# Aug 28 Morto / Tsclient - RDP worm with DDoS features **[contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html](http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html)** According to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets. I can add that it runs what it looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers. ----- Judging by the domain owners of CC servers (China) and their location (Hong Kong), I would say it is likely it be cybercrimeware originating in erm,...Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & technology Co. Ltd.in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing common there too :) I want to thank [jsunpack.jeek.org and](http://jsunpack.jeek.org/) [malc0de.com for the sample.](http://malc0de.com/) ## Exploit information and analysis links **[Windows Remote Desktop worm "Morto" spreading (F-Secure )](http://www.f-secure.com/weblog/archives/00002227.html)** Expert analysis has been done already and I won't repeat it. I ran the sample posted and it does what the links below describe **[Worm:Win32/Morto.A Analysis by Matt McCormack (Microsoft)](http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Morto.A)** **Excerpt from Microsoft:** The malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload. When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll. If updated by the malware, backups are created as clb.dll.bak.The executable component also writes encrypted code to the registry key _HKLM\SYSTEM\WPA\md and exits._ The name clb.dll is chosen because it is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This dll has encrypted configuration information appended to it in order to download and execute new components. The following additional files are also created: _%windows%\temp\ntshrui.dll_ _\sens32.dll_ _c:\windows\offline web pages\cache.txt_ **[Technet forum discussions](http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/31cf740c-818c-4863-8df9-0d9a1d6de6fc)** **Some screenshots** **contents of cache.txt in offline web pages folder** ----- They may be replaced later on with malicious components which are downloaded to: _c:\windows\offline web pages\cache.txt_ ## General File Information **MD5: 2eef4d8b88161baf2525abfb6c1bac2b** **File Type: EXE** **Infection Vector: RDP** ## Download ----- Download 2eef4d8b88161baf2525abfb6c1bac2b and the created files as a password protected archive (contact me if you need the password) **(with many thanks to** **[jsunpack.jeek.org and](http://jsunpack.jeek.org/)** **[malc0de.com)](http://malc0de.com/)** ## Automated Scans **2eef4d8b88161baf2525abfb6c1bac2b.exe** Result:19 /44 (43.2%) http://www.virustotal.com/file-scan/report.html? [id=3d84a7395b23bc363a52a2028cea6cedb8ea4011ebc63865581c35aaa0da5da8-](http://www.virustotal.com/file-scan/report.html?id=3d84a7395b23bc363a52a2028cea6cedb8ea4011ebc63865581c35aaa0da5da8-1314609731) 1314609731 AhnLab-V3 2011.08.28.00 2011.08.29 Win-Trojan/Npkon.49969 AntiVir 7.11.14.3 2011.08.29 TR/Agent.49969.1 Avast 4.8.1351.0 2011.08.29 Win32:Malware-gen Avast5 5.0.677.0 2011.08.29 Win32:Malware-gen AVG 10.0.0.1190 2011.08.29 Agent3.ACOR ByteHero 1.0.0.1 2011.08.22 Trojan.Win32.Heur.Gen Comodo 9914 2011.08.29 TrojWare.Win32.Trojan.Agent.Gen DrWeb 5.0.2.03300 2011.08.29 BackDoor.Tsclient.1 Emsisoft 5.1.0.10 2011.08.29 Trojan.Agent3!IK GData 22 2011.08.29 Win32:Malware-gen Ikarus T3.1.1.107.0 2011.08.29 Trojan.Agent3 Jiangmin 13.0.900 2011.08.28 Backdoor/DsBot.dov Microsoft 1.7604 2011.08.29 Worm:Win32/Morto.gen!A NOD32 6418 2011.08.29 a variant of Win32/Agent.SYL Panda 10.0.3.5 2011.08.28 Trj/MereDrop.B Sophos 4.68.0 2011.08.29 Mal/Generic-L TheHacker 6.7.0.1.286 2011.08.29 Trojan/Agent.syl ViRobot 2011.8.29.4644 2011.08.29 Backdoor.Win32.DsBot.53076 VirusBuster 14.0.189.0 2011.08.28 