Solved

w32.spamuzle / marioforever.exe problem - The network BIOS session limit was suceeded.

Posted on 2008-10-17
11
4,354 Views
Last Modified: 2013-11-22
Good morning,

I'm hoping you experts can shed some light on this very dark situation. Yesterday, we had some sort of virus breakout on our network. It appears to be the w32.spamuzle aka marioforever.exe trojan. Unfortunately I still haven't pin-pointed where it came from. I'm having a hard time removing it. It appears to be on most of my server's shared network drives. I have done extensive scanning on my 3 servers. I have been using Clamwin and McAfee's House Call online scanner and it hasn't found anything on the individual servers. I haven't gotten a chance to scan every individual machine because it's during business hours. I will be doing individual machines this evening when everyone goes home.

I really only seem to be having 1 problem at this time. It seems completely random, no rhyme or reason but a User will be unable to access network resources; shared drive, my documents, etc. They get the following error message. "The network BIOS session limit was exceeded."

If I reboot the client machine that's having problems it will temporarily resolve said problem.

I'm at my end and I'm looking for suggestions. I greatly appreciate your time.
0
Comment
Question by:Bxiie
  • 5
  • 4
  • 2
11 Comments
 

Author Comment

by:Bxiie
ID: 22741814
Perhaps a procedure on how I should be going about this would be greatly appreciated as well. I was planning on doing a virus scan / spyware scan on each of the client workstations in safe mode while the network interface card is disabled to see if I can find the source.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22741846
You have a good procedure there, that's what I'd do. Here's some helpful tips:
http://www.bleepingcomputer.com/forums/topic1628.html

I'd install/update/scan with Malwarebytes too www.malwarebytes.org
0
 

Author Comment

by:Bxiie
ID: 22742202
Just an update on my end. I've mentioned that restarting the computer seems to be a temporary fix for this. Instead of rebooting I have found that if you renew the IP address thru a command prompt it will also resolve the problem temporarily.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 12

Expert Comment

by:alikaz3
ID: 22742289
SYMPTOMS
After you install Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 Server, you may receive the following error message:
The network BIOS command limit has been reached.

Back to the top
CAUSE
This issue may occur if the following conditions are true:
"      This issue may occur if the client computer submits simultaneous, long-term requests against a file server that uses the Server Message Block (SMB) protocol. An example of a long-term request is when a client computer uses the FindFirstChangeNotification function to monitor a server share for changes.
"      This issue may occur if the MaxCmds registry value setting on the client is less than 50, or the MaxMpxCt registry value setting on the server is less than 50.

Note The MaxMpxCt registry value setting may have a different name on other SMB/CIFS implementations. The Common Internet File System (CIFS) specification refers to it as MaxMpxCount.


I'd say malware is probing/copying/reading your file shares. Even though rebooting makes the error go away, your systems are definitely compromised. I'd disconnect them all ASAP and get your malware procedures going soon. It's Friday so you'll have all weekend to take care of it :D
0
 

Author Comment

by:Bxiie
ID: 22744526
Update - marioforever.exe is constantly being copied to multiple network shares. Does anyone have any suggestion on trying to pin point what machine is doing this?

0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22744684
It's tough, can you bring up the task manager and click the networking tab on each computer? Let them sit at idle and see if any of them have spikes.
0
 
LVL 6

Accepted Solution

by:
clearacid earned 500 total points
ID: 22746539
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your windows security log for object create (that'll let you see who is creating files on that share.....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that i had basically replicates through smb shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application everytime you click on the network share drive (just like a cdrom autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied to file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
 

Author Comment

by:Bxiie
ID: 22753569
clearacid,

How do I open the logs for object create?
0
 
LVL 6

Expert Comment

by:clearacid
ID: 22754871
These links can help you out with that:

http://technet.microsoft.com/en-us/library/cc757864.aspx

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

In the computer performance link - it says you can view what's being deleted and who did it - but you can also see object creations under the security log as well.

Just make sure you set the log retention to a good size file and to overwrite as needed.  Then check the log frequently when you notice any possible problems.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22758314
Very good call clearacid, I wasn't aware of that log function.
0
 

Author Closing Comment

by:Bxiie
ID: 31507168
Thanks Clearacid. I was able to neutralize this virus by removing the "Everyone" permission from my shares. Thank you for your throughout explanation.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now