With the release of the "Morto" worm last month [1], more attention is being paid to malware scanning for RDP . Today, we had a reader report a possible new version of the Win32/Morto RDP brute forcing worm. The worm was not detected by Anti-Virus, and does not appear to use c:Windows\temp\scvhosts.exe like Morto did. The network traffic appears to be similar to Morto in that it makes many connections from the same source port to the RDP port *3389/tcp. So far, the user was not able to identify the process opening the connections.

Please let us know if you find similar scans and if you are able to identify the process/malware causing it.

[1] http://isc.sans.edu/diary.html?storyid=11470

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter