{
	"id": "ad07fb14-e135-499f-94dd-e37297df0e41",
	"created_at": "2026-04-06T00:19:26.706157Z",
	"updated_at": "2026-04-10T03:20:32.072936Z",
	"deleted_at": null,
	"sha1_hash": "de063d40e5fcb4b10d1d89886ec9f41d728e516d",
	"title": "Aug 28 Morto / Tsclient - RDP worm with DDoS features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1067880,
	"plain_text": "Aug 28 Morto / Tsclient - RDP worm with DDoS features\r\nArchived: 2026-04-05 17:30:45 UTC\r\n\r\nAccording to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets.\r\nI can add that it runs what looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.\r\nJudging by the domain owners of the CC servers (China) and their location (Hong Kong), I would say it is likely to be cybercrimeware originating in, erm... Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science \u0026 technology Co. Ltd. in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing they are common there too :)\r\nI want to thank jsunpack.jeek.org and malc0de.com for the sample.\r\nExpert analysis has been done already and I won't repeat it. I ran the sample posted and it does what the links below describe.\r\nExcerpt from Microsoft:\r\nThe malware consists of several components, including an executable dropper component (the installer), and a DLL component which performs the payload.\r\nWhen the dropper is executed, the DLL component is installed to the Windows directory as clb.dll. If updated by the malware, backups are created as clb.dll.bak. The executable component also writes encrypted code to the registry key HKLM\\SYSTEM\\WPA\\md and exits.\r\nhttp://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html\r\nPage 1 of 14\n\nThe name clb.dll is chosen because it is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory).\r\nThis DLL has encrypted configuration information appended to it in order to download and execute new components.\r\nThe following additional files are also created:\r\n%windows%\\temp\\ntshrui.dll\r\n\\sens32.dll\r\nc:\\windows\\offline web pages\\cache.txt\r\nSome screenshots\r\ncontents of cache.txt in the Offline Web Pages folder\r\nThey may be replaced later on with malicious components which are downloaded to:\r\nc:\\windows\\offline web pages\\cache.txt\r\nGeneral File Information\r\nMD5: 2eef4d8b88161baf2525abfb6c1bac2b\r\nFile Type: EXE\r\nInfection Vector: RDP\r\nDownload\r\nAutomated Scans\r\n2eef4d8b88161baf2525abfb6c1bac2b.exe\r\nResult: 19/44 (43.2%)\r\nhttp://www.virustotal.com/file-scan/report.html?id=3d84a7395b23bc363a52a2028cea6cedb8ea4011ebc63865581c35aaa0da5da8-1314609731\r\nAhnLab-V3     2011.08.28.00     2011.08.29     Win-Trojan/Npkon.49969\r\nAntiVir     7.11.14.3     2011.08.29     TR/Agent.49969.1\r\nAvast     4.8.1351.0     2011.08.29     Win32:Malware-gen\r\nAvast5     5.0.677.0     2011.08.29     Win32:Malware-gen\r\nAVG     10.0.0.1190     2011.08.29     Agent3.ACOR\r\nByteHero     1.0.0.1     2011.08.22     Trojan.Win32.Heur.Gen\r\nComodo     9914     2011.08.29     TrojWare.Win32.Trojan.Agent.Gen\r\nDrWeb     5.0.2.03300     2011.08.29     BackDoor.Tsclient.1\r\nEmsisoft     5.1.0.10     2011.08.29     Trojan.Agent3!IK\r\nGData     22     2011.08.29     Win32:Malware-gen\r\nIkarus     T3.1.1.107.0     2011.08.29     Trojan.Agent3\r\nJiangmin     