Irregular Expressions » Morto http://itknowledgeexchange.techtarget.com/Irregular-Expressions Insight into current security related events and exploits, including virtualization security and tips. Sun, 28 Apr 2013 08:00:32 +0000 en-US hourly 1 RDP Worm http://itknowledgeexchange.techtarget.com/Irregular-Expressions/rdp-worm/ http://itknowledgeexchange.techtarget.com/Irregular-Expressions/rdp-worm/#comments Tue, 30 Aug 2011 01:22:22 +0000 Dan O'Connor http://itknowledgeexchange.techtarget.com/Irregular-Expressions/rdp-worm/ I was toying with something like this a while ago, I was playing with the idea of being able to do this from a *nix box for VA purposes (With out the gui part, I just wanted a yes or no back).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.gen!A

It’s current state should not get many hosts, the list of passwords is limited.

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

Here is a list of hosts it will attempt to contact for updates.

210.3.38.82 
jifr.info 
jifr.co.cc 
jifr.co.be 
qfsl.net 
qfsl.co.cc 
qfsl.co.be 

Always check your firewall logs just to be safe.

]]> http://itknowledgeexchange.techtarget.com/Irregular-Expressions/rdp-worm/feed/ 0