According to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets.
I can add that it runs what it looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of CC servers (China) and their location (Hong Kong), I would say it is likely it be cybercrimeware originating in erm,...Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & technology Co. Ltd.in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing common there too :)
I want to thank jsunpack.jeek.org and malc0de.com for the sample.
Expert analysis has been done already and I won't repeat it. I ran the sample posted and it does what the links below describe
Excerpt from Microsoft:
The malware consists of several components, including
an executable dropper component (the installer), and a DLL component
which performs the payload.
When the dropper is executed, the DLL component is installed to the Windows directory as clb.dll. If updated by the malware, backups are created as clb.dll.bak.The executable component also writes encrypted code to the registry key HKLM\SYSTEM\WPA\md and exits.
The name clb.dll is chosen because it is the name of a real DLL (located in the System directory), which is used by regedit. To load this malware DLL, a regedit process is spawned by the malware. Once regedit is executed, it loads the malicious clb.dll preferentially over the real clb.dll due to the way in which Windows searches for files (i.e. the Windows directory is searched before the System directory). This dll has encrypted configuration information appended to it in order to download and execute new components.
The following additional files are also created:
%windows%\temp\ntshrui.dll
\sens32.dll
c:\windows\offline web pages\cache.txt
Some screenshots
contents of cache.txt in offline web pages folder
They may be replaced later on with malicious components which are downloaded to:
c:\windows\offline web pages\cache.txt
General File Information
MD5: 2eef4d8b88161baf2525abfb6c1bac2b
File Type: EXE
Infection Vector: RDP
Download
Download 2eef4d8b88161baf2525abfb6c1bac2b and the created files as a password protected archive (contact me if you need the password)(with many thanks to jsunpack.jeek.org and malc0de.com)
Automated Scans
2eef4d8b88161baf2525abfb6c1bac2b.exe
Result:19 /44 (43.2%)
http://www.virustotal.com/file-scan/report.html?id=3d84a7395b23bc363a52a2028cea6cedb8ea4011ebc63865581c35aaa0da5da8-1314609731
AhnLab-V3 2011.08.28.00 2011.08.29 Win-Trojan/Npkon.49969
AntiVir 7.11.14.3 2011.08.29 TR/Agent.49969.1
Avast 4.8.1351.0 2011.08.29 Win32:Malware-gen
Avast5 5.0.677.0 2011.08.29 Win32:Malware-gen
AVG 10.0.0.1190 2011.08.29 Agent3.ACOR
ByteHero 1.0.0.1 2011.08.22 Trojan.Win32.Heur.Gen
Comodo 9914 2011.08.29 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.2.03300 2011.08.29 BackDoor.Tsclient.1
Emsisoft 5.1.0.10 2011.08.29 Trojan.Agent3!IK
GData 22 2011.08.29 Win32:Malware-gen
Ikarus T3.1.1.107.0 2011.08.29 Trojan.Agent3
Jiangmin 13.0.900 2011.08.28 Backdoor/DsBot.dov
Microsoft 1.7604 2011.08.29 Worm:Win32/Morto.gen!A
NOD32 6418 2011.08.29 a variant of Win32/Agent.SYL
Panda 10.0.3.5 2011.08.28 Trj/MereDrop.B
Sophos 4.68.0 2011.08.29 Mal/Generic-L
TheHacker 6.7.0.1.286 2011.08.29 Trojan/Agent.syl
ViRobot 2011.8.29.4644 2011.08.29 Backdoor.Win32.DsBot.53076
VirusBuster 14.0.189.0 2011.08.28 Trojan.Agent!MYoVp4jcZjs
MD5 : 2eef4d8b88161baf2525abfb6c1bac2b
Created file
clb.dll
Submission date:2011-08-28 22:58:34 (UTC)
Result:16 /44 (36.4%)
http://www.virustotal.com/file-scan/report.html?id=c74b91699e916596884b3833d21825039cf1d200a244fc429341d7723ab1a5f6-1314572314
AhnLab-V3 2011.08.27.01 2011.08.28 Win-Trojan/Agent21.Gen
AntiVir 7.11.14.2 2011.08.28 TR/Agent.6672.5
Avast 4.8.1351.0 2011.08.28 Win32:Malware-gen
Avast5 5.0.677.0 2011.08.28 Win32:Malware-gen
AVG 10.0.0.1190 2011.08.29 Agent3.AENL
DrWeb 5.0.2.03300 2011.08.29 BackDoor.Tsclient.1
Emsisoft 5.1.0.10 2011.08.28 Trojan.Agent3!IK
Fortinet 4.2.257.0 2011.08.28 W32/SvcLoad.AJE!tr
GData 22 2011.08.29 Win32:Malware-gen
Ikarus T3.1.1.107.0 2011.08.28 Trojan.Agent3
Microsoft 1.7604 2011.08.28 Worm:Win32/Morto.gen!A
NOD32 6418 2011.08.29 Win32/Agent.SYL
Panda 10.0.3.5 2011.08.28 Suspicious file
Sophos 4.68.0 2011.08.28 Troj/SvcLoad-A
TheHacker 6.7.0.1.286 2011.08.29 Trojan/Agent.syl
VIPRE 10300 2011.08.29 Trojan.Win32.Generic!BT
MD5 : eb19e7a8cd7dee563a2b7477a7b9037f
Traffic
As you already noted, it is a worm capable of spreading through local area network. Please remember this when running it on a VM attached to any LAN. Take appropriate measures to prevent it from spreading.
