w32.spamuzle / marioforever.exe problem - The network BIOS session limit was suceeded.

Good morning,

I'm hoping you experts can shed some light on this very dark situation. Yesterday, we had some sort of virus breakout on our network. It appears to be the w32.spamuzle aka marioforever.exe trojan. Unfortunately I still haven't pin-pointed where it came from. I'm having a hard time removing it. It appears to be on most of my server's shared network drives. I have done extensive scanning on my 3 servers. I have been using Clamwin and McAfee's House Call online scanner and it hasn't found anything on the individual servers. I haven't gotten a chance to scan every individual machine because it's during business hours. I will be doing individual machines this evening when everyone goes home.

I really only seem to be having 1 problem at this time. It seems completely random, no rhyme or reason but a User will be unable to access network resources; shared drive, my documents, etc. They get the following error message. "The network BIOS session limit was exceeded."

If I reboot the client machine that's having problems it will temporarily resolve said problem.

I'm at my end and I'm looking for suggestions. I greatly appreciate your time.
BxiieAsked:
Who is Participating?
 
clearacidConnect With a Mentor Commented:
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your windows security log for object create (that'll let you see who is creating files on that share.....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that i had basically replicates through smb shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application everytime you click on the network share drive (just like a cdrom autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied to file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
 
BxiieAuthor Commented:
Perhaps a procedure on how I should be going about this would be greatly appreciated as well. I was planning on doing a virus scan / spyware scan on each of the client workstations in safe mode while the network interface card is disabled to see if I can find the source.
0
 
alikaz3Commented:
You have a good procedure there, that's what I'd do. Here's some helpful tips:
http://www.bleepingcomputer.com/forums/topic1628.html

I'd install/update/scan with Malwarebytes too www.malwarebytes.org
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
BxiieAuthor Commented:
Just an update on my end. I've mentioned that restarting the computer seems to be a temporary fix for this. Instead of rebooting I have found that if you renew the IP address thru a command prompt it will also resolve the problem temporarily.
0
 
alikaz3Commented:
SYMPTOMS
After you install Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 Server, you may receive the following error message:
The network BIOS command limit has been reached.

Back to the top
CAUSE
This issue may occur if the following conditions are true:
"      This issue may occur if the client computer submits simultaneous, long-term requests against a file server that uses the Server Message Block (SMB) protocol. An example of a long-term request is when a client computer uses the FindFirstChangeNotification function to monitor a server share for changes.
"      This issue may occur if the MaxCmds registry value setting on the client is less than 50, or the MaxMpxCt registry value setting on the server is less than 50.

Note The MaxMpxCt registry value setting may have a different name on other SMB/CIFS implementations. The Common Internet File System (CIFS) specification refers to it as MaxMpxCount.


I'd say malware is probing/copying/reading your file shares. Even though rebooting makes the error go away, your systems are definitely compromised. I'd disconnect them all ASAP and get your malware procedures going soon. It's Friday so you'll have all weekend to take care of it :D
0
 
BxiieAuthor Commented:
Update - marioforever.exe is constantly being copied to multiple network shares. Does anyone have any suggestion on trying to pin point what machine is doing this?

0
 
alikaz3Commented:
It's tough, can you bring up the task manager and click the networking tab on each computer? Let them sit at idle and see if any of them have spikes.
0
 
BxiieAuthor Commented:
clearacid,

How do I open the logs for object create?
0
 
clearacidCommented:
These links can help you out with that:

http://technet.microsoft.com/en-us/library/cc757864.aspx

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

In the computer performance link - it says you can view what's being deleted and who did it - but you can also see object creations under the security log as well.

Just make sure you set the log retention to a good size file and to overwrite as needed.  Then check the log frequently when you notice any possible problems.
0
 
alikaz3Commented:
Very good call clearacid, I wasn't aware of that log function.
0
 
BxiieAuthor Commented:
Thanks Clearacid. I was able to neutralize this virus by removing the "Everyone" permission from my shares. Thank you for your throughout explanation.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.