New Morto Strain Emerges With File Infection Capability

ID THREATPOST:3B69479DDB565EF5185D0F3D028B14F1
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:03:26


A new strain of the Morto worm has added a file infection capability in addition to its existing ability to compromise remote desktop connections, according to new research from Microsoft.

Now Morto is infecting files in the default RDP file share, ‘tsclient,’ after it determines which drives it can connect to. According to Microsoft’s research, Morto is targeting all shared drives on the network.

The worm is infecting .EXE files on default RDP and administrative shares as well as removable drives, and it marks each file it infects with the letters ‘PPIF.’ However, the worm is avoiding files that contain strings like ‘windows,’ ‘winnt,’ ‘qq,’ ‘outlook,’ ‘system volume information,’ or ‘recycler’ in their path.

Morto is using a mutex (mutual exclusion) called ‘Global_PPIftSvc’ to avoid multiple injections into the same processes. It stores its payload in the registry and has the capacity to download new or updated instructions from a remote host, which are decrypted and executed later.

The Microsoft Malware Protection Center recommends that administrators use strong passwords to avoid this sort of infection.

A previous iteration of the Morto worm popped up a year ago when it began infecting machines by running a brute-force password-attack on the remote desktop protocol (RDP) service. At the time, researchers said it was the first worm to use such a tactic.