W32.Morto
W32.Morto spreads by using the Remote Desktop Protocol (RDP). As part of its payload, the worm embeds several pieces of encrypted code in the system registry. It also replaces various DLLs with its own code. The worm may also download malicious executable files from a remote location; these function as a backdoor that gives an attacker unauthorized remote access.

Remote Desktop Connection is a built-in Windows tool that lets a remote user access the machine as if they were sitting in front of the host desktop. If this tool is used maliciously, a remote attacker gains the same level of control over the computer. W32.Morto attempts to gain access by exploiting Administrator accounts with insecure passwords, most probably default user names and passwords. If it gains access with the Administrator account, the computer is compromised to the fullest.
Alias: Win32/Morto.A, W32/Morto.A, Mal/Morto-A, WORM_MORTO.SMA, WORM_MORTO.SM
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
After executing, the worm drops copies of its code in several locations under the Windows Offline Web Pages folder. It also creates a number of Windows registry subkeys and entries. The worm then attempts to contact a remote server to download an additional executable file that is believed to be another type of Trojan.
W32.Morto hides its presence by injecting malicious code into the legitimate Windows svchost.exe process. Additionally, it adds a registry entry containing the body of its encrypted code:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\md
Once the worm is loaded on the target computer, it searches for processes related to antivirus or other security software. When it finds one, it immediately disables the program by ending the running process and deleting the executable file.
To give a remote attacker access to the compromised computer, W32.Morto tries to establish a Remote Desktop Connection using combinations from a user name and password list included in the dropped files.
Distribution
This worm arrives on a system as a file dropped by another malware infection. It may also be acquired without the user's knowledge when visiting malicious web sites or legitimate but infected web pages. Once inside the system, it may drop several copies of its code, but there are no reports of W32.Morto spreading locally through removable drives or the local area network.
Recommendations to avoid W32.Morto:
1. Use a complex password. It is better to use a combination of letters, numbers and special characters. A good password should be not less than 8 characters long.
2. Since W32.Morto uses the "Administrator" account to enter the system, it is advised to deactivate that account and create a new one with administrative privileges.
3. If you are not using TCP port 3389, block it in Windows Firewall.
4. Be sure that the installed antivirus application is up to date. The firewall should be set to "ON" at all times, with only default ports allowed.
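The registry location named under Characteristics and recommendations 2 and 3 above can be checked in one read-only pass. The script below is an added example, not part of the original guide; it assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer, run elevated, and the function names and the fDenyTSConnections check are this example's own additions.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Function names are illustrative and not taken from the original guide.

function Test-MortoRegistryEntry {
    # The guide lists HKEY_LOCAL_MACHINE\SYSTEM\WPA\md. Check it both as a
    # subkey and as a value named 'md' under the WPA key.
    $asKey   = Test-Path -Path 'HKLM:\SYSTEM\WPA\md'
    $wpa     = Get-ItemProperty -Path 'HKLM:\SYSTEM\WPA' -ErrorAction SilentlyContinue
    $asValue = ($null -ne $wpa) -and ($wpa.PSObject.Properties.Name -contains 'md')
    return ($asKey -or $asValue)
}

function Get-BuiltinAdministrator {
    # The built-in Administrator always has RID 500, even when renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means inbound Remote Desktop is allowed
    # (assumption of this example; the guide does not mention this value).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
    return (($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0))
}

function Get-Inbound3389AllowRule {
    # Enabled inbound allow rules whose port filter names TCP 3389 exactly.
    # Rules that use 'Any' or a port range are not matched by this check.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq 'TCP' -and $f.LocalPort -contains '3389'
        }
}

$admin = Get-BuiltinAdministrator
[pscustomobject]@{
    MortoRegistryEntryPresent = Test-MortoRegistryEntry
    BuiltinAdminName          = $admin.Name
    BuiltinAdminEnabled       = $admin.Enabled
    RdpEnabled                = Test-RdpEnabled
    Inbound3389AllowRules     = @(Get-Inbound3389AllowRule).DisplayName -join '; '
} | Format-List
```

A clean, hardened host reports MortoRegistryEntryPresent and BuiltinAdminEnabled as False, and lists no inbound allow rule for 3389 unless Remote Desktop is actually needed.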
How to Remove W32.Morto
Restore Windows Components
During an infection, W32.Morto drops various files. The worm intentionally hides system files by setting options in the registry. Because of this, the best solution is to return Windows to a previous working state through System Restore. If a previous restore point is saved, you may proceed with Windows System Restore.
Manual Removal Procedure
1. If an anti-virus program is present, update the definition file. Each anti-virus program has its own way to update the database. Please refer to your software manufacturer’s manual.
2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the power of the computer, press F8 on your keyboard.
- When the Boot Options menu is displayed, select Safe Mode.
3. Run a full system scan and clean/delete all infected files related to W32.Morto.
4. Delete or modify any values added by W32.Morto to the registry if present. Please see the reference.
- To edit the registry, click on Start > Run and type regedit.exe in the field.
- Alternatively, you may press Windows Key + R on your keyboard to open the RUN command.
5. Exit registry editor when done. You may now restart the computer.
Removal Tool
A free removal tool from Norton Antivirus was developed to remove viruses and unfamiliar threats without using traditional AV signatures. Download the tool from this location and start scanning the computer for viruses and Trojans.
Alternative Removal Method for W32.Morto
Option 1: Use Windows System Restore to return Windows to a previous state
If W32.Morto enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before W32.Morto infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.
Option 2: W32.Morto manual uninstall guide
IMPORTANT! Manual removal of W32.Morto requires technical skills. Deleting system files and registry entries by mistake may leave the Windows system completely unusable. We advise you to back up the registry before proceeding with this guide.
1. Kill any running process that belongs to W32.Morto.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Morto files (refer to Technical Reference) and click End Process.

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete the registry entries mentioned in the Technical Reference section below.
- Close registry editor. Changes made will be saved automatically.

3. Scan the computer with antivirus program.
- Connect to the Internet and open your antivirus software. Please update it to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before the Windows logo begins to load, press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
4. Delete all files dropped by W32.Morto.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.
Technical Reference
Associated Files and Folders:
File Location for Windows Versions:
- %System%: for all versions of Windows, it is located under C:\Windows\System32
- %Windir%: refers to the installation folder of the operating system.
Added Registry Entries: