New Morto worm variant emerges with file infection capability

The original Morto worm was able to compromise remote desktop protocol (RDP) connections by exploiting weak administrator passwords, but the new strain has added file infection capability to its repertoire, noted Edgardo Diaz Jr. with the Microsoft Malware Protection Center.

Last year, Microsoft warned that once Morto compromises a system, it connects to a remote server to download additional information and update its components. The worm also terminates processes for locally running security applications to ensure its activity continues uninterrupted.

Diaz explained that the new Morto variant “infects .EXE files found on fixed and removable drives as well as on default RDP and Administrative shares, but avoids infecting files that contain strings like 'windows', 'winnt', 'qq', 'Outlook', 'System Volume Information' or 'RECYCLER' in their path. Morto also leaves an infection marker, 'PPIF' in infected files.”

Similar to earlier memory-resident viruses, Morto's payload and infection routine are executed in the context of other processes, Diaz said. To avoid multiple injections into the same process (or running multiple copies of the virus), a mutex called "Global\_PPIftSvc" is created, he added.
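A triage scanner built from the two host indicators quoted above (the 'PPIF' infection marker and the worm's path exclusion list), as an added example that is not code from the article or from Microsoft MMPC. It assumes the marker is the literal ASCII bytes `PPIF` somewhere in the file, since the report does not say where it is written, and treats the exclusion strings exactly as quoted, so hits are leads for analysis rather than a verdict.

```python
# Added example, not code from the article or from Microsoft MMPC.
# Assumption: the 'PPIF' marker is the literal ASCII bytes b"PPIF" somewhere
# in the file (the report does not say where), so hits are triage leads only.
import os
import tempfile
from pathlib import Path

MARKER = b"PPIF"
# Path fragments the worm reportedly avoids, matched literally as quoted.
# Used only to label hits: a defender scans everything the worm skipped too.
WORM_SKIP_STRINGS = ("windows", "winnt", "qq", "Outlook",
                     "System Volume Information", "RECYCLER")

def worm_would_skip(path: str) -> bool:
    """True if the path contains one of the worm's own exclusion strings."""
    return any(s in path for s in WORM_SKIP_STRINGS)

def has_marker(path, chunk: int = 1 << 20) -> bool:
    """Stream the file and search for the marker, including across chunks."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return False
            if MARKER in tail + data:
                return True
            tail = data[-(len(MARKER) - 1):]  # carry 3 bytes for the boundary

def scan_tree(root: str) -> list:
    """Return sorted paths of .exe files under root carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                p = os.path.join(dirpath, name)
                if has_marker(p):
                    hits.append(p)
    return sorted(hits)

def demo() -> list:
    """Constructed sample tree (not real malware): one marked .exe, one clean."""
    root = tempfile.mkdtemp()
    Path(root, "tool.exe").write_bytes(b"MZ" + b"\0" * 64 + MARKER + b"\0" * 16)
    Path(root, "clean.exe").write_bytes(b"MZ" + b"\0" * 80)
    Path(root, "lib.dll").write_bytes(b"MZ" + MARKER)  # not .exe, not reported
    return [os.path.basename(h) for h in scan_tree(root)]

def demo_boundary() -> bool:
    """A marker split across a 2-byte read window is still found."""
    p = Path(tempfile.mkdtemp(), "split.exe")
    p.write_bytes(b"abPPIFcd")
    return has_marker(p, chunk=2)

if __name__ == "__main__":
    print(demo(), demo_boundary())
```

Files that `worm_would_skip` flags are still scanned; the label only tells an analyst which hits fall outside the worm's reported behaviour and deserve a closer look.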

Diaz advised organizations to use strong passwords for administrator and user accounts and to verify that none of their passwords resemble those the malware uses to spread.