Say hello to Morto, a Windows worm that has been spreading like wildfire over the last weekend. This new nasty has struck by spreading over the Windows Remote Desktop Protocol. Rather than using fancy network trickery, Morto attempts to infect its target by entering passwords commonly used to secure RDP.
Like many previous worms, this new threat is not technically sophisticated but remains effective due to its persistence. While only a small number of systems may be accessible with the passwords that Morto tries, the worm uses every infected machine to scan for additional targets and spreads itself relentlessly. One infection on a network can quickly turn into a full-blown PC plague. Infected machines also have their security software discreetly terminated, making the worm more difficult to find and remove.
Security researchers caught the worm when they noticed spikes in network traffic, specifically traffic related to TCP port 3389, which is the port Windows Remote Desktop monitors for access requests. While the worm has caused a general increase in Internet traffic, the impact has so far been minimal. The worm does not seem to contain a damaging payload, so researchers do not yet know the method behind the madness.
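In flow data, the scanning described above appears as a single host contacting many distinct addresses on TCP port 3389 in a short time. The following is an added example, not part of the original article, that flags such hosts in constructed flow records; the record layout, internal address range, window size and threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389                       # port named in the article
FANOUT_THRESHOLD = 5                  # assumed: distinct RDP peers per window before flagging
WINDOW_SECONDS = 60                   # assumed bucketing window
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # one host sweeping a subnet on 3389 within a few seconds
    [(1000 + i, "10.0.0.23", f"10.0.1.{i + 1}", 3389) for i in range(12)]
    # an administrator reconnecting to the same server repeatedly
    + [(1000 + i * 5, "10.0.0.8", "10.0.0.50", 3389) for i in range(12)]
    # ordinary mixed traffic
    + [(1005, "10.0.0.9", "10.0.2.7", 443), (1010, "10.0.0.9", "10.0.2.8", 3389)]
    # a slow sweep, one new destination every two minutes
    + [(1000 + i * 120, "10.0.0.30", f"10.0.3.{i + 1}", 3389) for i in range(6)]
)

def rdp_fanout(flows, window=WINDOW_SECONDS):
    """Map (src, window_start) -> set of distinct destinations contacted on TCP 3389."""
    seen = defaultdict(set)
    for ts, src, dst, port in flows:
        if port != RDP_PORT or ip_address(src) not in INTERNAL:
            continue
        seen[(src, ts - ts % window)].add(dst)
    return seen

def suspected_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak distinct-destination count} for hosts at or above threshold."""
    peaks = {}
    for (src, _), dsts in rdp_fanout(flows, window).items():
        if len(dsts) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(dsts))
    return peaks

if __name__ == "__main__":
    for host, peak in sorted(suspected_scanners(SAMPLE_FLOWS).items()):
        print(f"{host}: {peak} distinct RDP destinations within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connections keeps the repeated admin session from being flagged. The slow sweep from 10.0.0.30 only appears when the window is widened, so a short and a long window are worth running side by side.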
Protection against Morto is simple. Disabling Windows Remote Desktop will cut off its means of infection. Alternatively, a strong password containing random letters and numbers can thwart the worm.
Source: Computerworld