Trojan.Agent!MYoVp4jcZjs MD5 : 2eef4d8b88161baf2525abfb6c1bac2b **Created file** clb.dll Submission date:2011-08-28 22:58:34 (UTC) Result:16 /44 (36.4%) http://www.virustotal.com/file-scan/report.html? ----- id=c74b91699e916596884b3833d21825039cf1d200a244fc429341d7723ab1a5f61314572314 AhnLab-V3 2011.08.27.01 2011.08.28 Win-Trojan/Agent21.Gen AntiVir 7.11.14.2 2011.08.28 TR/Agent.6672.5 Avast 4.8.1351.0 2011.08.28 Win32:Malware-gen Avast5 5.0.677.0 2011.08.28 Win32:Malware-gen AVG 10.0.0.1190 2011.08.29 Agent3.AENL DrWeb 5.0.2.03300 2011.08.29 BackDoor.Tsclient.1 Emsisoft 5.1.0.10 2011.08.28 Trojan.Agent3!IK Fortinet 4.2.257.0 2011.08.28 W32/SvcLoad.AJE!tr GData 22 2011.08.29 Win32:Malware-gen Ikarus T3.1.1.107.0 2011.08.28 Trojan.Agent3 Microsoft 1.7604 2011.08.28 Worm:Win32/Morto.gen!A NOD32 6418 2011.08.29 Win32/Agent.SYL Panda 10.0.3.5 2011.08.28 Suspicious file Sophos 4.68.0 2011.08.28 Troj/SvcLoad-A TheHacker 6.7.0.1.286 2011.08.29 Trojan/Agent.syl VIPRE 10300 2011.08.29 Trojan.Win32.Generic!BT MD5 : eb19e7a8cd7dee563a2b7477a7b9037f ## Traffic As you already noted, it is a worm capable of spreading through local area network. Please remember this when running it on a VM attached to any LAN. Take appropriate measures to prevent it from spreading. From what I see, it performs DNS queries using servers that are not in the victim's TCP/IP configuration ----- According to Microsoft (and the samples they analysed ), morto **Contacts remote host** _Worm:Win32/Morto.A connects to the following hosts in order to download additional_ information and update its components: _210.3.38.82_ _74.125.71.104_ _jifr.info_ _jifr.co.cc_ _jifr.co.be_ _qfsl.net_ _qfsl.co.cc_ _qfsl.co.be_ Newly downloaded components are downloaded to a filename that uses the following format: _~MTMP ;4 digits 0-f ;.exe_ **Performs Denial of Service attacks** Morto may be ordered to perform Denial of Service attacks against attacker-specified targets. I have a few additional similar domains The list of recorded domains and IPs (see additional/slightly different list in the Microsoft ----- analysis) **111.68.13.250 =** **[qfsl.net ASIA PACIFIC SERVER COMPANY, Hong Kong -- orders to](http://www.robtex.com/dns/qfsl.net.html)** perform DDoS test **210.3.38.82 Hutchison Global Communications, Hong Kong - Location from where** 160.rar gets downloaded **hx-in-f104.1e100.net =Google.com 74.125.71.104/74.125.115.106 - DoS test is on** Google.com (Google won't "feel" it, it is not really "an attack on Google") Domains **fb1.jifr.net** **fb2.jifr.net** **db1.jifr.net** **db2.jifr.net** **dostest1.qfsl.net** **and etc. as listed on the screenshot below** DNS used (no changes made in TCP/IP settings) victim's preferred DNS **212.76.127.133 Internet Rimon LTD, Israel** **64.68.200.200 easyDNS Technologies, Inc. Toronto** **156.154.71.1 NeuStar, Inc., VA - USA** **8.8.8.8 Google DNS** **209.166.160.36 CONTINENTAL BROADBAND PENNSYLVANIA, INC.** **210.220.163.82 SK Broadband Co Ltd, Korea** **4.2.2.2 Level 3 Communications, Inc** **202.238.96.2 So-net service, Japan** **203.172.246.41 Ministry of Education Network Operation Center, Thailand** **205.171.3.65 Qwest Communications Company, LLC** **210.196.3.183 DION (KDDI CORPORATION)** **163.180.96.54 Kyung Hee University** **202.207.184.3 North China Institute Of Technology** **168.210.2.2 Dimension Data, South Africa** and perhaps others - see the screenshot ----- ======================================= **210.3.38.82 -** **[http://malc0de.com/database/index.php?search=210.3.38.82&IP=on](http://malc0de.com/database/index.php?search=210.3.38.82&IP=on)** Host reachable, 284 ms. average 210.3.0.0 - 210.3.127.255 Hutchison Global Communications Hong Kong ITMM HGC hgcnetwork@hgc.com.hk 9/F Low Block, Hutchison Telecom Tower, 99 Cheung Fai Rd, Tsing Yi, HONG