Friday, September 02, 2011

Trend Micro: Morto worm infections rising

A Windows computer worm that enables remote desktop access is spreading rapidly, a computer security firm said Friday.

Trend Micro said it is “continuously receiving” reports of infections, including in the Asia-Pacific region, involving WORM_MORTO.SMA.

“Once WORM_MORTO.SM gets loaded, it decrypts a file that contains the malware’s payload. It searches for Remote Desktop Servers associated with the affected system, and attempts to log in as an administrator using a predefined set of passwords. Once a successful connection is established, it drops a copy of WORM_MORTO.SM into a temporary directory in the system,” it said in a blog post.

Trend Micro said a cybercriminal can use the worm to access a victim’s entire system remotely; once the worm’s connection succeeds, the attacker has complete access to the system.

“It appears that the aim of this attack is indeed to give the attacker full control of the affected system and of the whole network, since the malware logs in using an administrator account. Anything can be done in the system at this point, including information theft, especially if the malware infiltrates servers,” it said.

According to Trend Micro, the worm drops its component files into the system, including a DLL file into the system’s Windows folder.

The DLL file, clb.dll, is detected as WORM_MORTO.SM; it loads the malware and is placed in the %Windows% folder to exploit the order in which Windows searches for DLLs.

“Windows typically loads the %Windows% folder before %System%, where the legitimate clb.dll is placed. In doing so, the malware’s .DLL file is loaded first whenever regedit.exe is executed,” Trend Micro said.
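A defender-side check for the two behaviours described above (administrator password guessing over Remote Desktop, and a rogue clb.dll placed in %Windows% ahead of the legitimate one in %System%), written as an added Python example and not taken from Trend Micro or the article. It assumes Windows Security log events 4625 (failed logon) and 4624 (successful logon) with logon type 10 for Remote Desktop sessions, and runs over constructed sample records.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, eid, ltype, acct, ip):
    return {"time": ts, "event_id": eid, "logon_type": ltype,
            "account": acct, "source_ip": ip}


# Constructed sample of Windows Security log records (not real telemetry).
# Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    _ev("2011-09-02T10:00:%02d" % s, 4625, 10, "Administrator", "192.0.2.10")
    for s in range(0, 60, 10)          # six guesses in one minute, one account
] + [
    _ev("2011-09-02T10:01:05", 4624, 10, "Administrator", "192.0.2.10"),  # guess succeeds
    _ev("2011-09-02T10:00:30", 4625, 10, "alice", "192.0.2.20"),          # single typo, benign
    _ev("2011-09-02T10:00:40", 4625, 2, "Administrator", "192.0.2.10"),   # console logon, not RDP
]


def detect_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(source_ip, account): peak_failures} for sources that produced
    at least `threshold` failed RDP logons against one account within `window`."""
    recent = defaultdict(deque)   # (source, account) -> timestamps inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        key = (ev["source_ip"], ev["account"])
        now = datetime.fromisoformat(ev["time"])
        q = recent[key]
        q.append(now)
        while q and now - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


# Constructed file listing; the legitimate clb.dll lives under System32.
SAMPLE_PATHS = [r"C:\Windows\System32\clb.dll", r"C:\Windows\clb.dll",
                r"C:\Windows\System32\kernel32.dll"]


def find_preloaded_dll(paths, dll_name="clb.dll", windir=r"C:\Windows"):
    """Flag copies of dll_name sitting directly in %Windows%, where they would
    be found before the genuine copy in %System%."""
    return [p for p in paths
            if ntpath.basename(p).lower() == dll_name
            and ntpath.normcase(ntpath.dirname(p)) == ntpath.normcase(windir)]
```

A successful 4624 from a source already flagged by the first check is the strongest indicator that the guessing worked and the host should be isolated.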

Trend Micro said its software can detect the worm, and block URLs that the malware uses to connect to its servers.

In the meantime, it advised users to use a strong password and enable their firewall.

Also, it advised network administrators to require a secure VPN connection before allowing users to use the Remote Desktop Connection.
