SANS Internet Storm Center
More RDP Worm Variants?

With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP. Today, we had a reader report a possible new version of the Win32/Morto RDP brute-forcing worm. The worm was not detected by anti-virus, and does not appear to use c:\Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port, 3389/tcp. So far, the user has not been able to identify the process opening the connections.
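The check a handler would ask the reader to run on the suspected host, as an added example that is not from the diary or its author: parse the output of `netstat -ano` (available on Windows 7), keep outbound connections to 3389/tcp, group them by PID and local port, and map each PID to its image path and command line through WMI. A process fanning out to many remote hosts from a single local port is exactly the traffic pattern described above. The function names are mine, and the netstat text at the bottom is constructed sample output so the parsing can be exercised offline; on a live host, feed it `netstat -ano` from an elevated prompt instead.

```powershell
# Added example (not code from the ISC diary). Identify which local process is
# opening connections to 3389/tcp, using 'netstat -ano' plus WMI for PID lookup.
# Run elevated so netstat reports the owning PID for every socket.

function ConvertFrom-NetstatLine {
    # Parse one 'netstat -ano' TCP line into an object; returns $null for
    # header lines and UDP entries.
    param([string]$Line)
    $parts = ($Line.Trim() -split '\s+')
    if ($parts.Count -lt 5 -or $parts[0] -ne 'TCP') { return $null }
    $l = $parts[1].LastIndexOf(':')
    $r = $parts[2].LastIndexOf(':')
    New-Object PSObject -Property @{
        LocalAddr  = $parts[1].Substring(0, $l)
        LocalPort  = [int]$parts[1].Substring($l + 1)
        RemoteAddr = $parts[2].Substring(0, $r)
        RemotePort = [int]$parts[2].Substring($r + 1)
        State      = $parts[3]
        PID        = [int]$parts[4]
    }
}

function Get-RdpScanners {
    # Group outbound 3389/tcp connections by (PID, local port). One PID reusing a
    # single local port against many remote hosts is the Morto-like pattern.
    param([string[]]$NetstatOutput)
    $NetstatOutput |
        ForEach-Object { ConvertFrom-NetstatLine $_ } |
        Where-Object { $_ -and $_.RemotePort -eq 3389 } |
        Group-Object PID, LocalPort |
        ForEach-Object {
            $first = $_.Group[0]
            # Win32_Process gives the image path; Get-Process alone lacks the command line.
            $proc  = Get-WmiObject Win32_Process -Filter "ProcessId = $($first.PID)" -ErrorAction SilentlyContinue
            $image = '<no such process>'
            $cmd   = ''
            if ($proc) { $image = $proc.ExecutablePath; $cmd = $proc.CommandLine }
            New-Object PSObject -Property @{
                PID         = $first.PID
                LocalPort   = $first.LocalPort
                # @() so .Count works for a single target on PowerShell 2.0 as well
                Targets     = @($_.Group | Select-Object -ExpandProperty RemoteAddr -Unique).Count
                Image       = $image
                CommandLine = $cmd
            }
        } |
        Sort-Object Targets -Descending
}

# Live use (elevated prompt):
#   Get-RdpScanners (netstat -ano) | Format-Table PID, LocalPort, Targets, Image -AutoSize

# Constructed sample output standing in for a live capture. PID 4242 reuses local
# port 49210 against three hosts (the diary's pattern); PID 1880 is a normal client.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49210     192.168.1.77:3389      SYN_SENT        4242
  TCP    192.168.1.10:49210     192.168.1.78:3389      SYN_SENT        4242
  TCP    192.168.1.10:49210     192.168.1.79:3389      SYN_SENT        4242
  TCP    192.168.1.10:49301     10.0.0.5:3389          ESTABLISHED     1880
  TCP    192.168.1.10:49302     93.184.216.34:443      ESTABLISHED     1880
'@ -split "`r?`n"

Get-RdpScanners $sample | Format-Table PID, LocalPort, Targets, Image, CommandLine -AutoSize
```

On a real infection the PID column is what matters: take the image path to the file, check its signature and hash, and note that malware can also inject into an existing process, in which case the image will look legitimate (for example svchost.exe) and the command line and loaded modules need a closer look.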

Please let us know if you find similar scans and if you are able to identify the process/malware causing it.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



ISC Handler, Sep 12th 2011
No chance of sharing C&C names/IPs?

I'll try again:
Can anyone shed some light into how logging works for RDP on Windows 7?

On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication.

In Event Viewer I can find entries under "Applications and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational".

But the entries are only "Listener RDP-Tcp received a connection".

I would like to know: where did the connection come from, which username was supplied, etc.


They're in the security log; they're not differentiated by category, they are logon events with a different "Type" that is spelled out in the description field. Google "RDP Security Log" (no quotes) and you'll find an explanation pretty quickly.

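An added example, not part of the answer above, showing how to pull those entries out of the Security log on Windows 7 with Get-WinEvent: event 4624 is a successful logon and 4625 a failed one, and RDP sessions carry Logon Type 10 (RemoteInteractive), with the source IP and the supplied username in the event data. One caveat that matters for the NLA-only setup in the question: because NLA authenticates through CredSSP before the session is created, failed RDP attempts are commonly recorded as 4625 with Logon Type 3 (Network) rather than 10, so the function below keeps both. The function name and the summary at the end are mine; 4625 events only exist if Audit Logon is set to record failures.

```powershell
# Added example (not code from the ISC diary or its commenters). Extract RDP
# logon attempts from the Security log on Windows 7 / Server 2008 R2.
# Requires an elevated prompt (reading Security needs admin). Check the audit
# policy first; without failure auditing there will be no 4625 events:
#   auditpol /get /category:"Logon/Logoff"

function Get-RdpLogonEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 5000
    )
    # Filter by log and event ID server-side; LogonType lives in the event data,
    # so it is pulled from the event XML below (works on PowerShell 2.0).
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $x = [xml]$evt.ToXml()
            $d = @{}
            # <Data Name="IpAddress">1.2.3.4</Data> ... becomes a name -> value table
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            $type = 0
            if ($d['LogonType']) { $type = [int]$d['LogonType'] }
            # 10 = RemoteInteractive (RDP). 4625 with type 3 = NLA/CredSSP failure
            # before the session exists, which is how failed RDP attempts usually
            # appear when only NLA connections are allowed.
            if ($type -eq 10 -or ($evt.Id -eq 4625 -and $type -eq 3)) {
                $result = 'failure'
                if ($evt.Id -eq 4624) { $result = 'success' }
                New-Object PSObject -Property @{
                    Time        = $evt.TimeCreated
                    EventId     = $evt.Id
                    Result      = $result
                    LogonType   = $type
                    User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    SourceIP    = $d['IpAddress']
                    Workstation = $d['WorkstationName']
                }
            }
        }
}

# Per-source summary. Many failures from one IP spread over many usernames is
# the brute-force pattern this diary is about; a Morto-style worm also tries a
# fixed password list against Administrator, so watch that account in particular.
Get-RdpLogonEvents |
    Group-Object SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Failures'; e = { @($_.Group | Where-Object { $_.Result -eq 'failure' }).Count } },
        @{ n = 'Users';    e = { @($_.Group | Select-Object -ExpandProperty User -Unique) -join ',' } } |
    Format-Table -AutoSize
```

The TerminalServices-RemoteConnectionManager operational log mentioned in the question only records that the listener accepted a TCP connection; the username and client address are in the Security log events above, and for NLA failures the IpAddress field is the only place the scanner's address shows up.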
The FREE HoneyPoint tool we released for the original version of Morto continues to help folks identify scanning/infected hosts of this variant as well as other RDP exploit tools. Here is a link to more information:
