Skip to content

New Morto Worm Attacks RDP

  • by

new worm

Many of our readers are requesting info on a new Worm that is making news.

The new worm is called Morto and it takes advantage of the Microsoft Remote Support Desktop Protocol. The worm will scan your Windows systems to see if you have RDP Enabled. The worm is controlled remotely via the and Make sure you block these at the firewall! The worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003. The traffic was flagged by the SANS folks.

Port 3389 / TCP is used by Microsoft Terminal Services, and has been a continuing target of attacks.

Info from F-Scure: “We don’t see that many internet worms these days. It’s mostly just bots and trojans. But we just found a new internet worm, and it’s spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven’t seen before: RDP. RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection.

Once you enable a computer for remote use, you can use any other computer to access it. When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer. Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.”

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

  • admin password server test user pass letmein 1234qwer 1q2w3e 1qaz2wsx aaa abc123 abcd1234 admin123 111 123 369 1111 12345 111111 123123 123321 123456 654321 666666 888888 1234567 12345678 123456789 1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \tsclientc and \tsclientd for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it. The infection will create several new files on the system including windowssystem32sens32.dll and windowsoffline web pagescache.txt

Author Malware Survival

Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in affordable IT Support, Cyber Security, IT Service, IT Security, Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in affordable IT Support, Cybersecurity Services, IT Services, IT Security, Office 365, Cloud, VOIP Services, SPAM, Wireless, Network Monitoring Services, Custom Gaming PC, MAC repair, PC Repair In Austin, Virus Removal, and much more. Check out what our clients have to say about us on Yelp!


What Is the Morto Worm and How Does It Spread?

The Morto Worm is malware that spreads through Remote Desktop Protocol (RDP) connections. It exploits weak passwords to gain and propagate access to systems.

How Can I Protect My System from the Morto Worm?

Use strong, unique passwords for RDP connections, disable RDP if not needed, and keep your operating system and antivirus software updated to protect against the Morto Worm.

What Are the Symptoms of a Morto Worm Infection?

Symptoms include slow system performance, unexpected RDP connections, and unusual network activity. The worm can also cause system crashes and other operational issues.

Which Versions of Windows Are Vulnerable to the Morto Worm?

Older versions of Windows, especially those not regularly updated, are more vulnerable. Ensure you have the latest security patches to reduce the risk of infection.

What Steps Should I Take If the Morto Worm infects My System?

Disconnect from the network, run a full antivirus scan, and remove the worm. Change all passwords and update your system and security software to prevent future infections.