
WORM_MORCUT.A

Posted: August 27, 2012

Threat Metric

Threat Level: 5/10
Infected PCs: 18
First Seen: August 27, 2012
OS(es) Affected: Windows

WORM_MORCUT.A is a variant of the Crisis, or Morcut, worm, a self-propagating PC threat whose feature set focuses largely on stealing confidential information. The latest WORM_MORCUT.A attacks indicate that initial infections are achieved through browser-based Java applets that may be loaded from harmful or compromised websites. SpywareRemove.com malware researchers also stress that WORM_MORCUT.A, unlike most PC threats, has noticeable cross-OS compatibility and is capable of attacking Mac-based OSes, Windows OSes and even Virtual Machine (VM) environments. All variants of Morcut, including WORM_MORCUT.A, should be considered capable of compromising passwords, contact information and other personal data, and it's recommended that you use anti-malware software to uncover and delete all copies of a WORM_MORCUT.A infection.

How WORM_MORCUT.A Gets Around with the Greatest of Ease

WORM_MORCUT.A's initial installation can occur through several means, as noted below:

  • WORM_MORCUT.A may be installed by the hostile Java applet JAVA_AGENT.NTW. Such applets are often hosted on hacked or malicious sites, although SpywareRemove.com malware researchers have also seen cases where other Trojans have loaded malicious applets automatically. Disabling Java by default and keeping strong browser security can help to protect against this method of WORM_MORCUT.A's installation.
  • On an already infected PC, WORM_MORCUT.A may create hidden copies of itself in removable or network-accessible locations. These copies of WORM_MORCUT.A can install themselves on any uninfected computer that accesses the folder or drive; consequently, you should avoid sharing USB devices or local network-shared folders until WORM_MORCUT.A is deleted.

WORM_MORCUT.A is of interest to PC security professionals because it can load in Virtual Machine environments (self-contained 'simulation' operating systems that run inside another OS) and can use VMware virtual disks as an additional vehicle for its own propagation by means of a malicious DLL component, TROJ_MORCUT.A. Since VM environments are often safe from unsophisticated PC threats and many malware authors explicitly avoid allowing their malware to launch in Virtual Machines, WORM_MORCUT.A may very well represent an upgrade in strategy for how criminals deal with VM environments and analysis by PC security companies.

Tackling the Trouble of WORM_MORCUT.A Once It's Already Inside

Other than its ability to infect VMs, WORM_MORCUT.A's functions are relatively typical for PC threats of its type. WORM_MORCUT.A's attacks orient themselves around the goal of stealing personal information through the following methods:

  • Keylogging, which allows WORM_MORCUT.A to record all typed information on your keyboard to a hidden log file. This includes passwords, user account names, etc.
  • Screen grabbing and webcam-monitoring, which let WORM_MORCUT.A take screenshots or even live recordings of your visual display.
  • Stolen address book entries (phone numbers, street addresses, e-mail addresses).
  • Monitored browser activities (which URLs are loaded, the duration of a website visit, etc.). The SpywareRemove.com malware research team emphasizes that PC threats aiming to steal bank account information often use such functions as a means of altering official bank web pages to include unsafe content.

Because WORM_MORCUT.A includes multiple components and can create copies of itself, SpywareRemove.com malware experts discourage attempts to isolate and remove WORM_MORCUT.A individually. Instead, anti-malware software should be used to scan for and delete every component of WORM_MORCUT.A regardless of its location.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



  • win.exe
    Size: 1.04 MB (1043456 bytes)
    MD5: ae8d4770ef02373d7680f160e01e8668
    Detection count: 86
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file
    Last Updated: August 29, 2012
  • file.exe
    Size: 700.38 KB (700389 bytes)
    MD5: cc47dbe9f836127ad9480efde14029fd
    Detection count: 85
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file
    Last Updated: August 29, 2012
  • eiYNz1gd.Cfp
    Mime Type: unknown/Cfp
    Group: Malware file
  • IZsROY7X.-MP
    Mime Type: unknown/-MP
    Group: Malware file
  • t2HBeaM5.OUk
    Mime Type: unknown/OUk
    Group: Malware file
  • 6EaqyFfo.zIK
    Mime Type: unknown/zIK
    Group: Malware file
  • WeP1xpBU.wA
    Mime Type: unknown/wA
    Group: Malware file
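
A defender-side sweep for the files listed above, as an added example that is not from SpywareRemove.com: it walks a folder (for instance a removable drive or shared folder), hashes only files whose size matches a listed sample, and reports MD5 matches as high confidence and bare file-name matches as low confidence. The function names and confidence labels are assumptions of this example; the MD5 values, sizes and file names are the ones on this page.

```python
import hashlib
import os
import sys

# Indicators copied from this page's file list: MD5 -> (file name, size in bytes).
KNOWN_MD5 = {
    "ae8d4770ef02373d7680f160e01e8668": ("win.exe", 1043456),
    "cc47dbe9f836127ad9480efde14029fd": ("file.exe", 700389),
}
KNOWN_SIZES = {size for _name, size in KNOWN_MD5.values()}
# Files the page lists without a hash; a name match alone is a weak signal.
NAME_ONLY = {"eiynz1gd.cfp", "izsroy7x.-mp", "t2hbeam5.ouk",
             "6eaqyffo.zik", "wep1xpbu.wa"}


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root):
    """Return sorted (path, confidence, reason) tuples for files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # includes hidden files
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Size pre-filter: hash only files as large as a listed sample.
                if os.path.getsize(path) in KNOWN_SIZES:
                    digest = md5_of(path)
                    if digest in KNOWN_MD5:
                        # A hash match holds even if the copy was renamed.
                        hits.append((path, "high", "md5 " + digest))
                        continue
            except OSError:
                continue  # unreadable or vanished file: skip it
            if name.lower() in NAME_ONLY:
                hits.append((path, "low", "listed file name"))
    return sorted(hits)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, confidence, reason in sweep(target):
        print(f"{confidence:4}  {reason:40}  {path}")
```

A low-confidence hit means only that a file carries one of the listed names, so treat it as a prompt for a full anti-malware scan rather than as confirmation.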