Solved

w32.spamuzle / marioforever.exe problem - The network BIOS session limit was exceeded.

Posted on 2008-10-17
11
Medium Priority
4,360 Views
Last Modified: 2013-11-22
Good morning,

I'm hoping you experts can shed some light on this very dark situation. Yesterday, we had some sort of virus breakout on our network. It appears to be the w32.spamuzle aka marioforever.exe trojan. Unfortunately I still haven't pinpointed where it came from. I'm having a hard time removing it. It appears to be on most of my servers' shared network drives. I have done extensive scanning on my 3 servers. I have been using Clamwin and McAfee's House Call online scanner and it hasn't found anything on the individual servers. I haven't gotten a chance to scan every individual machine because it's during business hours. I will be doing individual machines this evening when everyone goes home.

I really only seem to be having 1 problem at this time. It seems completely random, no rhyme or reason, but a user will be unable to access network resources: shared drive, My Documents, etc. They get the following error message: "The network BIOS session limit was exceeded."

If I reboot the client machine that's having problems it will temporarily resolve said problem.

I'm at my end and I'm looking for suggestions. I greatly appreciate your time.
Question by:Bxiie
11 Comments
 

Author Comment

by:Bxiie
ID: 22741814
Perhaps a procedure on how I should be going about this would be greatly appreciated as well. I was planning on doing a virus scan / spyware scan on each of the client workstations in safe mode while the network interface card is disabled to see if I can find the source.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22741846
You have a good procedure there, that's what I'd do. Here are some helpful tips:
http://www.bleepingcomputer.com/forums/topic1628.html

I'd install/update/scan with Malwarebytes too www.malwarebytes.org
0
 

Author Comment

by:Bxiie
ID: 22742202
Just an update on my end. I've mentioned that restarting the computer seems to be a temporary fix for this. Instead of rebooting I have found that if you renew the IP address thru a command prompt it will also resolve the problem temporarily.
0

 
LVL 12

Expert Comment

by:alikaz3
ID: 22742289
SYMPTOMS
After you install Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 Server, you may receive the following error message:
The network BIOS command limit has been reached.

CAUSE
This issue may occur if the following conditions are true:
  • This issue may occur if the client computer submits simultaneous, long-term requests against a file server that uses the Server Message Block (SMB) protocol. An example of a long-term request is when a client computer uses the FindFirstChangeNotification function to monitor a server share for changes.
  • This issue may occur if the MaxCmds registry value setting on the client is less than 50, or the MaxMpxCt registry value setting on the server is less than 50.

Note: The MaxMpxCt registry value setting may have a different name on other SMB/CIFS implementations. The Common Internet File System (CIFS) specification refers to it as MaxMpxCount.


I'd say malware is probing/copying/reading your file shares. Even though rebooting makes the error go away, your systems are definitely compromised. I'd disconnect them all ASAP and get your malware procedures going soon. It's Friday so you'll have all weekend to take care of it :D
0
 

Author Comment

by:Bxiie
ID: 22744526
Update - marioforever.exe is constantly being copied to multiple network shares. Does anyone have any suggestions on trying to pinpoint what machine is doing this?

0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22744684
It's tough, can you bring up the task manager and click the networking tab on each computer? Let them sit at idle and see if any of them have spikes.
0
 
LVL 6

Accepted Solution

by:
clearacid earned 2000 total points
ID: 22746539
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your Windows security log for object create (that'll let you see who is creating files on that share).....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that I had basically replicates through smb shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application every time you click on the network share drive (just like a cdrom autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied the file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
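The owner check described in the accepted solution can be run across every share at once instead of clicking through Explorer. The following PowerShell is an added example, not part of the original thread; the share paths are placeholders and the function name is hypothetical.

```powershell
# Added example: list hidden autorun.inf / marioforever.exe copies on file
# shares and report the owner of each one.
$shares  = @('\\FILESERVER01\Shared', '\\FILESERVER01\Users')  # placeholder paths
$targets = @('autorun.inf', 'marioforever.exe')                # file names from this thread

function Get-DroppedFileOwner {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $Name
    )
    foreach ($root in $Path) {
        # -Force returns hidden and system files, which Explorer hides by default
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Name -contains $_.Name } |
            ForEach-Object {
                $file  = $_
                $owner = try {
                    (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner
                } catch {
                    'unreadable ACL'
                }
                [pscustomobject]@{
                    Owner      = $owner
                    Created    = $file.CreationTime
                    Attributes = $file.Attributes
                    File       = $file.FullName
                }
            }
    }
}

$hits = Get-DroppedFileOwner -Path $shares -Name $targets

# Oldest copies first: the earliest creation time points at where the spread began
$hits | Sort-Object Created | Format-Table -AutoSize

# Count of dropped files per owning account
$hits | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name
```

The owner is a user account, not a machine name, and files written by a member of the Administrators group can show the group as owner, in which case the security log is needed to name the account.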
 

Author Comment

by:Bxiie
ID: 22753569
clearacid,

How do I open the logs for object create?
0
 
LVL 6

Expert Comment

by:clearacid
ID: 22754871
These links can help you out with that:

http://technet.microsoft.com/en-us/library/cc757864.aspx

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

In the computer performance link - it says you can view what's being deleted and who did it - but you can also see object creations under the security log as well.

Just make sure you set the log retention to a good size file and to overwrite as needed.  Then check the log frequently when you notice any possible problems.
0
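Once object-access auditing is enabled as the links above describe, the Security log on the file server can be filtered for writes of the dropped file names. This PowerShell is an added example, not part of the original thread; it assumes a current Windows version where file access is logged as event ID 4663, and the function name and look-back window are hypothetical.

```powershell
# Added example. Run elevated on the file server.
# Assumes object-access auditing is enabled and the shared folders carry an
# audit entry for "Create files / write data". Event ID 4663 is what current
# Windows versions log for such access; older servers use other IDs.
$names = @('autorun.inf', 'marioforever.exe')   # file names from this thread
$since = (Get-Date).AddDays(-1)                 # look-back window (assumption)

function Get-FileWriteEvent {
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [Parameter(Mandatory)] [datetime] $After
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $After }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # Named fields are in the event XML: <Data Name="ObjectName">...</Data>
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $leaf = ([string]$data['ObjectName'] -split '\\')[-1]
        $mask = 0
        if ($data['AccessMask']) { $mask = [Convert]::ToInt32([string]$data['AccessMask'], 16) }

        # 0x2 = write data / add file, 0x4 = append data
        if (($Name -contains $leaf) -and ($mask -band 0x6)) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                File    = $data['ObjectName']
            }
        }
    }
}

$writes = Get-FileWriteEvent -Name $names -After $since
$writes | Sort-Object Time | Format-Table -AutoSize

# Accounts ranked by number of writes of the dropped files
$writes | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name
```

Event 4663 names the account that wrote the file; where detailed file share auditing is available, event 5145 additionally records the client address of the machine that made the request.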
 
LVL 12

Expert Comment

by:alikaz3
ID: 22758314
Very good call clearacid, I wasn't aware of that log function.
0
 

Author Closing Comment

by:Bxiie
ID: 31507168
Thanks Clearacid. I was able to neutralize this virus by removing the "Everyone" permission from my shares. Thank you for your thorough explanation.
0


Question has a verified solution.
