Tuesday, August 30, 2011

Worm spreads via Remote Desktop feature of Windows

The AV vendor F-Secure warns of the pest Morto, which spreads through
the Remote Desktop server (RDP server) of Windows. The worm does not
exploit any security hole in Windows. It scans IP address ranges for
the RDP port 3389 and, on the machines that answer, tries to log in as
Administrator with a list of frequently used passwords.
The worm primarily affects Windows servers, since RDP is often active
there for remote administration and reachable from the Internet. In the
home-user versions of Windows the RDP server is included only in the
higher-priced editions (from 7 Professional upwards) and additionally
has to be enabled by hand. Moreover, the port is only reachable from
outside in this case if port forwarding has been explicitly configured
on the router. If that is not the case, the requests can only come from
other infected computers in the home network.
To lodge itself permanently in the system, the worm maps a drive A: to
\, which can be addressed over RDP as a network share. On that share it
then places the file a.dll, which takes care of the further infection.
In the further course of the infection, Morto creates, among other
files, \windows\system32\sens32.dll and \Windows\Offline Web
Pages\cache.txt.
On the infected computer the worm takes care of its own distribution,
which the Internet Storm Center, among others, observed as a massive
increase in traffic on the RDP port. The pest also brings typical bot
functions with it: it contacts a number of domains to pick up new
commands and components there. Microsoft has published a detailed
analysis of Morto.
The worm was first noticed in the middle of last week, when reports of
fully patched systems generating unusually high traffic on port 3389
accumulated in the Microsoft TechNet forums. At that time Morto was not
yet recognized by any virus scanner.
Morto is now detected by the scanners from Microsoft and F-Secure; the
other major AV vendors will probably follow suit. To keep the bot off
the system in the first place, computers accessible via RDP should be
protected with passwords that are hard to guess.
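The two sides of the story above, the Administrator password guessing the worm performs and the strong-password advice at the end, can be turned into a small defender's check. The following Python is an added example, not code from the article, F-Secure or Microsoft: it runs a sliding-window count of failed logons per source and account over a constructed set of audit records (the record layout, the sample IPs and the common-password list are all assumptions made here), flags sources that look like password guessing, notes whether a success followed the burst, and rejects candidate passwords that appear on a list of frequently used ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RDP logon audit records (hypothetical layout, not data
# from the article): timestamp, result, account, source IP. On real Windows
# hosts failed logons appear as Security event 4625; the tuple layout used
# here is an assumption for the example.
SAMPLE_EVENTS = [
    ("2011-08-24 10:00:01", "FAIL", "Administrator", "198.51.100.7"),
    ("2011-08-24 10:00:02", "FAIL", "Administrator", "198.51.100.7"),
    ("2011-08-24 10:00:03", "FAIL", "Administrator", "198.51.100.7"),
    ("2011-08-24 10:00:04", "FAIL", "Administrator", "198.51.100.7"),
    ("2011-08-24 10:00:05", "FAIL", "Administrator", "198.51.100.7"),
    ("2011-08-24 10:00:06", "SUCCESS", "Administrator", "198.51.100.7"),
    ("2011-08-24 10:05:00", "FAIL", "alice", "192.0.2.10"),
    ("2011-08-24 10:30:00", "SUCCESS", "alice", "192.0.2.10"),
    ("2011-08-24 11:00:00", "FAIL", "Administrator", "203.0.113.5"),
    ("2011-08-24 11:20:00", "FAIL", "Administrator", "203.0.113.5"),
]

# Constructed list standing in for "frequently used passwords"; a real
# deployment would load a much larger breached-password list.
COMMON_PASSWORDS = {
    "admin", "password", "123456", "letmein", "server",
    "admin123", "1234", "test", "welcome", "qwerty",
}


def parse_event(row):
    """Turn one raw record into a dict with a real datetime."""
    ts, result, account, src = row
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "result": result,
        "account": account,
        "src": src,
    }


def find_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed logons against one account inside any `window`.
    A success from the same source after the burst is reported too, since
    that is the signature of a guess that worked (the Morto case)."""
    failures = defaultdict(list)   # (src, account) -> failure times
    successes = defaultdict(list)  # (src, account) -> success times
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["src"], ev["account"])
        bucket = failures if ev["result"] == "FAIL" else successes
        bucket[key].append(ev["time"])

    alerts = {}
    for (src, account), times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                alerts[src] = {
                    "account": account,
                    "failures_in_window": end - start + 1,
                    "first_failure": times[start],
                    "success_after": any(t > burst_end
                                         for t in successes[(src, account)]),
                }
                break  # one alert per source is enough
    return alerts


def password_acceptable(password, min_length=12):
    """Mitigation side: reject passwords on the common list (case-insensitive)
    or shorter than `min_length`, so an RDP-exposed Administrator account
    cannot carry one of the guesses a worm would try first."""
    if len(password) < min_length:
        return False
    return password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    parsed = [parse_event(r) for r in SAMPLE_EVENTS]
    for src, info in find_password_guessing(parsed).items():
        print(f"{src}: {info['failures_in_window']} failed logons as "
              f"{info['account']} from {info['first_failure']}, "
              f"success afterwards: {info['success_after']}")
    for candidate in ("password", "Correct-Horse-Battery-9"):
        print(candidate, "->", "ok" if password_acceptable(candidate) else "rejected")
```

The window and threshold are deliberately parameters: a burst of five failures in a few seconds is the noisy case the article describes, but a slower guesser that spaces attempts out only shows up when the window is widened, so the same function can be run with both settings over the same log.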