13.0.900     2011.08.28     Backdoor/DsBot.dov\r\nMicrosoft     1.7604     2011.08.29     Worm:Win32/Morto.gen!A\r\nNOD32     6418     2011.08.29     a variant of Win32/Agent.SYL\r\nPanda     10.0.3.5     2011.08.28     Trj/MereDrop.B\r\nSophos     4.68.0     2011.08.29     Mal/Generic-L\r\nTheHacker     6.7.0.1.286     2011.08.29     Trojan/Agent.syl\r\nViRobot     2011.8.29.4644     2011.08.29     Backdoor.Win32.DsBot.53076\r\nVirusBuster     14.0.189.0     2011.08.28     Trojan.Agent!MYoVp4jcZjs\r\nMD5: 2eef4d8b88161baf2525abfb6c1bac2b\r\nCreated file\r\nclb.dll\r\nSubmission date: 2011-08-28 22:58:34 (UTC)\r\nResult: 16/44 (36.4%)\r\nhttp://www.virustotal.com/file-scan/report.html?id=c74b91699e916596884b3833d21825039cf1d200a244fc429341d7723ab1a5f6-1314572314\r\nAhnLab-V3     2011.08.27.01     2011.08.28     Win-Trojan/Agent21.Gen\r\nAntiVir     7.11.14.2     2011.08.28     TR/Agent.6672.5\r\nAvast     4.8.1351.0     2011.08.28     Win32:Malware-gen\r\nAvast5     5.0.677.0     2011.08.28     Win32:Malware-gen\r\nAVG     10.0.0.1190     2011.08.29     Agent3.AENL\r\nDrWeb     5.0.2.03300     2011.08.29     BackDoor.Tsclient.1\r\nEmsisoft     5.1.0.10     2011.08.28     Trojan.Agent3!IK\r\nFortinet     4.2.257.0     2011.08.28     W32/SvcLoad.AJE!tr\r\nGData     22     2011.08.29     Win32:Malware-gen\r\nIkarus     T3.1.1.107.0     2011.08.28     Trojan.Agent3\r\nMicrosoft     1.7604     2011.08.28     Worm:Win32/Morto.gen!A\r\nNOD32     6418     2011.08.29     Win32/Agent.SYL\r\nPanda     10.0.3.5     2011.08.28     Suspicious file\r\nSophos     4.68.0     2011.08.28     Troj/SvcLoad-A\r\nTheHacker     6.7.0.1.286     2011.08.29     Trojan/Agent.syl\r\nVIPRE     10300     2011.08.29     Trojan.Win32.Generic!BT\r\nMD5: eb19e7a8cd7dee563a2b7477a7b9037f\r\nTraffic\r\nAs you already noted, it is a worm capable of spreading through a local area network. Please remember this when running it on a VM attached to any LAN. Take appropriate measures to prevent it from spreading.\r\nFrom what I see, it performs DNS queries using servers that are not in the victim's TCP/IP configuration.\r\nAccording to Microsoft (and the samples they analysed), Morto:\r\nContacts remote hosts\r\nWorm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:\r\n210.3.38.82\r\n74.125.71.104\r\njifr.info\r\njifr.co.cc\r\njifr.co.be\r\nqfsl.net\r\nqfsl.co.cc\r\nqfsl.co.be\r\nNewly downloaded components are downloaded to a filename that uses the following format:\r\n~MTMP<4 digits 0-f>.exe\r\nPerforms Denial of Service attacks\r\nMorto may be ordered to perform Denial of Service attacks against attacker-specified targets.\r\nI have a few additional similar domains.\r\nThe list of recorded domains and IPs (see the additional/slightly different list in the Microsoft analysis):\r\n111.68.13.250 = qfsl.net   ASIA PACIFIC SERVER COMPANY, Hong Kong  -- orders to perform DDoS test\r\n210.3.38.82   Hutchison Global Communications, Hong Kong  -- location from where 160.rar gets downloaded\r\nhx-in-f104.1e100.net = Google.com 74.125.71.104/74.125.115.106  -- DoS test is on Google.com (Google won't \"feel\" it, it is not really \"an attack on Google\")\r\nDomains\r\nfb1.jifr.net\r\nfb2.jifr.net\r\ndb1.jifr.net\r\ndb2.jifr.net\r\ndostest1.qfsl.net\r\netc., as listed on the screenshot below\r\nDNS used (no changes made in TCP/IP settings)\r\nvictim's preferred DNS\r\n212.76.127.133   Internet Rimon LTD, Israel\r\n64.68.200.200    easyDNS Technologies, Inc. Toronto\r\n156.154.71.1     NeuStar, Inc., VA - USA\r\n8.8.8.8          Google DNS\r\n209.166.160.36   CONTINENTAL BROADBAND PENNSYLVANIA, INC.