# Windows Remote Desktop Worm "Morto" Spreading

f-secure.com/weblog/archives/00002227.html

NEWS FROM THE LAB - Sunday, August 28, 2011

Posted by Mikko @ 13:23 GMT

We don't see that many Internet worms these days. It's mostly just bots and trojans. But we just found a new Internet worm, and it's spreading in the wild.

The worm is called **Morto** and it infects Windows workstations and servers. It uses a new spreading vector that we haven't seen before: RDP.

RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it. When you connect to another computer with this tool, you can remotely use the computer, just like you'd use a local computer.

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic **for port 3389/TCP, which is the RDP port.**

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

- admin
- password
- server
- test
- user
- pass
- letmein
- 1234qwer
- 1q2w3e
- 1qaz2wsx
- aaa
- abc123
- abcd1234
- admin123
- 111
- 123
- 369
- 1111
- 12345
- 111111
- 123123
- 123321
- 123456
- 654321
- 666666
- 888888
- 1234567
- 12345678
- 123456789
- 1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares such as `\\tsclient\c` and `\\tsclient\d` for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including **\windows\system32\sens32.dll** and **\windows\offline web pages\cache.txt**.

Morto can be controlled remotely. This is done via several alternative servers, including **jaifr.com and qfsl.net.**

We've seen several different samples. Some MD5 hashes include:

- 0c5728b3c22276719561049653c71b84
- 14284844b9a5aaa680f6be466d71d95b
- 58fcbc7c8a5fc89f21393eb4c771131d

[More discussion on the topic at Technet forums.](http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/31cf740c-818c-4863-8df9-0d9a1d6de6fc)

We detect Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.

**Updated to add:** here's [a link to our description.](https://www.f-secure.com/v-descs/worm_w32_morto_a.shtml)
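The Administrator password guessing described above leaves a burst of failed RemoteInteractive logons (Windows Security event 4625, logon type 10) on every host Morto probes. As an added defender's example that is not part of the original post, the script below flags sources that produce such bursts; the log format, sample records, addresses and threshold are constructed assumptions, not F-Secure data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security failed-logon events (event ID 4625).
# Logon type 10 is RemoteInteractive, i.e. an RDP session. Columns:
# timestamp, event id, logon type, target account, source address.
SAMPLE_LOG = """\
2011-08-28T13:20:01 4625 10 Administrator 192.168.1.77
2011-08-28T13:20:02 4625 10 Administrator 192.168.1.77
2011-08-28T13:20:02 4625 10 Administrator 192.168.1.77
2011-08-28T13:20:03 4625 10 Administrator 192.168.1.77
2011-08-28T13:20:04 4625 10 Administrator 192.168.1.77
2011-08-28T13:20:05 4625 10 Administrator 192.168.1.77
2011-08-28T13:21:10 4625 10 alice 192.168.1.20
2011-08-28T13:25:00 4625 3 Administrator 192.168.1.30
2011-08-28T13:40:00 4625 10 Administrator 192.168.1.77
"""

def parse_events(text):
    """Parse the constructed log format into (time, id, type, account, source)
    tuples; malformed lines are skipped rather than crashing the scan."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, account, source = parts
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), account, source))
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source: peak_count} for sources with at least `threshold`
    failed RDP logons (event 4625, logon type 10) against Administrator
    inside any `window`; network logon noise and other accounts are ignored."""
    per_source = defaultdict(list)
    for time, event_id, logon_type, account, source in events:
        if event_id == 4625 and logon_type == 10 and account.lower() == "administrator":
            per_source[source].append(time)
    hits = {}
    for source, times in per_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[source] = max(hits.get(source, 0), count)
    return hits
```

On a real host the same check can be fed from the Security event log instead of the constructed sample; a single source hitting Administrator over RDP this often is the traffic pattern the post describes.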