From what I see, it performs DNS queries using servers that are not in the victim's TCP/IP configuration
According to Microsoft (and the samples they analysed ), morto
Contacts remote host
Worm:Win32/Morto.A connects to the following hosts in order to download additional information and update its components:
210.3.38.82
74.125.71.104
jifr.info
jifr.co.cc
jifr.co.be
qfsl.net
qfsl.co.cc
qfsl.co.be
Newly downloaded components are downloaded to a filename that uses the following format:
~MTMP ;4 digits 0-f ;.exe
Performs Denial of Service attacks
Morto may be ordered to perform Denial of Service attacks against attacker-specified targets.
I have a few additional similar domains
The list of recorded domains and IPs (see additional/slightly different list in the Microsoft analysis)
- 111.68.13.250 = qfsl.net ASIA PACIFIC SERVER COMPANY, Hong Kong -- orders to perform DDoS test
- 210.3.38.82 Hutchison Global Communications, Hong Kong - Location from where 160.rar gets downloaded
- hx-in-f104.1e100.net = Google.com 74.125.71.104/74.125.115.106 - DoS test is on Google.com (Google won't "feel" it, it is not really "an attack on Google")
Domains
- fb1.jifr.net
- fb2.jifr.net
- db1.jifr.net
- db2.jifr.net
- dostest1.qfsl.net
and etc. as listed on the screenshot below
DNS used (no changes made in TCP/IP settings)
- victim's preferred DNS
- 212.76.127.133 Internet Rimon LTD, Israel
- 64.68.200.200 easyDNS Technologies, Inc. Toronto
- 156.154.71.1 NeuStar, Inc., VA - USA
- 8.8.8.8 Google DNS
- 209.166.160.36 CONTINENTAL BROADBAND PENNSYLVANIA, INC.
- 210.220.163.82 SK Broadband Co Ltd, Korea
- 4.2.2.2 Level 3 Communications, Inc
- 202.238.96.2 So-net service, Japan
- 203.172.246.41 Ministry of Education Network Operation Center, Thailand
- 205.171.3.65 Qwest Communications Company, LLC
- 210.196.3.183 DION (KDDI CORPORATION)
- 163.180.96.54 Kyung Hee University
- 202.207.184.3 North China Institute Of Technology
- 168.210.2.2 Dimension Data, South Africa
- and perhaps others - see the screenshot
=======================================
Host reachable, 284 ms. average
210.3.0.0 - 210.3.127.255
Hutchison Global Communications
Hong Kong
ITMM HGC
hgcnetwork@hgc.com.hk
9/F Low Block ,
Hutchison Telecom Tower,
99 Cheung Fai Rd, Tsing Yi,
HONG KONG
phone: +852-21229555
fax: +852-21239523
Downloading 160.rar (MD5: 4E69179BB79DE93584E87C4763F6C664 ) = same file that Microsoft describes as
Newly downloaded components are downloaded to a filename that uses the following format:
~MTMP 4 digits 0-f.exe
In my case, these were created and deleted from C\WINDOWS\Temp
Size: 54496
MD5: 4E69179BB79DE93584E87C4763F6C664
~MTMP3C32.exe
~MTMP4F62.exe
~MTMP6006.exe
~MTMP9B40.exe
~MTMPA327.exe
However, they do not seem to have valid PE headers
http://www.virustotal.com/file-scan/report.html?id=f9a12ac987d7737024df78471169d56c1225f31254d3914af8e16a3bbf32daaf-1314580097
[EDIT] See the comments after the post. The file is actually a DLL
Size: 54484
MD5: EBB3A5964DA485C0B9E67164B047A7A5
Machine 014Ch i386®
Number of Sections 0004h
Time Date Stamp 4E536606h 23/08/2011 08:34:14
Pointer to Symbol Table 00000000h
Number of Symbols 00000000h
Size of Optional Header 00E0h
Characteristics 210Eh The file is executable (no unresolved external references)
Line numbers are stripped from the file
Local symbols are stripped from the file
Computer supports 32-bit words
The file is a dynamic link library (DLL)
Magic 010Bh PE32
Linker Version 0006h 6.0
Size of Code 00001000h
Size of Initialized Data 00000A00h
Size of Uninitialized Data 00000000h
Address of Entry Point 10001D6Ah
Base of Code 00001000h
Base of Data 00002000h
Image Base 10000000h
Section Alignment 00001000h
File Alignment 00000200h
Operating System Version 00000004h 4.0
Image Version 00000000h 0.0
Subsystem Version 00000004h 4.0
Win32 Version Value 00000000h Reserved
Size of Image 00005000h 20480 bytes
Size of Headers 00000400h
Checksum 00000000h Real Image Checksum: 0001B115h
Subsystem 0002h Win32 GUI
Dll Characteristics 0000h
Size of Stack Reserve 00100000h
Size of Stack Commit 00001000h
Size of Heap Reserve 00100000h
Size of Heap Commit 00001000h
Loader Flags 00000000h Obsolete
Number of Data Directories 00000010h
http://www.virustotal.com/file-scan/report.html?id=2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8-1314701651
=======================================
hx-in-f104.1e100.net - Google.com 74.125.71.104 or vx-in-f106.1e100.net 74.125.115.106 in another test
Traffic to Google (DoS test). The response is Error 400 - invalid request.
