W32.Mortag


Aliases: Trojan-PSW.Win32.Mortag, Trojan.PSW.Mortag, W32/Mortag.worm, PWS:Win32/Mortag, Worm/Mortag 
Variants: Win32.HLLM.Generic.79, TROJ_MORTAG.A, Win32:Trojan-gen, Win32/Mortag.A 

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 13 Aug 2002
Damage: Low

Characteristics: The W32.Mortag malware is a password-stealing virus written in Microsoft's Visual Basic programming language. Unlike other malware, it can replicate itself. Once it has penetrated a victim machine, it steals passwords, giving its remote master access to and control of personal accounts, etc.

More details about W32.Mortag

When the W32.Mortag virus is launched on an affected computer system, it displays a false error message stating that a required DLL file, Winchess32.dll, is missing. The virus then copies its code to a file with the extension dll.exe and creates a .txt file. It then proceeds to log the user's keystrokes; the TXT file holds all of the information the virus logs. The virus sends this log file to its remote author using its own Simple Mail Transfer Protocol (SMTP) engine. It likewise copies its code to the A:\ drive as a file with the extension html.exe. It then modifies the registry, adding a particular value to a particular registry key so that it runs during Windows startup.
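The dll.exe and html.exe copies described above are double-extension names: the file looks like a library or web page but runs as a program. The following is an added example, not code from the original write-up, that flags such names in a file listing; the function names, the extension sets beyond .dll and .html, and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Final suffixes that Windows executes directly (assumed set).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Inner suffixes that make a file look harmless. ".dll" and ".html" are the
# two the write-up names; the rest are assumptions added for coverage.
DECOY_EXTS = {".dll", ".html", ".htm", ".txt", ".doc", ".pdf", ".jpg"}


def normalize_name(path: str) -> str:
    """Return the lower-cased file name as Windows resolves it.

    Win32 path handling drops trailing dots and spaces, so "a.dll.exe. "
    opens the same file as "a.dll.exe".
    """
    return PureWindowsPath(path).name.rstrip(". ").lower()


def decoy_extension(path: str):
    """Return (decoy, real) suffixes if the name masquerades, else None."""
    suffixes = PureWindowsPath(normalize_name(path)).suffixes
    if len(suffixes) < 2:
        return None
    decoy, real = suffixes[-2], suffixes[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def scan(paths):
    """Map each flagged path to its (decoy, real) suffix pair."""
    return {p: hit for p in paths if (hit := decoy_extension(p))}


# Constructed sample listing; none of these names come from the write-up.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\sample.dll.exe",
    r"A:\Readme.HTML.EXE",
    r"C:\Temp\notes.txt.exe. ",
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
    r"C:\Program Files\App\setup.exe",
    r"C:\Users\u\report.final.pdf",
]

if __name__ == "__main__":
    for path, (decoy, real) in scan(SAMPLE_PATHS).items():
        print(f"{path!r}: looks like {decoy}, runs as {real}")
```
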

The W32.Mortag virus also connects to an IRC server and joins a specific IRC channel, where it waits for commands from other people logged in. These commands are executed either in IRC or on the infected computer. The program can be instructed to join another IRC channel, to start a thread of its own, to stop a certain thread, and to execute specific commands on the system. Running processes may be recorded and reported to a remote server. System information such as CPU speed, free disk space and memory can also be recorded, and Internet information such as the IP address and type of connection is monitored as well.