We were alerted to reports of a Crisis/MORCUT malware that supposedly spreads on VMware virtual machines. Our previous post about Crisis/MORCUT noted that it is a backdoor that specifically targets Mac OS X systems. This time around, the Crisis/MORCUT we have on our hands runs on Windows and, interestingly, mounts virtual disks. It does this by reading the VMware configuration files on the host system to locate any installed virtual machines.
Currently, the arrival mechanism for this variant is still to be fully determined. However, it appears to have started with the download of a malicious Java applet (detected as JAVA_AGENT.NTW). The Java applet is packaged with two files: mac, the backdoor OSX_MORCUT.A, and win, a worm detected as WORM_MORCUT.A. The win file is executed on a Windows operating system and drops the following component files:
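The host-side behaviour described above (locating virtual machines from their configuration files and then touching the powered-off virtual disks) is something a defender can watch for. The following Python script is an added example, not code from the original post or from Trend Micro: it parses the plain-text `.vmx` format for disk entries, records a SHA-256 baseline of the referenced `.vmdk` files, and later reports any disk whose content changed while the guest was not running. The function names and the sample `.vmx` content and disk file are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# A .vmx file is plain text with lines of the form:  key = "value"
# (hypothetical helper names below; the format itself is VMware's).
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def vmdk_paths_from_vmx(vmx_text, vmx_dir):
    """Return the virtual-disk paths a .vmx refers to, resolved against its directory."""
    paths = []
    for line in vmx_text.splitlines():
        m = VMX_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Disk attachments use keys such as scsi0:0.fileName; CD-ROM entries
        # ("auto detect") and non-.vmdk values are skipped.
        if key.lower().endswith(".filename") and value.lower().endswith(".vmdk"):
            paths.append(os.path.normpath(os.path.join(vmx_dir, value)))
    return paths


def sha256_of(path):
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record a hash per disk while the guest is powered off."""
    return {p: sha256_of(p) for p in paths}


def changed_disks(baseline_hashes):
    """Disks whose current content no longer matches the recorded baseline."""
    return sorted(p for p, digest in baseline_hashes.items() if sha256_of(p) != digest)


def demo():
    """Constructed end-to-end run: baseline, simulate a host-side write, re-check."""
    with tempfile.TemporaryDirectory() as d:
        vmx = (
            'scsi0:0.present = "TRUE"\n'
            'scsi0:0.fileName = "guest.vmdk"\n'
            'ide1:0.fileName = "auto detect"\n'
        )
        disk = os.path.join(d, "guest.vmdk")
        with open(disk, "wb") as f:
            f.write(b"constructed disk image, not a real VMDK")  # constructed sample
        paths = vmdk_paths_from_vmx(vmx, d)
        base = baseline(paths)
        before = changed_disks(base)
        # Simulate something on the host writing into the powered-off disk.
        with open(disk, "ab") as f:
            f.write(b"injected bytes")
        after = changed_disks(base)
        return len(paths), before, [os.path.basename(p) for p in after]


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken right after a guest is shut down and compared just before it is next powered on; any difference in between means the disk image was modified from the host side, which is exactly the access pattern this variant relies on.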
- IZsROY7X.-MP – (32-bit DLL) currently detected as WORM_MORCUT.A
- t2HBeaM5.OUk – (64-bit DLL) currently detected as WORM_MORCUT.A
- WeP1xpBU.wA – (32-bit device driver) detected as TROJ_MORCUT.A
- 6EaqyFfo.zIK – (64-bit device driver) detected as TROJ_MORCUT.A
- lUnsA3Ci.Bz7 – (32-bit DLL) a non-malicious file
Based on our initial analysis, WORM_MORCUT.A has the ability to spread through USB devices and VMware virtual disks. It uses the device driver component TROJ_MORCUT.A to mount the virtual disks. While these capabilities may suggest it should be spreading aggressively, we are not seeing a lot of infections of either WORM_MORCUT.A or TROJ_MORCUT.A as of this writing.
As we earlier reported in our Cloud Security blog post, our initial analysis reveals that this Crisis/MORCUT variant may affect Type 2 hypervisor deployments. The protection provided by Trend Micro™ Deep Security™ and Trend Micro™ OfficeScan™ ensures that Trend Micro customers are safe from Crisis/MORCUT malware.
Analyses on both WORM_MORCUT.A and TROJ_MORCUT.A are underway. Watch this space for updates on those. In the meantime, OfficeScan users should update to the latest patterns. All patterns are available in our Download Center.
Update as of August 24, 2012, 10:50 AM PST