Mal/Morto-A is a family of network worms.
Mal/Morto-A drops a file to one or more of the following locations, also detected as Mal/Morto-A:
- <Windows>\clb.dll
- <Windows>\Offline Web Pages\cache.txt
Mal/Morto-A attempts to spread to network shares using port 3389 (RDP).
Mal/Morto-A tries to read and write to files in the remote folder \\tsclient\a\.
Mal/Morto-A typically creates registry entries at the following location:
HKLM\SYSTEM\Wpa
Mal/Morto-A may attempt to delete the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Components of Mal/Morto-A have been detected as Troj/SvcLoad-A, Troj/SvcLoad-B and Troj/Agent-TEE.
Examples of Mal/Morto-A include:
Example 1
File Information
- Size: 7.1K
- SHA-1: 029f770aa8dfa81831b759d39dc6822db936c245
- MD5: 4f3ae68fe5861d0060d2a0a964431a36
- CRC-32: b9c098c1
- File type: application/x-ms-dos-executable
- First seen: 2011-08-26
Example 2
File Information
- Size: 29K
- SHA-1: 0350faa85c50ff5628772c0beafd8f97e2c5a5bf
- MD5: c181d33d27b2a3db4de06ac93eb0ee53
- CRC-32: d9ba6e47
- File type: application/x-ms-dos-executable
- First seen: 2011-08-09
Example 3
File Information
- Size: 49K
- SHA-1: 0bbb014657bf4459faa2e6faf11d0559b196187c
- MD5: 2eef4d8b88161baf2525abfb6c1bac2b
- CRC-32: 38761d76
- File type: application/x-ms-dos-executable
- First seen: 2011-08-10
Runtime Analysis
Dropped Files
- C:\WINDOWS\clb.dll
  - Size: 6.6K
  - SHA-1: 81f3226b75fa062813ec7f365657c0e9b968b5d8
  - MD5: cbe629f6fa903b60672bf400e1859bf0
  - CRC-32: f9c30115
  - File type: application/x-ms-dos-executable
  - First seen: 2011-08-30
Registry Keys Created
- HKLM\SYSTEM\WPA
  - ie: c:\test_item.exe
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  - a: regedit.exe\1
Processes Created