !@#$%^, %u%, %u%12, 1234qwer, 1q2w3e, 1qaz2wsx, aaa, abc123, abcd1234, admin, admin123, letmein, pass, password, server, test, user

If the worm succeeds in logging into a system, it copies clb.dll to a.dll on that computer and creates a file, r.reg, in a directory that is temporarily mapped to A: (both are executed on the remote system by way of the \\tsclient\a drive-redirection share). The file r.reg contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\windows\system32\rundll32.exe"="RUNASADMIN"
"d:\windows\system32\rundll32.exe"="RUNASADMIN"
"e:\windows\system32\rundll32.exe"="RUNASADMIN"
"f:\windows\system32\rundll32.exe"="RUNASADMIN"
"g:\windows\system32\rundll32.exe"="RUNASADMIN"
"h:\windows\system32\rundll32.exe"="RUNASADMIN"
"i:\windows\system32\rundll32.exe"="RUNASADMIN"
"c:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"d:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"e:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"f:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"g:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"h:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"i:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
"c:\winnt\system32\rundll32.exe"="RUNASADMIN"
"c:\win2008\system32\rundll32.exe"="RUNASADMIN"
"c:\win2k8\system32\rundll32.exe"="RUNASADMIN"
"c:\win7\system32\rundll32.exe"="RUNASADMIN"
"c:\windows7\system32\rundll32.exe"="RUNASADMIN"

The intention of importing this .reg file appears to be to modify the registry so that rundll32.exe runs with Administrator privileges, and thus that the malware's DLL, clb.dll, does too. ConsentPromptBehaviorAdmin=0 lets administrators elevate without a prompt, the RUNASADMIN compatibility layer makes rundll32.exe request elevation whenever it starts, and EnableLUA=0 turns UAC off altogether, although that last setting only takes effect after a reboot. The HKEY_CURRENT_USER entries apply to the account whose password the worm guessed.
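Because the worm tries a fixed list of accounts and passwords against every host on the subnet, each target's Security log fills with failed logons from one source address against many user names. The detector below, an added example that is not part of the original writeup, scores that pattern. It assumes Windows Security event 4625 with logon type 10 (RemoteInteractive) or 3 (the type recorded when Network Level Authentication rejects the credentials); the log lines are constructed in a simplified key=value form rather than the event's raw XML, and the thresholds (10 failures against 4 accounts within 5 minutes) are illustrative choices, not values from the analysis.

```python
"""Spot Morto-style RDP password guessing in Windows failed-logon events.

Added example, not part of the original writeup. The worm walks the local subnet
and tries a fixed list of user names and passwords over port 3389, so each target
records a burst of failed logons (Security event 4625, logon type 10 for RDP or 3
when NLA is in use) from one source address against many accounts. The log lines
below are constructed in a simplified key=value form, not the event's raw XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# User names from the worm's list; hits on these strengthen the verdict.
MORTO_USERS = {"1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
               "backup", "computer", "console", "david", "guest", "john", "owner",
               "root", "server", "sql", "support", "support_388945a0", "sys",
               "test2", "test3", "user", "user1", "user5"}


def parse_event(line: str) -> Dict[str, str]:
    """'2011-08-29T10:00:01 EventID=4625 LogonType=10 ...' -> dict, timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def rdp_guessing_sources(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                         min_failures: int = 10, min_users: int = 4) -> List[Tuple[str, int, int, int]]:
    """(source_ip, failures, distinct_users, users_on_morto_list) for each source with at
    least min_failures RDP logon failures against at least min_users accounts inside one
    sliding window. Thresholds are illustrative, not taken from the writeup."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4625" and ev.get("LogonType") in ("10", "3"):
            by_src[ev["IpAddress"]].append((datetime.fromisoformat(ev["ts"]), ev["TargetUserName"].lower()))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            n = end - start + 1
            if n >= min_failures and len(users) >= min_users and (best is None or n > best[0]):
                best = (n, len(users), len(users & MORTO_USERS))
        if best:
            alerts.append((src, *best))
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: one worm-like burst, one user mistyping a password, one local failure."""
    t0 = datetime(2011, 8, 29, 10, 0, 0)
    guesses = ["administrator", "admin", "root", "guest", "sql", "support", "david",
               "john", "backup", "server", "user1", "test2", "administrator", "administrator"]
    lines = [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} EventID=4625 LogonType=10 "
             f"TargetUserName={u} IpAddress=10.0.0.23 Status=0xc000006d" for i, u in enumerate(guesses)]
    for i in range(3):   # alice fat-fingers her password over RDP, then gets in
        lines.append(f"{(t0 + timedelta(minutes=2, seconds=20 * i)).isoformat()} EventID=4625 "
                     f"LogonType=10 TargetUserName=alice IpAddress=10.0.0.7 Status=0xc000006a")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} EventID=4624 LogonType=10 "
                 f"TargetUserName=alice IpAddress=10.0.0.7 Status=0x0")
    lines.append(f"{(t0 + timedelta(minutes=4)).isoformat()} EventID=4625 LogonType=2 "
                 f"TargetUserName=bob IpAddress=127.0.0.1 Status=0xc000006a")
    return lines


if __name__ == "__main__":
    print(rdp_guessing_sources(constructed_log()))   # [('10.0.0.23', 14, 12, 12)]
```

On a live host the same fields come from the Security log (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}). The alert is the burst; the compromise signal is a 4624 success from a source that has already been flagged, which is exactly what precedes the a.dll copy and the r.reg import described above.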

Payload

Contacts remote host

Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:
* 210.3.38.82
* jifr.info
* jifr.co.cc
* jifr.co.be
* qfsl.net
* qfsl.co.cc
* qfsl.co.be

Newly downloaded components are saved under a file name of the following format: ~MTMP<4 hex digits 0-f>.exe

Performs Denial of Service attacks

Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.

Terminates processes

Morto.A terminates processes whose names contain the following strings. The selected strings indicate that the worm is attempting to stop processes belonging to popular security applications:

ACAAS, 360rp, a2service, ArcaConfSV, AvastSvc, avguard, avgwdsvc, avp, avpmapp, ccSvcHst, cmdagent, coreServiceShell, ekrn, FortiScand, FPAVServer, freshclam, fsdfwd, GDFwSvc, K7RTScan, knsdave, KVSrvXP, kxescore, mcshield, MPSvc, MsMpEng, NSESVC.EXE, PavFnSvr, RavMonD, SavService, scanwscs, SpySweeper, Vba32Ldr, vsserv, zhudongfangyu

Additional information

Morto stores configuration data in the subkey HKLM\SYSTEM\Wpa using the following registry values:
* HKLM\SYSTEM\Wpa\it
* HKLM\SYSTEM\Wpa\id
* HKLM\SYSTEM\Wpa\sn
* HKLM\SYSTEM\Wpa\ie
* HKLM\SYSTEM\Wpa\md
* HKLM\SYSTEM\Wpa\sr

It also makes the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Windows
Sets value: "NoPopUpsOnBoot"
With data: "1"
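A worked check covering both the r.reg file the worm imports on a newly compromised host (Spreads via, above) and the registry persistence left on an infected host (the 6to4/Sens ServiceDll entries from Installation, the HKLM\SYSTEM\Wpa values and NoPopUpsOnBoot from this section). This is an added example, not code from the original analysis: one small .reg-text parser feeds two checks. The r.reg content is the file listed above written in .reg syntax (backslashes doubled inside quoted strings); the HKLM\SYSTEM excerpt is constructed and simplified, since a real reg export encodes REG_EXPAND_SZ data as hex(2):... which this parser keeps as raw text rather than decoding.

```python
"""Parse .reg text and flag the registry changes described in the Morto writeup.

Added example, not code from the original analysis. One parser serves two checks:
(1) the r.reg file the worm imports on a freshly compromised host (UAC off,
rundll32.exe forced to RUNASADMIN) and (2) the persistence marks on an infected
host (6to4/Sens ServiceDll, HKLM\\SYSTEM\\WPA values, NoPopUpsOnBoot). The
HKLM\\SYSTEM excerpt is constructed and simplified: a real "reg export" writes
REG_EXPAND_SZ data as hex(2):..., which this parser keeps as raw text.
"""
import re
from typing import Dict, List, Union

Reg = Dict[str, Dict[str, Union[str, int]]]   # lower-cased key path -> {value name -> data}
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")    # .reg quoting rules


def parse_reg(text: str) -> Reg:
    """Minimal .reg parser: [key] sections, "name"=data lines, dword:/string data."""
    reg: Reg = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if key is None or not m:
            continue                                        # header, comment or blank line
        name = _unescape(m.group(1) or "@").lower()
        data = m.group(2).strip()
        if data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            reg[key][name] = _unescape(data[1:-1])
        else:
            reg[key][name] = data                           # hex(...) blobs kept verbatim
    return reg


def uac_weakening(reg: Reg) -> List[str]:
    """What importing r.reg buys the worm: no UAC prompt and an elevated rundll32.exe."""
    out = []
    pol = reg.get(r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system", {})
    if pol.get("enablelua") == 0:
        out.append("EnableLUA=0: UAC disabled (after reboot)")
    if pol.get("consentpromptbehavioradmin") == 0:
        out.append("ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt")
    for key, values in reg.items():
        if key.endswith(r"\appcompatflags\layers"):
            for prog, layer in values.items():
                if prog.endswith("rundll32.exe") and "RUNASADMIN" in str(layer).upper():
                    out.append(f"RUNASADMIN layer on {prog}")
    return out


def morto_persistence(reg: Reg) -> List[str]:
    """Indicators from the writeup, checked against an exported HKLM\\SYSTEM hive."""
    out = []
    planted = {"ntshrui.dll", "sens32.dll"}                 # ServiceDll names the worm installs
    for svc in ("6to4", "sens"):
        params = reg.get("hkey_local_machine\\system\\currentcontrolset\\services\\%s\\parameters" % svc, {})
        dll = str(params.get("servicedll", "")).lower()
        if dll and (dll.rsplit("\\", 1)[-1] in planted or "\\system32\\" not in dll):
            out.append(f"{svc} ServiceDll suspicious: {dll}")
    wpa = reg.get(r"hkey_local_machine\system\wpa", {})
    hits = [n for n in ("it", "id", "sn", "ie", "md", "sr") if n in wpa]
    if hits:
        out.append("HKLM\\SYSTEM\\WPA config values present: " + ", ".join(hits))
    ctl = reg.get(r"hkey_local_machine\system\currentcontrolset\control\windows", {})
    if ctl.get("nopopupsonboot") == 1:
        out.append("NoPopUpsOnBoot=1: start-up error pop-ups suppressed")
    return out


# r.reg exactly as listed in the writeup, in .reg syntax (backslashes doubled inside quotes).
_RUNDLL32 = ([rf"{d}:\\windows\\system32\\rundll32.exe" for d in "cdefghi"]
             + [rf"{d}:\\windows\\SysWOW64\\rundll32.exe" for d in "cdefghi"]
             + [rf"c:\\{w}\\system32\\rundll32.exe" for w in ("winnt", "win2008", "win2k8", "win7", "windows7")])
R_REG = ("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\n"
         '"ConsentPromptBehaviorAdmin"=dword:0\n"EnableLUA"=dword:0\n'
         "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers]\n"
         + "".join(f'"{p}"="RUNASADMIN"\n' for p in _RUNDLL32))

# Constructed HKLM\SYSTEM excerpt from an infected host (simplified export format).
SYSTEM_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="%windir%\\temp\\ntshrui.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sens\Parameters]
"ServiceDll"="C:\\Windows\\System32\\sens32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\WPA]
"it"=hex:9e,3b,71,c4
"md"=hex:0f,a2,66,d8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"NoPopUpsOnBoot"=dword:00000001
"""

if __name__ == "__main__":
    for finding in uac_weakening(parse_reg(R_REG)) + morto_persistence(parse_reg(SYSTEM_EXPORT)):
        print(finding)
```

The ServiceDll test deliberately flags sens32.dll even though it sits in System32: a ServiceDll whose name is not the one the service shipped with is the indicator, not the directory alone. On a live host, feed the parser the output of reg export HKLM\SYSTEM and reg export HKCU (and extend the string branch to decode hex(2) data) rather than the constructed excerpt.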

Analysis by Matt McCormack

Last update 30 August 2011