That...s an error. Your client has issued a malformed or illegal request. That...s all we know.
=======================================
qfsl.net
Administrative Contact:
DOMAIN WHOIS PROTECTION SERVICE
WHOIS AGENT domian@whoisprotectionservices.net
+86.02586880037 fax: +86.02586880037
10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District
Nanjing Jiangsu 210012
CN
Registrar History
Date Registrar
2003-01-28 INWW.com
2005-11-23 DirectNic.com
2006-03-22 Bizcn.com
2008-06-14 eNom GMP Services
2010-05-03 Jiangsu Bangning Science & technology Co. Ltd.
IP Address History
Event Date Action Pre-Action IP Post-Action IP
2005-02-12 Not Resolvable 213.161.76.87 -none-
2006-03-24 New -none- 61.152.93.70
2006-06-24 Not Resolvable 61.152.93.70 -none-
2006-10-21 New -none- 61.152.93.70
2007-02-24 Change 61.152.93.70 210.95.31.4
2008-03-30 Not Resolvable 210.95.31.4 -none-
2008-03-31 New -none- 209.62.72.197
2008-04-13 Change 209.62.72.197 124.42.34.171
2008-05-04 Not Resolvable 124.42.34.171 -none-
2008-06-13 New -none- 69.64.155.79
2008-06-15 Change 69.64.155.79 69.64.155.136
2008-06-22 Change 69.64.155.136 69.64.155.132
2008-11-16 Change 69.64.155.132 69.64.147.18
2009-03-09 Change 69.64.147.18 69.64.147.212
2009-03-30 Change 69.64.147.212 69.64.147.213
2009-04-06 Change 69.64.147.213 69.64.147.212
2009-04-20 Change 69.64.147.212 69.64.147.213
2009-04-27 Change 69.64.147.213 69.64.147.212
2009-07-27 Not Resolvable 69.64.147.212 -none-
2010-05-04 New -none- 210.51.7.236
2010-05-23 Change 210.51.7.236 59.188.19.76
2010-10-15 Change 59.188.19.76 58.14.38.169
2010-11-17 Change 58.14.38.169 113.128.1.80
2011-04-10 New -none- 113.128.1.80
2011-05-03 Change 113.128.1.80 113.128.223.131
2011-07-03 Change 113.128.223.131 0.0.0.0
2011-08-10 Not Resolvable 0.0.0.0 -none-
jifr.net
Registrant Contact:
jian fan ren
fan ren jian j@163.com
+86.01015215412 fax: +86.01012111111
chang an lu 113 hao
ma an san an hui 111111
CN
Registrar History
Date Registrar
2011-07-21 Jiangsu Bangning Science & technology Co. Ltd.
IP Address History
We have no record of any IP changes.
=======================================
111.68.13.250
111.68.0.0 - 111.68.15.255
Hollywood Plaza, 610 Nathan Road
Hong Kong
ASIA PACIFIC SERVER COMPANY - network administrato
Hollywood Plaza, 610 Nathan Road, Mong Kong, KLN
phone: +85263419611
network@apacserver.com
Qfsl.net point to 111.68.13.250.
Registrant Contact:
DOMAIN WHOIS PROTECTION SERVICE
WHOIS AGENT domian@whoisprotectionservices.net
+86.02586880037 fax: +86.02586880037
10F West-Building, Yuhua Software Park, 310 Ningnan Road, Yuhua District
Nanjing Jiangsu 210012
CN
Created files
C:\WINDOWS\Offline Web Pages\1.40_TestDdos - see this in the screenshot below - 6th line from the top
C:\WINDOWS\Offline Web Pages\1.60_0823
C:\WINDOWS\Offline Web Pages\2011-08-29 0234
C:\WINDOWS\Offline Web Pages\cache.txt TCP traffic from 111.68.13.250.
