New worm targeting weak passwords on Remote Desktop connections (port 3389)

  • Article

We've had reports of a new worm in the wild and that generates increased RDP traffic for our users on port 3389. Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of it at Worm:Win32/Morto.A.

Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process.

Read the complete blog at https://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx

Read my favorites blogs:

Designing a backup less Exchange 2010 Architecture

Step by step guide for upgrading Active Directory from Microsoft Windows 2003 to Microsoft Windows Server 2008

Microsoft Exchange 2010 CAS Array – Steps and Recommendations

Appear Offline in Microsoft Office Communicator Server 2007

Microsoft Exchange 2010 Test cases

Microsoft Exchange Server 2010 Disaster Recovery