KONG phone: +852-21229555 fax: +852-21239523 ----- **Downloading 160.rar (MD5: 4E69179BB79DE93584E87C4763F6C664 ) = same file that** **Microsoft describes as** Newly downloaded components are downloaded to a filename that uses the following format: _~MTMP 4 digits 0-f.exe_ In my case, these were created and deleted from C\WINDOWS\Temp **Size: 54496** **MD5: 4E69179BB79DE93584E87C4763F6C664** ~MTMP3C32.exe ~MTMP4F62.exe ~MTMP6006.exe ~MTMP9B40.exe ~MTMPA327.exe However, they do not seem to have valid PE headers http://www.virustotal.com/file-scan/report.html? id=f9a12ac987d7737024df78471169d56c1225f31254d3914af8e16a3bbf32daaf-1314580097 [EDIT] See the comments after the post. The file is actually a DLL Size: 54484 MD5: EBB3A5964DA485C0B9E67164B047A7A5 ----- Machine 014Ch i386® Number of Sections 0004h Time Date Stamp 4E536606h 23/08/2011 08:34:14 Pointer to Symbol Table 00000000h Number of Symbols 00000000h Size of Optional Header 00E0h Characteristics 210Eh The file is executable (no unresolved external references) Line numbers are stripped from the file Local symbols are stripped from the file Computer supports 32-bit words The file is a dynamic link library (DLL) Magic 010Bh PE32 Linker Version 0006h 6.0 Size of Code 00001000h Size of Initialized Data 00000A00h Size of Uninitialized Data 00000000h Address of Entry Point 10001D6Ah Base of Code 00001000h Base of Data 00002000h Image Base 10000000h Section Alignment 00001000h File Alignment 00000200h Operating System Version 00000004h 4.0 Image Version 00000000h 0.0 Subsystem Version 00000004h 4.0 Win32 Version Value 00000000h Reserved Size of Image 00005000h 20480 bytes Size of Headers 00000400h Checksum 00000000h Real Image Checksum: 0001B115h Subsystem 0002h Win32 GUI Dll Characteristics 0000h Size of Stack Reserve 00100000h Size of Stack Commit 00001000h Size of Heap Reserve 00100000h Size of Heap Commit 00001000h Loader Flags 00000000h Obsolete Number of Data Directories 00000010h http://www.virustotal.com/file-scan/report.html? [id=2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8-](http://www.virustotal.com/file-scan/report.html?id=2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8-1314701651) 1314701651 ----- ======================================= **hx-in-f104.1e100.net - Google.com 74.125.71.104 or vx-in-f106.1e100.net 74.125.115.106** in another test Traffic to Google (DoS test). The response is Error 400 - invalid request. _That...s an error. Your client has issued a malformed or illegal request. That...s all we know._ ----- ======================================= **qfsl.net** Administrative Contact: DOMAIN WHOIS PROTECTION SERVICE WHOIS AGENT domian@whoisprotectionservices.net +86 02586880037 fax: +86 02586880037 ----- 10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District Nanjing Jiangsu 210012 CN ----- **Registrar History** Date Registrar 2003-01-28 [INWW.com](http://www.melbourneit.com/) 2005-11-23 [DirectNic.com](http://www.directnic.com/) 2006-03-22 Bizcn.com 2008-06-14 eNom GMP Services 2010-05-03 Jiangsu Bangning Science & technology Co. Ltd. ## IP Address History Event Date Action Pre-Action IP Post-Action IP 2005-02-12 Not Resolvable [213.161.76.87](http://whois.domaintools.com/213.161.76.87) -none 2006-03-24 New -none- [61.152.93.70](http://whois.domaintools.com/61.152.93.70) 2006-06-24 Not Resolvable [61.152.93.70](http://whois.domaintools.com/61.152.93.70) -none 2006-10-21 New -none- [61.152.93.70](http://whois.domaintools.com/61.152.93.70) 2007-02-24 Change [61.152.93.70](http://whois.domaintools.com/61.152.93.70) [210.95.31.4](http://whois.domaintools.com/210.95.31.4) 2008-03-30 Not Resolvable [210.95.31.4](http://whois.domaintools.com/210.95.31.4) -none 2008-03-31 New -none- [209.62.72.197](http://whois.domaintools.com/209.62.72.197) 2008-04-13 Change [209.62.72.197](http://whois.domaintools.com/209.62.72.197) [124.42.34.171](http://whois.domaintools.com/124.42.34.171) 2008-05-04 Not Resolvable [124.42.34.171](http://whois.domaintools.com/124.42.34.171) -none 2008-06-13 New -none- [69.64.155.79](http://whois.domaintools.com/69.64.155.79) 2008-06-15 Change [69.64.155.79](http://whois.domaintools.com/69.64.155.79) [69.64.155.136](http://whois.domaintools.com/69.64.155.136) 2008-06-22 Change [69.64.155.136](http://whois.domaintools.com/69.64.155.136) [69.64.155.132](http://whois.domaintools.com/69.64.155.132) 2008-11-16 Change [69.64.155.132](http://whois.domaintools.com/69.64.155.132) [69.64.147.18](http://whois.domaintools.com/69.64.147.18) 2009-03-09 Change [69.64.147.18](http://whois.domaintools.com/69.64.147.18) [69.64.147.212](http://whois.domaintools.com/69.64.147.212) 2009-03-30 Change [69.64.147.212](http://whois.domaintools.com/69.64.147.212) [69.64.147.213](http://whois.domaintools.com/69.64.147.213) 2009-04-06 Change [69.64.147.213](http://whois.domaintools.com/69.64.147.213) [69.64.147.212](http://whois.domaintools.com/69.64.147.212) ----- 2009-04-20 Change [69.64.147.212](http://whois.domaintools.com/69.64.147.212) [69.64.147.213](http://whois.domaintools.com/69.64.147.213) 2009-04-27 Change [69.64.147.213](http://whois.domaintools.com/69.64.147.213) [69.64.147.212](http://whois.domaintools.com/69.64.147.212) 2009-07-27 Not Resolvable [69.64.147.212](http://whois.domaintools.com/69.64.147.212) -none 2010-05-04 New -none- [210.51.7.236](http://whois.domaintools.com/210.51.7.236) 2010-05-23 Change [210.51.7.236](http://whois.domaintools.com/210.51.7.236) [59.188.19.76](http://whois.domaintools.com/59.188.19.76) 2010-10-15 Change [59.188.19.76](http://whois.domaintools.com/59.188.19.76) [58.14.38.169](http://whois.domaintools.com/58.14.38.169) 2010-11-17 Change [58.14.38.169](http://whois.domaintools.com/58.14.38.169) [113.128.1.80](http://whois.domaintools.com/113.128.1.80) 2011-04-10 New -none- [113.128.1.80](http://whois.domaintools.com/113.128.1.80) 2011-05-03 Change [113.128.1.80](http://whois.domaintools.com/113.128.1.80) [113.128.223.131](http://whois.domaintools.com/113.128.223.131) 2011-07-03 Change [113.128.223.131](http://whois.domaintools.com/113.128.223.131) [0.0.0.0](http://whois.domaintools.com/0.0.0.0) 2011-08-10 Not Resolvable [0.0.0.0](http://whois.domaintools.com/0.0.0.0) -none **jifr.net** Registrant Contact: jian fan ren fan ren jian j@163.com +86.01015215412 fax: +86.01012111111 chang an lu 113 hao ma an san an hui 111111 CN **Registrar History** Date Registrar 2011-07-21 Jiangsu Bangning Science & technology Co. Ltd. ## IP Address History We have no record of any IP changes. **111.68.13.250 =** **[qfsl.net ASIA PACIFIC SERVER COMPANY, Hong Kong -- orders to](http://www.robtex.com/dns/qfsl.net.html)** perform DoS test ======================================= **111.68.13.250** ----- 111.68.0.0 - 111.68.15.255 Hollywood Plaza, 610 Nathan Road Hong Kong ASIA PACIFIC SERVER COMPANY - network administrato Hollywood Plaza, 610 Nathan Road, Mong Kong, KLN phone: +85263419611 network@apacserver.com **[Qfsl.net point to](http://www.robtex.com/dns/qfsl.net.html)** [111.68.13.250.](http://www.robtex.com/ip/111.68.13.250.html) Registrant Contact: DOMAIN WHOIS PROTECTION SERVICE WHOIS AGENT domian@whoisprotectionservices.net +86.02586880037 fax: +86.02586880037 10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District Nanjing Jiangsu 210012 CN Created files C:\WINDOWS\Offline Web Pages\1.40_TestDdos - see this in the screenshot below - 6th line from the top C:\WINDOWS\Offline Web Pages\1.60_0823 C:\WINDOWS\Offline Web Pages\2011-08-29 0234 C:\WINDOWS\Offline Web Pages\cache.txt TCP traffic from [111.68.13.250.](http://www.robtex.com/ip/111.68.13.250.html) ----- -----