\r\n210.220.163.82   SK Broadband Co Ltd, Korea\r\n4.2.2.2          Level 3 Communications, Inc\r\n202.238.96.2     So-net service, Japan\r\n203.172.246.41   Ministry of Education Network Operation Center, Thailand\r\n205.171.3.65     Qwest Communications Company, LLC\r\n210.196.3.183    DION (KDDI CORPORATION)\r\n163.180.96.54    Kyung Hee University\r\n202.207.184.3    North China Institute Of Technology\r\n168.210.2.2      Dimension Data, South Africa\r\nand perhaps others - see the screenshot\r\n=======================================\r\nHost reachable, 284 ms average\r\n210.3.0.0 - 210.3.127.255\r\nHutchison Global Communications\r\nHong Kong\r\nITMM HGC\r\nhgcnetwork@hgc.com.hk\r\n9/F Low Block,\r\nHutchison Telecom Tower,\r\n99 Cheung Fai Rd, Tsing Yi,\r\nHONG KONG\r\nphone: +852-21229555\r\nfax: +852-21239523\r\nDownloading 160.rar (MD5: 4E69179BB79DE93584E87C4763F6C664) = same file that Microsoft describes as\r\nNewly downloaded components are downloaded to a filename that uses the following format:\r\n~MTMP<4 digits 0-f>.exe\r\nIn my case, these were created and deleted from C:\\WINDOWS\\Temp\r\nSize: 54496\r\nMD5: 4E69179BB79DE93584E87C4763F6C664\r\n~MTMP3C32.exe\r\n~MTMP4F62.exe\r\n~MTMP6006.exe\r\n~MTMP9B40.exe\r\n~MTMPA327.exe\r\nHowever, they do not seem to have valid PE headers\r\nhttp://www.virustotal.com/file-scan/report.html?id=f9a12ac987d7737024df78471169d56c1225f31254d3914af8e16a3bbf32daaf-1314580097\r\n[EDIT] See the comments after the post. The file is actually a DLL\r\nSize: 54484\r\nMD5: EBB3A5964DA485C0B9E67164B047A7A5\r\n\r\n Machine                      014Ch       i386\r\n Number of Sections           0004h\r\n Time Date Stamp              4E536606h   23/08/2011  08:34:14\r\n Pointer to Symbol Table      00000000h\r\n Number of Symbols            00000000h\r\n Size of Optional Header      00E0h\r\n Characteristics              210Eh       The file is executable (no unresolved external references)\r\n                                          Line numbers are stripped from the file\r\n                                          Local symbols are stripped from the file\r\n                                          Computer supports 32-bit words\r\n                                          The file is a dynamic link library (DLL)\r\n Magic                        010Bh       PE32\r\n Linker Version               0006h       6.0\r\n Size of Code                 00001000h\r\n Size of Initialized Data     00000A00h\r\n Size of Uninitialized Data   00000000h\r\n Address of Entry Point       10001D6Ah\r\n Base of Code                 00001000h\r\n Base of Data                 00002000h\r\n Image Base                   10000000h\r\n Section Alignment            00001000h\r\n File Alignment               00000200h\r\n Operating System Version     00000004h   4.0\r\n Image Version                00000000h   0.0\r\n Subsystem Version            00000004h   4.0\r\n Win32 Version Value          00000000h   