We’ve recently seen a new strain of Morto that serves as a timely reminder to users of the importance of using strong passwords. In the past we’ve seen Win32/Morto compromising Remote Desktop connections by exploiting weak administrator passwords. This new strain of Morto (detected as Virus:Win32/Morto.A) makes the same attempt, but has added file infection to its arsenal.

Morto attempts to infect files in the default RDP file share ‘\\tsclient’ by enumerating all the possible drives it can connect to (for example, \\tsclient\<a-z>\*.*).

In addition to this, Morto uses the same routine to target all shared drives on the network (for example, \\<ip_address>\<a-z>$\*.*).

Morto infects .EXE files found on fixed and removable drives as well as on default RDP and Administrative shares, but avoids infecting files that contain strings like 'windows', 'winnt', 'qq', 'Outlook', 'System Volume Information' or 'RECYCLER' in their path. Morto also leaves an infection marker, 'PPIF', in infected files.
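The path exclusions and the 'PPIF' marker described above can drive a quick triage sweep of a share or drive; the following is an added example, not MMPC code. It assumes case-insensitive substring matching on paths and that the marker appears as raw ASCII bytes at an unknown offset, so a hit is a lead for a full antimalware scan rather than a verdict.

```python
import os

# From the write-up: path substrings Morto skips, and its infection marker.
SKIPPED_PATH_STRINGS = ("windows", "winnt", "qq", "outlook",
                        "system volume information", "recycler")
MARKER = b"PPIF"
CHUNK = 1 << 20  # read 1 MiB at a time


def in_infection_scope(path):
    """True for .exe files whose path has none of the skipped strings.
    Assumption: matching is case-insensitive."""
    lowered = path.lower()
    if not lowered.endswith(".exe"):
        return False
    return not any(s in lowered for s in SKIPPED_PATH_STRINGS)


def contains_marker(path, chunk=CHUNK):
    """Stream the file, keeping a short tail so a marker split across
    two reads is still found. Assumption: marker offset is unknown."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            if MARKER in tail + block:
                return True
            tail = (tail + block)[-(len(MARKER) - 1):]


def triage(root):
    """Return in-scope executables under root that contain the marker."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if not in_infection_scope(full):
                continue
            try:
                if contains_marker(full):
                    hits.append(full)
            except OSError:
                pass  # unreadable file: skip it, do not abort the sweep
    return sorted(hits)
```

Because 'PPIF' is only four bytes, clean binaries can contain it by chance; treat the returned list as files to scan first.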

Like earlier memory-resident viruses, Morto's payload and infection routine are executed in the context of other processes (svchost.exe and/or lsass.exe – the target of process injection). To avoid multiple injections in the same process (or running multiple copies of the virus), a mutex called "Global\_PPIftSvc" is created.

Morto stores its payload in the registry; it also has the ability to download additional or updated instructions from a remote host. It downloads and decrypts a file, and stores the resulting routine in the registry, executing it later on.

To help prevent infection, and consequent re-infection, we recommend making sure that your organization uses strong passwords for administrator and user accounts, and verifying that you do not use passwords like those being used by the malware in order to spread.
 
Edgardo Diaz Jr
MMPC