New RDP worm

August 28, 2011

There’s a new worm spreading around the internet, using RDP to infect systems.

The RDP worm, called Win32/Morto.A, spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.

The worm cycles through IP addresses and attempts to connect to the server as administrator using a standard list of passwords. If the worm is successful at logging into a server, it copies clb.dll to a.dll on the machine and creates a file .reg in a directory which is temporarily mapped to A:

Microsoft has released details about Win32/Morto.A, although it will only really be an issue if a system is configured with one of the passwords from the defined list, most of which are based on the dumb choices some systems administrators would make.
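The password guessing described above leaves a recognisable trail in the Windows Security log. The following is an added example, not part of the original post or Microsoft's write-up: it flags sources making repeated failed administrator logons over RDP, and marks a server as compromised when a success follows the burst. It assumes the log has been exported as whitespace-separated records using event IDs 4625/4624 (Windows Vista/Server 2008 and later); the record layout, thresholds and function names are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, host, event ID, logon type, account, source.
# 4625 = failed logon, 4624 = success; type 10 = RDP, type 3 = RDP failure seen with NLA enabled.
SAMPLE = """\
2011-08-28T10:00:01 SRV01 4625 10 administrator 192.0.2.50
2011-08-28T10:00:03 SRV01 4625 10 administrator 192.0.2.50
2011-08-28T10:00:05 SRV01 4625 10 Administrator 192.0.2.50
2011-08-28T10:00:07 SRV01 4625 10 administrator 192.0.2.50
2011-08-28T10:00:09 SRV01 4624 10 administrator 192.0.2.50
2011-08-28T10:00:12 SRV02 4625 10 administrator 192.0.2.50
2011-08-28T10:00:14 SRV02 4625 10 administrator 192.0.2.50
2011-08-28T10:00:16 SRV02 4625 10 administrator 192.0.2.50
2011-08-28T10:00:18 SRV02 4625 10 administrator 192.0.2.50
2011-08-28T09:15:00 SRV01 4625 10 administrator 198.51.100.7
2011-08-28T11:30:00 SRV01 4624 10 administrator 198.51.100.7
2011-08-28T10:05:00 SRV03 4625 10 jsmith 192.0.2.50
"""

def parse(text):
    for line in text.splitlines():
        ts, host, eid, ltype, user, src = line.split()
        yield datetime.fromisoformat(ts), host, int(eid), int(ltype), user.lower(), src

def find_rdp_guessing(text, threshold=4, window=timedelta(minutes=5)):
    """Return {(src, host): 'guessing' | 'compromised'} for administrator logons over RDP."""
    failures = defaultdict(list)   # (src, host) -> timestamps of recent failures
    verdict = {}
    for ts, host, eid, ltype, user, src in sorted(parse(text)):
        if user != "administrator" or ltype not in (3, 10):
            continue
        key = (src, host)
        recent = [t for t in failures[key] if ts - t <= window]
        if eid == 4625:
            recent.append(ts)
            if len(recent) >= threshold:
                verdict.setdefault(key, "guessing")
        elif eid == 4624 and len(recent) >= threshold:
            verdict[key] = "compromised"   # a success right after a burst of failures
        failures[key] = recent
    return verdict

def scanning_sources(verdict, min_hosts=2):
    """Sources guessing against several servers, as a worm cycling through addresses would."""
    hosts = defaultdict(set)
    for src, host in verdict:
        hosts[src].add(host)
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}
```

A single mistyped password followed much later by a normal logon, as from 198.51.100.7 in the sample, is not flagged; only a burst inside the window counts.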