Reserved\r\n Size of Image                00005000h   20480 bytes\r\n Size of Headers              00000400h\r\n Checksum                     00000000h   Real Image Checksum: 0001B115h\r\n Subsystem                    0002h       Win32 GUI\r\n Dll Characteristics          0000h\r\n Size of Stack Reserve        00100000h\r\n Size of Stack Commit         00001000h\r\n Size of Heap Reserve         00100000h\r\n Size of Heap Commit          00001000h\r\n Loader Flags                 00000000h   Obsolete\r\n Number of Data Directories   00000010h\r\nhttp://www.virustotal.com/file-scan/report.html?id=2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8-1314701651\r\n=======================================\r\nhx-in-f104.1e100.net - Google.com 74.125.71.104 or vx-in-f106.1e100.net 74.125.115.106 in another test\r\nTraffic to Google (DoS test). The response is Error 400 - invalid request.\r\nThat's an error. Your client has issued a malformed or illegal request. That's all we know.\r\n=======================================\r\nqfsl.net\r\nAdministrative Contact:\r\n   DOMAIN WHOIS PROTECTION SERVICE\r\n   WHOIS AGENT domian@whoisprotectionservices.net\r\n   +86.02586880037  fax: +86.02586880037\r\n   10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District\r\n   Nanjing Jiangsu 210012\r\n   CN\r\nRegistrar History\r\nDate Registrar\r\n2003-01-28 INWW.com\r\n2005-11-23 DirectNic.com\r\n2006-03-22 Bizcn.com\r\n2008-06-14 eNom GMP Services\r\n2010-05-03 Jiangsu Bangning Science \u0026 technology Co. Ltd.\r\njifr.net\r\nRegistrant Contact:\r\n   jian fan ren\r\n   fan ren jian j@163.com\r\n   +86.01015215412  fax: +86.01012111111\r\n   chang an lu 113 hao\r\n   ma an san an hui 111111\r\n   CN\r\nRegistrar History\r\nDate Registrar\r\n2011-07-21 Jiangsu Bangning Science \u0026 technology Co. Ltd.\r\nIP Address History\r\nWe have no record of any IP changes.\r\n111.68.13.250 = qfsl.net   ASIA PACIFIC SERVER COMPANY, Hong Kong  -- orders to perform DoS test\r\n=======================================\r\n111.68.13.250\r\n111.68.0.0 - 111.68.15.255\r\nHollywood Plaza, 610 Nathan Road\r\nHong Kong\r\nASIA PACIFIC SERVER COMPANY - network administrato\r\nHollywood Plaza, 610 Nathan Road, Mong Kong, KLN\r\nphone: +85263419611\r\nnetwork@apacserver.com\r\nqfsl.net points to 111.68.13.250.\r\nRegistrant Contact:\r\n   DOMAIN WHOIS PROTECTION SERVICE\r\n   WHOIS AGENT domian@whoisprotectionservices.net\r\n   +86.02586880037  fax: +86.02586880037\r\n   10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District\r\n   Nanjing Jiangsu 210012\r\n   CN\r\nCreated files\r\nC:\\WINDOWS\\Offline Web Pages\\1.40_TestDdos  - see this in the screenshot below - 6th line from the top\r\nC:\\WINDOWS\\Offline Web Pages\\1.60_0823\r\nC:\\WINDOWS\\Offline Web Pages\\2011-08-29 0234\r\nC:\\WINDOWS\\Offline Web Pages\\cache.txt\r\nTCP traffic from 111.68.13.250.\r\nSource: http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html"
	],
	"report_names": [
		"aug-28-morto-tsclient-rdp-worm-with.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de063d40e5fcb4b10d1d89886ec9f41d728e516d.pdf",
		"text": "https://archive.orkl.eu/de063d40e5fcb4b10d1d89886ec9f41d728e516d.txt",
		"img": "https://archive.orkl.eu/de063d40e5fcb4b10d1d89886ec9f41d728e516d.jpg"
	}
}