A new Internet worm has been reported that spreads via Microsoft’s Remote Desk Protocol (RDP). This worm scans an infected host’s subnet for other hosts running RDP and attempts access to them using a pre-configured set of user names (including “administrator”) and passwords. According to Microsoft, this worm can be remotely controlled and updated, such that infected hosts may be ordered to perform denial-of-service attacks or other functions. Because of this, the behavior of the worm may change over time.

Detailed information about the worm, including detection and cleaning, is available here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Morto.A

This threat can be mitigated by following some basic security best practices. First, ensure that you are enforcing strong password choice on your user accounts.

Second, ensure that you are restricting inbound RDP (TCP 3389) to only those source IP addresses from which legitimate RDP sessions should originate.

Microsoft guidance on creating strong passwords can be found here: http://technet.microsoft.com/en-us/library/cc736605%28WS.10%


And remember to be safe, be smart, and be secure.