RDP Worm Morto.A

August 31, 2011

SonicWALL UTM Research team received reports of a new internet worm propagating in the wild. This worm targets Remote Desktop Protocol (RDP) and has the capability to download additional malicious components, terminate Antivirus related security processes and services, perform Denial-of-Service attack (DDOS) and can be remotely controlled from a malicious server.

Process of Infection:

This worm targets machines via Remote Desktop Protocol (RDP) by compromising weak administrator passwords. Once a system is infected, it will scan the local network for RDP connections through port 3389. It uses a set of usernames and passwords to gain access to these RDP machines and infects them.


This worm has three components: Main executable, DLL loader, and the payload.

Main Executable

The main executable drops the DLL loader ntshrui.dll on %windir%/temp directory and copies it as clb.dll on %windir% directory.

It adds the following registry entries as part of its installation:


It then deletes the following registry to remove its tracks:

  • HKCU "SoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU"

The DLL loader clb.dll located at %windir% directory is loaded once the malware spawns the process Registry Editor (regedit.exe).

There is a legitimate DLL file clb.dll located in %windir%/system32 directory that regedit.exe actually uses. But because of the design of how windows loads files, wherein it will look for them at %windir% directory first before looking at %windir%/system32, the malware component clb.dll will in effect be loaded instead of the legitimate one.

DLL Loader

After getting loaded by the process regedit, it will decrypt the payload DLL and loads it to memory. It will also perform the following activities:

    Added Registry:

    Key: HKLMSYSTEMCurrentControlSetControlWindows
    Value: "NoPopUpsOnBoot"
    Data: "1"

    Key: HKLMSYSTEMCurrentControlSetServices6to4Parameters
    Value: "ServiceDll"
    Data: "%windir%temp ntshrui.dll"

    Modified Registry:

    Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSENSParameters
    Value: ServiceDll
    Data Before: %SystemRoot%system32sens.dll Data After: %SystemRoot%system32sens32.dll

    Added Files:

    %windir%offline web pages{Current Date}
    %windir%offline web pages1.40_testDdos
    %windir%offline web pagescache.txt - blocked as [ GAV: Morto.A_2 (Trojan) ]
    %windir%system32sens32.dll - blocked as [ GAV: Morto.A_2 (Trojan) ]

DLL Payload

The malware attempts to connect to RDP servers on local network through port 3389 using administrator accounts. Some of the accounts are shown below:


It will copy the following files on the RDP workstations through \tsclienta.

  • \tsclientaa.dll - blocked as [ GAV: Morto.A_2 (Trojan) ]
  • \tsclientar.reg

Contents of the file r.reg is shown below which ensures rundll32.exe will run the malware with administrator privileges and without prompting for user for permission for any system changes:


    [HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCuurrentVersionAppCompatFlagsLayers]



Once files have been copied to RDP workstations, the malware will run those with the following commands:

  • "regedit /s \tsclientar.reg"
  • "rundll32 \tsclientaa.dll a"

It also terminates the following services related to AV security softwares:

  • 360rp
  • a2service
  • ArcaConfSV
  • AvastSvc
  • avguard
  • avgwdsvc
  • avp
  • avpmapp
  • ccSvcHst
  • cmdagent
  • coreService
  • FortiScand
  • FPAVServer
  • freshclam
  • fsdfwd
  • GDFwSvc
  • K7RTScan
  • knsdave
  • KVSrvXP
  • kxescore
  • mcshield
  • MPSvc
  • MsMpEng
  • PavFnSvr
  • RavMonD
  • SavService
  • scanwscs
  • Shell
  • SpySweeper
  • Vba32Ldr
  • vsserv
  • zhudongfangyu

Network Activities:

The malware tries to contact the following URLs:

  • qf{REMOVED}.net
  • ms.ji{REMOVED}nfo
  • ms.ji{REMOVED}o.cc
  • ms.ji{REMOVED}o.be

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Morto.A (Worm)
GAV: Morto.A_2 (Trojan)