By Andrew Brandt
The past couple of days have been very busy for a lot of people, following the announcement by Microsoft that they had discovered a new network worm called Morto. After reading the refreshingly thorough writeup about Morto from both Microsoft and our partner Sophos, we were surprised to find that a few of our customers had been infected — and cleaned up — beginning with some poor schlub in South Africa as early as July 23rd, but the worm kicked into high gear last Thursday and began to propagate rapidly.
But, as much as the technical details in these posts are useful for researchers and analysts, they don’t really get to the heart of how a user of an infected computer would be affected by the worm. So, after spending a bit of time infecting some of my own machines these past couple days, I wanted to share my hands-on experience with you.
Bottom line, the worm was written to spread to (and infect) the computers run by people who don’t take security seriously: It copies itself to other computers by trying to Remote Desktop into those computers using a list of what can only be described as completely moronic passwords (the full list is on Microsoft’s technical writeup about the worm). The repurcussions are that people (or companies) who use poor quality, easily guessed passwords have been (or are going to get) spanked by Morto, and then they’ll be really irritated at the (reversible but obnoxious) changes the worm makes to the behavior of the infected computer.
The Morto worm (and yes, I do keep calling it Morbo, thanks for asking) has been specially designed to mimic the appearance of a legitimate Windows DLL, also named clb.dll. For that reason, we urge you not to just search for, and delete, any file with the same name. If you do, you’ll either (a) break some key Column List Box Windows functionality or (b) find yourself unable to delete the file, because Windows File Protection will just keep restoring it. In fact, the two files are close in size (the legit file is slightly larger), but the big difference is that the legit DLL resides in the system32 folder, not right in the root of c:\Windows, which is where Mor
bto prefers to hide. The legit DLL also has version information in the Properties, as shown on the left of the screenshot above (click to enlarge).
The worm reportedly is delivered as a drive-by download, but I haven’t seen that in action. Upon infection, the worm grabs a payload named 160.rar — it has a .rar extension but is a 32-bit portable executable with twelve bytes of junk data prepended to the PE header. Presumably a script strips that junk out of the file to make it executable on the target system; We just use ye olde Delete key (that’s a technical term) in a hex editor to accomplish the same thing.
The most immediate behavior that will cause problems is the worm’s tendency to log the current user out of their computer. Repeatedly. The worm’s installer sets several load points in the Registry so it starts with Windows, but after a few minutes, it leaves the computer (and itself) running but the user logged out. Man, that’s irritating. That behavior is closely followed by the repeated attempts to log into nearby computers, and the fact that the worm pulls down a 54496-byte payload every 16 seconds or so. The downloads and multiple RDP login attempts, especially if they’re successful even some of the time, can flood a network with worm traffic as the worm tries (and, hopefully, repeatedly fails) to propagate.
We saw the worm repeatedly look up the domain dostest1.qfsl.net in DNS, which suggests that a denial of service is exactly what this worm’s creator intended. That said, when I looked up the domain WHOIS registration data, it returned some odd results:
These so-called privacy services aren’t new or anything. The funky thing about this is that the domain whoisprotectionservices.net doesn’t seem to exist — it hasn’t ever been registered – so this is a forged WHOIS record made to look like a private WHOIS record. Maybe next time you can spell “domain” right, losers.
According to ICANN rules, that’s enough to merit the site being taken offline. I was also shocked, shocked to discover that the registrar, Jiangsu Bangning Science & Technology Co. Ltd – a registrar where more than half its domains are blacklisted as sources of malware – is not making any effort at all to disable the domain. Did I mention I was shocked, and also surprised?
The dostest1.qfsl.net domain, hosted by a company in Hong Kong, appears to be offline. Yeah, I’m all broken up about it. Unfortunately the worm doesn’t care, and meanwhile, even though the subdomain is offline, the domain is still live.
But even that isn’t as irritating as the changes the worm makes to the Explorer shell and the way you interact with it. For instance, on one of my test machines, the worm changed the default behavior of the left mouse button — you know, the one you click almost everything with. Instead of defaulting to the “open” behavior when you double-click an icon on the desktop or in a folder, the worm changes the default behavior to “open the Properties sheet.”
In my case, I found a simple fix (at least, for XP users): Open the Mouse control panel, and fill, then clear, the “Switch primary and secondary buttons” checkbox, then click OK. After I did that, the mouse button reverted to its normal behavior — at least until the system reboots.
But don’t get too cocky about reversing the worm’s changes: The worm’s hooks into the Explorer shell seemed to cause long periods where the computer doesn’t respond.
The worm sets some of its configuration data inside the Registry key beneath the HKLM\SYSTEM\WPA key hive. That’s also where Windows stores some critical information, including the hash value of the CD Key you use to install Windows. Not a good place to play, unless you consider the fact that Windows itself protects that portion of the Registry and prevents deletion of any keys in there. Nice place to stash some data you wouldn’t want any old antivirus program to delete.
The worm also seems to interact with the .Net installation on the infected computer, such that on the infected computer .Net will generate a large number of new files and registry keys. What the point of this isn’t clear; Many of the registry keys and files seem to have nothing to do with the worm, and may just be a distraction.
I also noted that the worm prevents you from browsing a directory that you normally can: The Offline Web Pages folder, inside the Windows folder, is one of those “magic” folders Windows displays differently than normal folders.
Both our current generation of products, including WISC and WAV, and our upcoming new release (currently in a closed beta) are able to easily remediate the infections caused by Morto. But we can’t make you choose stronger passwords for your Remote Desktop accounts. You need to do that all by yourself, using the list of those employed by Morto as a what-not-to-do guideline.