    We were alerted to reports of a Crisis/MORCUT malware that supposedly spreads on VMware virtual machines. Our previous post about Crisis/MORCUT described it as a backdoor found to specifically target Mac OS X systems. This time around, the Crisis/MORCUT variant we have on our hands runs on Windows and, interestingly, mounts virtual disks. It locates them by reading the VMware configuration files on the host system, which record where any installed virtual machines are stored.

    Currently, the arrival mechanism for this variant has not been fully determined. However, it appears to start with the download of a malicious Java applet (detected as JAVA_AGENT.NTW). The Java applet is packaged with two files: mac, the backdoor OSX_MORCUT.A, and win, a worm detected as WORM_MORCUT.A. The win file is executed on Windows operating systems. This file then drops the following component files:

    • IZsROY7X.-MP – (32-bit DLL) currently detected as WORM_MORCUT.A
    • t2HBeaM5.OUk – (64-bit DLL) currently detected as WORM_MORCUT.A
    • eiYNz1gd.Cfp
    • WeP1xpBU.wA – (32-bit device driver) detected as TROJ_MORCUT.A
    • 6EaqyFfo.zIK – (64-bit device driver) detected as TROJ_MORCUT.A
    • lUnsA3Ci.Bz7 – (32-bit DLL) a non-malicious file

    Based on our initial analysis, WORM_MORCUT.A has the ability to spread through USB devices and VMware virtual disks. It uses the device driver component TROJ_MORCUT.A to mount virtual disks. While these capabilities suggest it could spread aggressively, we are not seeing many infections of either WORM_MORCUT.A or TROJ_MORCUT.A as of this writing.
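    The two host-side facts above, that the worm locates virtual disks through VMware configuration files and that it drops components with the file names listed earlier, can both be turned into an audit check. The following Python script is an added example, not Trend Micro's code or anything from the malware: it parses the disk entries of a VMware .vmx file so an administrator can inventory which virtual disk files on a host are exposed to this kind of mounting, and it flags any file whose name matches one of the dropped components. The .vmx content and the file paths are constructed samples.

```python
import os
import re
from typing import Dict, Iterable, List

# File names the post reports WORM_MORCUT.A drops. A name match alone is
# only a weak indicator; confirm any hit with a scan before acting on it.
MORCUT_DROPPED_NAMES = {
    "IZsROY7X.-MP", "t2HBeaM5.OUk", "eiYNz1gd.Cfp",
    "WeP1xpBU.wA", "6EaqyFfo.zIK", "lUnsA3Ci.Bz7",
}

# Matches VMware .vmx disk entries such as  scsi0:0.fileName = "disk.vmdk"
_VMX_DISK_RE = re.compile(
    r'^\s*((?:scsi|ide|sata)\d+:\d+)\.fileName\s*=\s*"([^"]+)"', re.IGNORECASE)

# Constructed .vmx sample: two virtual disks plus a CD-ROM image entry.
SAMPLE_VMX = r"""
.encoding = "UTF-8"
config.version = "8"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "win7.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "C:\ISO\install.iso"
ide1:0.deviceType = "cdrom-image"
sata0:1.fileName = "/vmfs/volumes/store/data.vmdk"
"""

def parse_vmx_disks(vmx_text: str, vmx_dir: str = ".") -> Dict[str, str]:
    """Return {device: path} for every .vmdk referenced in a .vmx file.

    Relative names are resolved against the directory holding the .vmx,
    which is how VMware itself interprets them."""
    disks: Dict[str, str] = {}
    for line in vmx_text.splitlines():
        m = _VMX_DISK_RE.match(line)
        if not m:
            continue
        device, name = m.group(1).lower(), m.group(2)
        if not name.lower().endswith(".vmdk"):
            continue  # CD-ROM images and the like are not virtual disks
        # Treat both POSIX and Windows drive-letter paths as absolute.
        is_abs = os.path.isabs(name) or re.match(r"^[A-Za-z]:[\\/]", name)
        disks[device] = name if is_abs else os.path.normpath(os.path.join(vmx_dir, name))
    return disks

def flag_dropped_components(paths: Iterable[str]) -> List[str]:
    """Return the paths whose base name matches a known dropped component."""
    return sorted(p for p in paths if os.path.basename(p) in MORCUT_DROPPED_NAMES)

def scan_tree(root: str) -> List[str]:
    """Walk a directory tree and flag matching file names under it."""
    found = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return flag_dropped_components(found)
```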

    As we earlier reported in our Cloud Security blog post, our initial analysis reveals this Crisis/MORCUT variant may affect Type 2 hypervisor deployments. The protection provided by both Trend Micro™ Deep Security™ and Trend Micro™ OfficeScan™ ensures that Trend Micro customers are safe from Crisis/MORCUT malware.

    Analyses on both WORM_MORCUT.A and TROJ_MORCUT.A are underway. Watch this space for updates on those. In the meantime, OfficeScan users should update to the latest patterns. All patterns are available in our Download Center.

    Update as of August 24, 2012, 10:50 AM PST

    The Java file that downloads WORM_MORCUT.A is now detected as JAVA_MORCUT.A. The files dropped by WORM_MORCUT.A are now known as RTKT_MORCUT.A. Both are cleaned by the latest pattern files.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice