More RDP Worm Variants?

Published: 2011-09-12
Last Updated: 2011-09-12 16:17:45 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP . Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port *3389/tcp. So far, the user was not able to identify the process opening the connections.

Please let us know if you find similar scans and if you are able to identify the process/malware causing it.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: morto rdp
4 comment(s)


Diary Archives