Solved

w32.spamuzle / marioforever.exe problem - The network BIOS session limit was suceeded.

Posted on 2008-10-17
11
4,355 Views
Last Modified: 2013-11-22
Good morning,

I'm hoping you experts can shed some light on this very dark situation. Yesterday, we had some sort of virus breakout on our network. It appears to be the w32.spamuzle aka marioforever.exe trojan. Unfortunately I still haven't pin-pointed where it came from. I'm having a hard time removing it. It appears to be on most of my server's shared network drives. I have done extensive scanning on my 3 servers. I have been using Clamwin and McAfee's House Call online scanner and it hasn't found anything on the individual servers. I haven't gotten a chance to scan every individual machine because it's during business hours. I will be doing individual machines this evening when everyone goes home.

I really only seem to be having 1 problem at this time. It seems completely random, no rhyme or reason but a User will be unable to access network resources; shared drive, my documents, etc. They get the following error message. "The network BIOS session limit was exceeded."

If I reboot the client machine that's having problems it will temporarily resolve said problem.

I'm at my end and I'm looking for suggestions. I greatly appreciate your time.
0
Comment
Question by:Bxiie
  • 5
  • 4
  • 2
11 Comments
 

Author Comment

by:Bxiie
ID: 22741814
Perhaps a procedure on how I should be going about this would be greatly appreciated as well. I was planning on doing a virus scan / spyware scan on each of the client workstations in safe mode while the network interface card is disabled to see if I can find the source.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22741846
You have a good procedure there, that's what I'd do. Here's some helpful tips:
http://www.bleepingcomputer.com/forums/topic1628.html

I'd install/update/scan with Malwarebytes too www.malwarebytes.org
0
 

Author Comment

by:Bxiie
ID: 22742202
Just an update on my end. I've mentioned that restarting the computer seems to be a temporary fix for this. Instead of rebooting I have found that if you renew the IP address thru a command prompt it will also resolve the problem temporarily.
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 12

Expert Comment

by:alikaz3
ID: 22742289
SYMPTOMS
After you install Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 Server, you may receive the following error message:
The network BIOS command limit has been reached.

Back to the top
CAUSE
This issue may occur if the following conditions are true:
"      This issue may occur if the client computer submits simultaneous, long-term requests against a file server that uses the Server Message Block (SMB) protocol. An example of a long-term request is when a client computer uses the FindFirstChangeNotification function to monitor a server share for changes.
"      This issue may occur if the MaxCmds registry value setting on the client is less than 50, or the MaxMpxCt registry value setting on the server is less than 50.

Note The MaxMpxCt registry value setting may have a different name on other SMB/CIFS implementations. The Common Internet File System (CIFS) specification refers to it as MaxMpxCount.


I'd say malware is probing/copying/reading your file shares. Even though rebooting makes the error go away, your systems are definitely compromised. I'd disconnect them all ASAP and get your malware procedures going soon. It's Friday so you'll have all weekend to take care of it :D
0
 

Author Comment

by:Bxiie
ID: 22744526
Update - marioforever.exe is constantly being copied to multiple network shares. Does anyone have any suggestion on trying to pin point what machine is doing this?

0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22744684
It's tough, can you bring up the task manager and click the networking tab on each computer? Let them sit at idle and see if any of them have spikes.
0
 
LVL 6

Accepted Solution

by:
clearacid earned 500 total points
ID: 22746539
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your windows security log for object create (that'll let you see who is creating files on that share.....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that i had basically replicates through smb shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application everytime you click on the network share drive (just like a cdrom autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied to file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
 

Author Comment

by:Bxiie
ID: 22753569
clearacid,

How do I open the logs for object create?
0
 
LVL 6

Expert Comment

by:clearacid
ID: 22754871
These links can help you out with that:

http://technet.microsoft.com/en-us/library/cc757864.aspx

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

In the computer performance link - it says you can view what's being deleted and who did it - but you can also see object creations under the security log as well.

Just make sure you set the log retention to a good size file and to overwrite as needed.  Then check the log frequently when you notice any possible problems.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22758314
Very good call clearacid, I wasn't aware of that log function.
0
 

Author Closing Comment

by:Bxiie
ID: 31507168
Thanks Clearacid. I was able to neutralize this virus by removing the "Everyone" permission from my shares. Thank you for your throughout explanation.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sonicwall one way trust 2 38
exclude a user from a deny permisssion 4 56
BGP recommended setup with failover 2 45
software inventory tools 3 33
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question