Last Updated: 2011-09-12 16:17:45 UTC
by Johannes Ullrich (Version: 1)
With the release of the "Morto" worm last month , more attention is being paid to malware scanning for RDP . Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port *3389/tcp. So far, the user was not able to identify the process opening the connections.
Please let us know if you find similar scans and if you are able to identify the process/malware causing it.