WORM_MORTO.SM

By LoneStar in Worms | 16 views

WORM_MORTO.SM Description

WORM_MORTO.SM is a dangerous worm that spreads using the Remote Desktop Protocol (RDP) as well as traditional worm techniques. Several variants of what was originally detected as WORM_MORTO.SM exist (it is also detected as WORM_MORTO.SMA). Most WORM_MORTO.SM infections are concentrated in the Asia-Pacific region and the Middle East. WORM_MORTO.SM poses a severe security risk: it can be used to steal vital private information or to install other malware on the victim’s computer.

This worm drops its files in the Windows folder. Its main component is a malicious DLL file named clb.dll, which loads WORM_MORTO.SM whenever it is executed. WORM_MORTO.SM installs itself so that whenever the Registry Editor is run, this malicious DLL is loaded first, giving the malware priority. WORM_MORTO.SM’s payload is kept in an encrypted file that is decrypted whenever the malicious DLL executes on the infected computer.

WORM_MORTO.SM’s Payload

Once this file is decrypted, it carries out the malware’s main attack: it searches for Remote Desktop servers from the infected computer and tries a list of passwords against them in order to gain access. If a machine is protected by a weak password, WORM_MORTO.SM logs in and copies itself onto it. Because the Remote Desktop Protocol provides remote access to a computer, WORM_MORTO.SM hands criminals control of the infected computer from afar, often without having to install a backdoor or a Remote Access Trojan on it. On a computer holding particularly sensitive information, or on a server, this can be devastating.
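The password guessing described above leaves a characteristic trail in the Windows Security log: a burst of failed logons from one source, often against several account names, sometimes followed by a success. The script below is an added example written for this page (not code from its author or from any product it names) that flags that pattern. The event records are constructed inline to imitate Security log entries; in real logs event 4625 is a failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive) marks RDP sessions. The tuple layout and the threshold are choices of this example, not of the page.

```python
"""Flag RDP password guessing of the kind WORM_MORTO.SM performs.

Added example; not the page's own code.  Input records imitate Windows
Security events: 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive (RDP).  The record layout is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    # A Morto-style burst: one source, many guesses, then a success
    ("2012-10-22T09:00:01", 4625, 10, "10.0.0.7", "administrator"),
    ("2012-10-22T09:00:02", 4625, 10, "10.0.0.7", "admin"),
    ("2012-10-22T09:00:03", 4625, 10, "10.0.0.7", "user"),
    ("2012-10-22T09:00:04", 4625, 10, "10.0.0.7", "test"),
    ("2012-10-22T09:00:05", 4625, 10, "10.0.0.7", "guest"),
    ("2012-10-22T09:00:06", 4625, 10, "10.0.0.7", "administrator"),
    ("2012-10-22T09:00:10", 4624, 10, "10.0.0.7", "administrator"),
    # Same source over the network (LogonType 3): not RDP, ignored here
    ("2012-10-22T09:00:11", 4625, 3, "10.0.0.7", "administrator"),
    # A user mistyping a password twice and then logging in: benign
    ("2012-10-22T09:05:00", 4625, 10, "10.0.0.20", "bob"),
    ("2012-10-22T09:05:20", 4625, 10, "10.0.0.20", "bob"),
    ("2012-10-22T09:05:35", 4624, 10, "10.0.0.20", "bob"),
]

RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside any span of length `window`.  The
    finding records the size of the densest burst, the accounts tried in it,
    and whether a successful RDP logon from the same source followed within
    `window` (the sign that a weak password was guessed)."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, ip, account in events:
        if logon_type == RDP_LOGON_TYPE:
            by_ip[ip].append((_parse(ts), event_id, account))

    findings = {}
    for ip, records in by_ip.items():
        records.sort()
        failures = [(ts, acct) for ts, eid, acct in records if eid == FAILED]
        # Sliding window over the sorted failures: find the densest burst.
        best, start = None, 0
        for end, (ts, _) in enumerate(failures):
            while ts - failures[start][0] > window:
                start += 1
            if best is None or end - start > best[1] - best[0]:
                best = (start, end)
        if best is None or best[1] - best[0] + 1 < threshold:
            continue
        burst = failures[best[0]:best[1] + 1]
        burst_end = burst[-1][0]
        success_after = any(
            eid == SUCCESS and burst_end <= ts <= burst_end + window
            for ts, eid, _ in records
        )
        findings[ip] = {
            "failed_attempts": len(burst),
            "distinct_accounts": sorted({acct for _, acct in burst}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_guessing(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The threshold and window need tuning per environment: an RDP service reachable from the Internet sees constant background guessing, so the `success_after_burst` flag is the signal worth paging on, while the failure count alone is better used for blocking the source.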

The main way to protect your computer and your network from WORM_MORTO.SM is to use strong passwords: preferably long ones containing a mix of letters, numbers and other characters, and not found on lists of common passwords (such as qwerty12345 or ‘password’). It is also wise to use a secure, encrypted VPN if you plan to use the Remote Desktop Protocol on your computer.

Type: Worms

How Can You Detect WORM_MORTO.SM?

WORM_MORTO.SM Removal Details

WORM_MORTO.SM typically has the following component loaded in memory:

  • %System%\Sens32.dll

WORM_MORTO.SM creates the following files on the system:

  • %Windows%\clb.dll.bak
  • %Windows%\clb.dl
  • %Windows%\Offline Web Pages\cache.txt

WORM_MORTO.SM creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\WPA it = “{hex values}”
  • HKEY_LOCAL_MACHINE\SYSTEM\WPA sr = “Sens”
  • HKEY_LOCAL_MACHINE\SYSTEM\WPA id = “1293D1C15VAVUJTN”
  • HKEY_LOCAL_MACHINE\SYSTEM\WPA ie = “%current folder%\{malware name}.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\WPA md = “{garbage code}”
  • HKEY_LOCAL_MACHINE\SYSTEM\WPA sn = “6to4”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] EnableLUA=0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] ConsentPromptBehaviorAdmin=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows NoPopUpsOnBoot = “1”
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers], with each of the following values set to RUNASADMIN:
      c:\windows\system32\rundll32.exe
      c:\windows\SysWOW64\rundll32.exe
      c:\winnt\system32\rundll32.exe
      c:\windows7\system32\rundll32.exe
      c:\win7\system32\rundll32.exe
      c:\win2k8\system32\rundll32.exe
      c:\win2008\system32\rundll32.exe
      d:\windows\system32\rundll32.exe
      d:\windows\SysWOW64\rundll32.exe
      e:\windows\system32\rundll32.exe
      e:\windows\SysWOW64\rundll32.exe
      f:\windows\system32\rundll32.exe
      f:\windows\SysWOW64\rundll32.exe
      g:\windows\system32\rundll32.exe
      g:\windows\SysWOW64\rundll32.exe
      h:\windows\system32\rundll32.exe
      h:\windows\SysWOW64\rundll32.exe
      i:\windows\system32\rundll32.exe
      i:\windows\SysWOW64\rundll32.exe
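The indicators listed in this section can be checked mechanically against a Registry Editor export and a file listing taken from a suspect machine. The script below is an added example written for this page, not code from its author or from any product it names. It parses the .reg export format (in which backslashes inside quoted value names and strings are escaped as a doubled backslash and DWORDs appear as `dword:` hex), then looks for the WPA configuration values, the two UAC policy values set to 0, rundll32.exe forced to RUNASADMIN through an AppCompat layer, NoPopUpsOnBoot, and the dropped files. The registry export, the file paths and the `C:\Users\demo` profile are constructed sample input, not data from the page.

```python
"""Check a .reg export and a file listing for the WORM_MORTO.SM indicators.

Added example; not the page's own code.  SAMPLE_REG and SAMPLE_FILES are
constructed inputs.  Registry key and value names come from the indicator
list on the page; the sample user profile path is an assumption.
"""
import re

WPA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\WPA"
WPA_VALUES = {"it", "sr", "id", "ie", "md", "sn"}
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LAYERS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows"
# Path tails of the dropped files (lower-cased for comparison).  The page says
# the malicious clb.dll lives in the Windows folder, not in System32.
DROPPED_FILES = (r"\windows\clb.dll", r"\clb.dll.bak",
                 r"\offline web pages\cache.txt", r"\system32\sens32.dll")

# Constructed .reg export resembling an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA]
"sr"="Sens"
"sn"="6to4"
"ie"="C:\\Users\\demo\\Downloads\\setup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"NoPopUpsOnBoot"=dword:00000001
'''

# Constructed file listing: three dropped files plus one legitimate DLL.
SAMPLE_FILES = [
    r"C:\Windows\clb.dll.bak",
    r"C:\Windows\Offline Web Pages\cache.txt",
    r"C:\Windows\System32\Sens32.dll",
    r"C:\Windows\System32\kernel32.dll",
]

# "name"=value lines; the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text.
    Strings become str, dword values become int, other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            value = _unescape(rhs[1:-1])
        else:
            value = rhs
        keys[current][name] = value
    return keys


def check_registry(keys):
    """Return a list of human-readable findings for the registry indicators."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}  # registry keys are case-insensitive
    wpa = lower.get(WPA_KEY.lower(), {})
    hits = sorted(n for n in wpa if n.lower() in WPA_VALUES)
    if hits:
        findings.append("WPA key carries worm configuration values: " + ", ".join(hits))
    uac = lower.get(UAC_KEY.lower(), {})
    for name in ("EnableLUA", "ConsentPromptBehaviorAdmin"):
        if uac.get(name) == 0:
            findings.append(f"UAC weakened: {name}=0")
    for name, value in lower.get(LAYERS_KEY.lower(), {}).items():
        if name.lower().endswith("rundll32.exe") and str(value).upper() == "RUNASADMIN":
            findings.append(f"rundll32.exe forced elevated via AppCompat layer: {name}")
    if lower.get(WINDOWS_KEY.lower(), {}).get("NoPopUpsOnBoot") == 1:
        findings.append("NoPopUpsOnBoot=1 (suppresses pop-up messages during boot)")
    return findings


def check_files(paths):
    """Return findings for any path ending in one of the dropped-file tails."""
    return [f"dropped file present: {p}" for p in paths
            if any(p.lower().endswith(tail) for tail in DROPPED_FILES)]


def scan(reg_text, paths):
    return check_registry(parse_reg(reg_text)) + check_files(paths)


if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

The UAC values are the weakest signal here: administrators do set EnableLUA=0 on purpose, so treat them as corroboration for the WPA values and the rundll32.exe layer entries rather than as a detection on their own.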


This entry was last updated on 10/22/12 and posted on 10/22/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.