Over on the post “Windows Remote Desktop worm “Morto” spreading – F-Secure Weblog : News from the Lab” contains this text:
” <<< Sunday, August 28, 2011 >>> Windows Remote Desktop worm “Morto” spreading Posted by Mikko @ 13:23 GMT | Comments We don’t see that many internet worms these days. It’s mostly just bots and trojans. But we just found a new internet worm, and it’s spreading in the wild.
The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven’t seen before: RDP.
RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.
When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.
Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:
admin password server test user pass letmein 1234qwer 1q2w3e 1qaz2wsx aaa abc123 abcd1234″
