Morto: RDP worm of death?

Worm cracking passwords
Over the last few days we have seen some media buzz about a worm called Morto.

Morto is an old-fashioned internet worm, which targets Windows workstations and servers by exploiting poorly-chosen weak passwords to spread via Remote Desktop Protocol (RDP) connections (port 3389).

It’s possible if you had a large number of infected computers within your local network, that the amount of traffic generated by the Morto worm might be so significant that it would effectively clog your system.

Although the Morto worm has received a lot of press attention we need to keep the threat in proportion. SophosLabs has received a very low number of reports of this worm being seen in the wild – other threats which are less exciting to the media are infecting considerably more computers.

Possible reasons for the low number of Morto reports may be that Sophos customers have chosen better passwords on their shares, or because Sophos products had detection relatively early on for this compared to some competitors. (See this VirusTotal report from 26 August 2011, for instance).

Sophos has actually had detection for the various components of the Morto worm as Troj/Agent-TEE, Troj/SvcLoad-A and Troj/SvcLoad-B since 5th August 2011.

However, due to the interest stirred up by media reports we are merging (and updating) our detection and are now protecting against the worm as Mal/Morto-A.

The worm attempts to spread to network shares using port 3389 (RDP), and tries to read and write to files in the remote folder \\tsclient\a\.

How is it possible for Morto to spread across your network? Well, Morto has in its armoury a library of commonly-used passwords. If your network relies upon poorly chosen passwords such as “password”, or sequences of letters or repeated numbers then you could be at risk.

Therefore, it’s not possible to emphasise enough the importance of using sensible passwords on your network.

Not just on the areas of your network that you don’t want your users to traipse through, but also on the default network shares that are present on installations of commonly used operating systems.


Interestingly, the Morto worm has gone through several revisions. We discovered the strings “LVer1.23”, “LVer1.25”, “LVer1.33” and “LVer1.35” all followed by ‘moto’ indicating a development cycle in the construction of this worm.

Read our technical description of Mal/Morto-A.