Solved

w32.spamuzle / marioforever.exe problem - The network BIOS session limit was suceeded.

Posted on 2008-10-17
11
4,351 Views
Last Modified: 2013-11-22
Good morning,

I'm hoping you experts can shed some light on this very dark situation. Yesterday, we had some sort of virus breakout on our network. It appears to be the w32.spamuzle aka marioforever.exe trojan. Unfortunately I still haven't pin-pointed where it came from. I'm having a hard time removing it. It appears to be on most of my server's shared network drives. I have done extensive scanning on my 3 servers. I have been using Clamwin and McAfee's House Call online scanner and it hasn't found anything on the individual servers. I haven't gotten a chance to scan every individual machine because it's during business hours. I will be doing individual machines this evening when everyone goes home.

I really only seem to be having 1 problem at this time. It seems completely random, no rhyme or reason but a User will be unable to access network resources; shared drive, my documents, etc. They get the following error message. "The network BIOS session limit was exceeded."

If I reboot the client machine that's having problems it will temporarily resolve said problem.

I'm at my end and I'm looking for suggestions. I greatly appreciate your time.
0
Comment
Question by:Bxiie
  • 5
  • 4
  • 2
11 Comments
 

Author Comment

by:Bxiie
ID: 22741814
Perhaps a procedure on how I should be going about this would be greatly appreciated as well. I was planning on doing a virus scan / spyware scan on each of the client workstations in safe mode while the network interface card is disabled to see if I can find the source.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22741846
You have a good procedure there, that's what I'd do. Here's some helpful tips:
http://www.bleepingcomputer.com/forums/topic1628.html

I'd install/update/scan with Malwarebytes too www.malwarebytes.org
0
 

Author Comment

by:Bxiie
ID: 22742202
Just an update on my end. I've mentioned that restarting the computer seems to be a temporary fix for this. Instead of rebooting I have found that if you renew the IP address thru a command prompt it will also resolve the problem temporarily.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22742289
SYMPTOMS
After you install Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 Server, you may receive the following error message:
The network BIOS command limit has been reached.

Back to the top
CAUSE
This issue may occur if the following conditions are true:
"      This issue may occur if the client computer submits simultaneous, long-term requests against a file server that uses the Server Message Block (SMB) protocol. An example of a long-term request is when a client computer uses the FindFirstChangeNotification function to monitor a server share for changes.
"      This issue may occur if the MaxCmds registry value setting on the client is less than 50, or the MaxMpxCt registry value setting on the server is less than 50.

Note The MaxMpxCt registry value setting may have a different name on other SMB/CIFS implementations. The Common Internet File System (CIFS) specification refers to it as MaxMpxCount.


I'd say malware is probing/copying/reading your file shares. Even though rebooting makes the error go away, your systems are definitely compromised. I'd disconnect them all ASAP and get your malware procedures going soon. It's Friday so you'll have all weekend to take care of it :D
0
 

Author Comment

by:Bxiie
ID: 22744526
Update - marioforever.exe is constantly being copied to multiple network shares. Does anyone have any suggestion on trying to pin point what machine is doing this?

0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 12

Expert Comment

by:alikaz3
ID: 22744684
It's tough, can you bring up the task manager and click the networking tab on each computer? Let them sit at idle and see if any of them have spikes.
0
 
LVL 6

Accepted Solution

by:
clearacid earned 500 total points
ID: 22746539
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your windows security log for object create (that'll let you see who is creating files on that share.....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that i had basically replicates through smb shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application everytime you click on the network share drive (just like a cdrom autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied to file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
 

Author Comment

by:Bxiie
ID: 22753569
clearacid,

How do I open the logs for object create?
0
 
LVL 6

Expert Comment

by:clearacid
ID: 22754871
These links can help you out with that:

http://technet.microsoft.com/en-us/library/cc757864.aspx

http://www.computerperformance.co.uk/w2k3/gp/group_policy_security_audit.htm

In the computer performance link - it says you can view what's being deleted and who did it - but you can also see object creations under the security log as well.

Just make sure you set the log retention to a good size file and to overwrite as needed.  Then check the log frequently when you notice any possible problems.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22758314
Very good call clearacid, I wasn't aware of that log function.
0
 

Author Closing Comment

by:Bxiie
ID: 31507168
Thanks Clearacid. I was able to neutralize this virus by removing the "Everyone" permission from my shares. Thank you for your throughout explanation.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
LAN or WAN ? 11 63
IPhone using PC internet 17 45
NSD FAIL 2 24
Sophos EC migration to Cloud. 1 46
Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now