A new worm has been reported by F-Secure Lab. The malware is called Morto and consists of several components, including an executable dropper and a DLL that delivers the payload.
Once the malware is executed on a local system, the worm scans the infected computer’s subnet and attempts to connect to the systems it finds via the Remote Desktop Protocol (RDP) on port 3389.
"We don't see that many internet worms these days. It's mostly just bots and trojans. But we just found a new internet worm, and it's spreading in the wild," said F-Secure.
"It uses a new spreading vector that we haven't seen before: RDP."
Infected machines then try to compromise administrator passwords for Remote Desktop connections by using a list of the most common passwords, such as admin, password, server, test, etc.
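One way to spot this behaviour from the defender's side, as an added example that is not from the article or from F-Secure: a worm guessing common administrator passwords over RDP leaves a burst of failed remote logons (Windows Security Event ID 4625, logon type 10 for RemoteInteractive, or type 3 when Network Level Authentication rejects the attempt first) on every host it probes, often across several hosts on the same subnet, sometimes followed by a success (Event ID 4624) from the same source. The script below flags any source address that produces a configurable number of such failures inside a short window and escalates when a success follows. The event tuples, the threshold, the window and the account names are constructed sample data and assumptions; the event IDs and logon types are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that indicate a remote (RDP-style) logon attempt.
# 10 = RemoteInteractive; with NLA enabled, failures are often logged as type 3 (Network).
REMOTE_LOGON_TYPES = {10, 3}

# Constructed sample records, not real telemetry:
# (timestamp, event_id, logon_type, account, source_ip, target_host)
SAMPLE_EVENTS = [
    ("2011-08-28T10:00:01", 4625, 10, "administrator", "10.0.0.23", "FS01"),
    ("2011-08-28T10:00:02", 4625, 10, "admin",         "10.0.0.23", "FS01"),
    ("2011-08-28T10:00:03", 4625, 10, "administrator", "10.0.0.23", "FS01"),
    ("2011-08-28T10:00:04", 4625, 10, "administrator", "10.0.0.23", "WS07"),
    ("2011-08-28T10:00:05", 4625, 10, "administrator", "10.0.0.23", "WS07"),
    ("2011-08-28T10:00:06", 4625, 10, "administrator", "10.0.0.23", "WS07"),
    ("2011-08-28T10:00:09", 4624, 10, "administrator", "10.0.0.23", "WS07"),  # success after guessing
    ("2011-08-28T09:15:00", 4625, 10, "jsmith",        "10.0.0.50", "FS01"),  # a single typo, benign
    ("2011-08-28T09:15:30", 4624, 10, "jsmith",        "10.0.0.50", "FS01"),
    ("2011-08-28T10:00:10", 4625, 2,  "jsmith",        "10.0.0.23", "WS07"),  # console logon, ignored
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: details} for sources whose remote-logon failures exceed `threshold`
    within `window`. `threshold` and `window` are tuning assumptions, not fixed values."""
    failures = defaultdict(list)   # source_ip -> [(time, account, target_host)]
    successes = defaultdict(list)  # source_ip -> [time]
    for ts, event_id, logon_type, account, src, target in events:
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        t = _parse(ts)
        if event_id == 4625:
            failures[src].append((t, account, target))
        elif event_id == 4624:
            successes[src].append(t)

    alerts = {}
    for src, fails in failures.items():
        burst = max_in_window([f[0] for f in fails], window)
        if burst < threshold:
            continue
        first_failure = min(f[0] for f in fails)
        alerts[src] = {
            "failures_in_window": burst,
            # Several targets from one source is the lateral-movement pattern, not a user typo.
            "targets": sorted({f[2] for f in fails}),
            "accounts": sorted({f[1] for f in fails}),
            # A success after a run of failures deserves immediate follow-up on that target.
            "success_after_failures": any(s > first_failure for s in successes[src]),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

Because the worm walks a subnet rather than hammering one host, the useful signal is failures aggregated per source address across all hosts that forward their Security logs, not failures on a single host; the per-host view from a domain controller alone will miss the stand-alone machines the worm also probes.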
Once it logs into a system, it copies clb.dll as a.dll to the machine and creates a .reg file in the same directory.
The .reg file modifies the registry to ensure that rundll32.exe runs with Administrator privileges, so the malware’s DLL and clb.dll run with those privileges too.
The payload is then delivered to other hosts on the internet, allowing the worm to download additional information and to update its components in order to receive new instructions.
Also of note is that Morto terminates security processes associated with popular antivirus products, such as AvastSvc, AVguard, AVGWDSVC, AVP, and others.
Morto is detected as Backdoor:W32/Morto.A and Worm:W32/Morto.B by F-Secure.