Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
    • About Us
    Trendlabs Security Intelligence > More MORTO Infections Found

    We’ve been continuously receiving infection reports, specifically from the APAC and NABU regions, related to a certain malware that uses Remote Desktop Protocol to propagate.

    Detected as WORM_MORTO.SMA, this malware drops its component files, including a .DLL file, which is dropped onto the Windows folder. The said .DLL file, which bears the file name clb.dll, is detected as WORM_MORTO.SM. WORM_MORTO.SM acts as a loader for the malware and places its own clb.dll in the %Windows% folder to exploit the way by which Windows finds files. Windows typically loads the %Windows% folder before the %System% folder where the legitimate clb.dll file is located. By doing so, the malware’s .DLL file is loaded before the legitimate one whenever regedit.exe is executed.

    When WORM_MORTO.SM loads, it decrypts a file that contains the malware’s payload. It searches for Remote Desktop Servers associated with the infected system and attempts to log in as an administrator using a predefined set of passwords. Once a successful connection is established, it drops a copy of WORM_MORTO.SM into a temporary directory in the system.

    Note that dropping files is not the only action a cybercriminal will be able to do once it remotely accesses the system through RDP. It was designed so a user can remotely access an entire system, thus allowing a cybercriminal to obtain complete access to an infected system.

    According to my colleague Karl Dominguez, it appears that this attack aims to indeed give an attacker full control of an infected system and of a whole network since the malware logs in using an administrator account. Anything can be done in the system at this point, including information theft, especially if the malware infiltrates servers.

    Trend Micro customers are protected from this threat, as the malicious files are now detected as WORM_MORTO.SMA and WORM_MORTO.SM. In addition, the URLs this malware uses to accesses its servers are now blocked.

    As a form of prevention against this threat, and against similar threats, users are advised to use strong passwords and to enable firewall settings. Network administrators are also encouraged to require a secure VPN connection before allowing users to use Remote Desktop Connection.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, September 1st, 2011 at 10:25 am and is filed under Malware . Both comments and pings are currently closed.



    • http://trendargentina.com.ar Silvina

      According to my colleague Fernando De la Fuente, the malicious files are now detected as WORM_MORTO.SMA. Tks!



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice