W32.Morto first surfaced in August 2011, causing a stir when it targeted weak passwords on Remote Desktop Protocol (RDP) connections in order to propagate across networks. W32.Morto.B, the new variant, now has the ability to infect executable files on a compromised computer. Let's take a look at the infected files in a bit more detail.
Figure 1. W32.Morto.B file infection schematics
Before infecting a file, W32.Morto.B checks for an infection marker. This ensures it does not attempt to infect the same file more than once, a common check performed by file-infecting threats. The marker it looks for is stored in the MZ header and can be seen in Figure 2 below:
Figure 2. W32.Morto.B file infection marker
If this marker is not present, it proceeds to insert the viral body into the last section of the file and updates that section's attributes so that the code placed there can run when the file is executed. As a final step it modifies the original entry point so that it points to the newly inserted viral code.
Once the infected file is executed, the inserted viral code runs first instead of the original code path. The entry point of the worm contains a small decryption routine, which decrypts the viral body and then executes it. Once that completes, the worm returns execution to the original entry point of the file, and the original application continues to run as normal.
Figure 3. Code extract showing flow of execution from viral entry point
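As an added example (not Symantec's code, and not the worm's), the following Python check parses a PE header and flags the structural traces the infection steps above would leave behind: an entry point that falls inside the last section, and a last section marked executable. The writable-plus-executable test and the header-only sample images are the example's own assumptions and constructions; the flag constants are the standard IMAGE_SCN_* values.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # standard PE section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(pe):
    """Return (AddressOfEntryPoint, [(name, rva, virtual_size, flags), ...]) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, rva, _, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), rva, vsize, flags))
        off += 40
    return entry_rva, sections

def entry_point_findings(pe):
    """Flag traces of the infection steps: entry point moved into the last section, and that
    section executable (the additional writable check is this example's own assumption)."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for i, (name, rva, vsize, flags) in enumerate(sections):
        if rva <= entry_rva < rva + max(vsize, 1):
            if i == len(sections) - 1:
                findings.append(f"entry point 0x{entry_rva:x} lies in the last section '{name}'")
            if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
                findings.append(f"section '{name}' is both writable and executable")
            return findings
    return [f"entry point 0x{entry_rva:x} is outside every section"]

def build_sample_pe(entry_rva, sections):
    """Constructed header-only PE32 image for testing (no real code inside)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 24, 0x102)
    hdr += struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0)  # 24-byte optional header
    for name, rva, vsize, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, rva, vsize, 0, 0, 0, 0, 0, flags)
    return bytes(hdr)

# Constructed samples: a normal layout, and one whose entry point was moved into an RWX last section.
CLEAN = build_sample_pe(0x1000, [(b".text", 0x1000, 0x400, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040)])
INFECTED = build_sample_pe(0x2100, [(b".text", 0x1000, 0x400, 0x60000020), (b".data", 0x2000, 0x400, 0xE0000040)])
```

Running `entry_point_findings` over a real binary only raises a suspicion worth a closer look; legitimate packers and self-modifying installers produce the same layout.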
We are currently investigating this threat for any additional functionality and will be updating this blog as details become available. Ensure that your anti-virus is up to date to protect against this latest evolution of the Morto worm.