Authored By:
Keith Gilbert – @digital4rensics
Description:
Finds common Morto infections and alerts on the dropper, loader, or payload. Tested with success, no false positives. The DNS and Process entries have not been verified.
Category:
Worm
Reports:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3AWin32%2FMorto.A
Indicators:
OR
    DnsEntryItem/RecordName contains qfsl.net
    DnsEntryItem/RecordName contains ms.jifr
    File Full Path contains Windows\Offline Web Pages\1.40_TestDdos
    File Full Path contains Windows\Offline Web Pages\cache.txt
    File Full Path contains Windows\clb.dll
    File Full Path contains Windows\clb.dll.bak
    AND
        Registry Path contains SYSTEM\WPA
        OR
            Registry ValueName is ie
            Registry ValueName is md
            Registry ValueName is sr
            Registry Value is Sens
            Registry Value is 6to4
            Registry ValueName is sn
    AND
        Registry Path contains SYSTEM\ControlSet001\Control\Windows
        Registry ValueName is NoPopUpsOnBoot
        Registry Text is 00000001
    AND
        Registry Path contains Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
        Registry Value contains rundll32.exe=RUNASADMIN
    AND
        Process Name is svchost.exe
        Process StringList contains letmein
        Process Handle Name contains System32\Sens32.dll
IOC File:
326c3286-1a3c-403f-8e78-61f3ce1f3ab1.ioc
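The indicator tree above as a small evaluator, added here as an example and not part of the .ioc file or the author's tooling. It models the nested AND/OR terms and applies the OpenIOC rule that all terms of an AND must match the same host item, so a bare SYSTEM\WPA key without one of the listed value names does not fire; item kinds, field names and the sample host items are assumptions.

```python
# Added example, not the original .ioc file: the indicator tree above as nested
# AND/OR terms, evaluated with the OpenIOC rule that every term of an AND must
# match the same host item (the same registry value, the same process). A bare
# SYSTEM\WPA key with no "ie"/"md"/"sr"/"sn" value therefore does not fire.
# Item kinds and field names are assumptions modelled on OpenIOC term names.
# Leaf: (kind, field, op, value); node: ("AND" | "OR", [children]).
MORTO = ("OR", [
    *[("DnsEntryItem", "RecordName", "contains", n) for n in ("qfsl.net", "ms.jifr")],
    *[("FileItem", "FullPath", "contains", p) for p in (
        r"Windows\Offline Web Pages\1.40_TestDdos", r"Windows\Offline Web Pages\cache.txt",
        r"Windows\clb.dll", r"Windows\clb.dll.bak")],
    ("AND", [("RegistryItem", "Path", "contains", r"SYSTEM\WPA"),
             ("OR", [("RegistryItem", "ValueName", "is", v) for v in ("ie", "md", "sr", "sn")]
                  + [("RegistryItem", "Value", "is", v) for v in ("Sens", "6to4")])]),
    ("AND", [("RegistryItem", "Path", "contains", r"SYSTEM\ControlSet001\Control\Windows"),
             ("RegistryItem", "ValueName", "is", "NoPopUpsOnBoot"),
             ("RegistryItem", "Text", "is", "00000001")]),
    ("AND", [("RegistryItem", "Path", "contains", r"Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers"),
             ("RegistryItem", "Value", "contains", "rundll32.exe=RUNASADMIN")]),
    ("AND", [("ProcessItem", "Name", "is", "svchost.exe"),
             ("ProcessItem", "StringList", "contains", "letmein"),
             ("ProcessItem", "HandleName", "contains", r"System32\Sens32.dll")]),
])

def matches(node, item):
    """True if a single host item (a dict with a 'kind' key) satisfies node."""
    if len(node) == 4:                       # leaf term
        kind, field, op, value = node
        if item.get("kind") != kind:
            return False
        have, want = str(item.get(field, "")).lower(), value.lower()
        return want in have if op == "contains" else have == want
    op, children = node
    return (all if op == "AND" else any)(matches(c, item) for c in children)

def scan(items):
    """Return (branch index, item) for every item that satisfies a top-level branch."""
    return [(i, it) for it in items for i, branch in enumerate(MORTO[1]) if matches(branch, it)]

# Constructed sample host items (not real telemetry).
SAMPLE = [
    {"kind": "RegistryItem", "Path": r"HKLM\SYSTEM\WPA", "ValueName": "md", "Value": ""},    # fires
    {"kind": "RegistryItem", "Path": r"HKLM\SYSTEM\WPA", "ValueName": "PnP", "Value": ""},   # no fire
    {"kind": "ProcessItem", "Name": "svchost.exe", "StringList": "...letmein...",
     "HandleName": r"C:\Windows\System32\Sens32.dll"},                                        # fires
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```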
