• Status: Solved

I have a virus infestation on my entire network with a file name of Mario forever.

It is spreading to all machines, servers and even DCs... Trend is detecting infections and fixing most by renaming them, but there are others it is unable to clean or rename. I am guessing this is why it continues to spread.
I have contacted Trend and they are supposed to get me a bandage, but I think they are closed for the weekend because their support no longer answers the phone. Is there any way to contain the virus and keep it from continuing to jump all over the network?
1 Solution
Remove Administrative privilege from their respective stations from all the network users.
Uninstall any toolbars through add/remove programs
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your Windows security log for object create (that'll let you see who is creating files on that share).....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that I had basically replicates through SMB shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application every time you click on the network share drive (just like a CD-ROM autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied the file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me
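
The manual check described in the answer above (unhide hidden and system files on each share, look for autorun.inf, read its owner) can be scripted. This is an added example, not part of the original answer; the share paths are placeholders and the function name `Find-SuspectShareFile` is hypothetical. It matches by file name only, using the names mentioned in this thread.

```powershell
# Added example: sweep shares for the file names from this thread and report owners.
# The share paths are placeholders (assumptions); replace them with your own.
$Shares = @('\\FILESRV01\Public', '\\FILESRV01\Scans')

# Names taken from the thread; matching is by name only, not by file content.
$SuspectNames = @('autorun.inf', 'marioforever.exe', 'cls.exe')

function Find-SuspectShareFile {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $Name
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Cannot reach $root"
            continue
        }
        # -Force includes hidden and system files, which Explorer hides by default.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Name -contains $_.Name } |   # -contains is case-insensitive
            ForEach-Object {
                $file  = $_
                $owner = try { (Get-Acl -LiteralPath $file.FullName).Owner } catch { 'unreadable' }
                # For autorun.inf, record which program it is set to launch.
                $launch = $null
                if ($file.Name -ieq 'autorun.inf') {
                    $launch = (Select-String -LiteralPath $file.FullName -Pattern '^\s*(open|shellexecute)\s*=' |
                        ForEach-Object { $_.Line.Trim() }) -join '; '
                }
                [pscustomobject]@{
                    Path       = $file.FullName
                    Owner      = $owner
                    CreatedUtc = $file.CreationTimeUtc
                    Attributes = $file.Attributes
                    Launches   = $launch
                }
            }
    }
}

# Oldest files first: the earliest copies are the best lead on where the spread started.
Find-SuspectShareFile -Path $Shares -Name $SuspectNames |
    Sort-Object CreatedUtc |
    Export-Csv -Path .\suspect-share-files.csv -NoTypeInformation
```

If the account that wrote the file is an administrator on the server, the owner may show as the Administrators group rather than the individual account, so cross-check against the security log.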

davidilightAuthor Commented:
Thanks clearacid, this looks like something that might be of great help.

I can locate all the mario forever files but I can not find any autorun.inf files. Would the autorun.inf be in the same share as the marioforever file?
What are the symptoms you are facing?

Printing garbage to printers?  Attaching itself to executables?  Etc.?

Also, the mario forever virus is called by different names: W32.MarioFev.A, W32.Spamuzle.D, etc.

Here's a link from Symantec on how to remove it.....  What I did was create a batch file to remove the registry keys it adds (as suggested by Symantec) and dump it in a group policy as a startup script in AD.

That seemed to be very effective in removing the virus.

davidilightAuthor Commented:
Trend is picking up a number of mario forever infections all over the network on servers and PCs.  Also seeing cls.exe infections. Trend is catching it and quarantining it.
Windows security log for object create is enabled on our shares but I can not figure out how to view these logs.
Also I can not seem to find any autorun files on any of the shares.
I will try getting these reg fixes out to all the machines.

Do you know how I would find out where this infection originated from?
Also have an infection of cls.exe. I thought these were the same but it looks like maybe not.

Thanks for all your help clear acid. If you think of anything else please share, thanks. I will let you know what I find.

Thanks again.


Could you post the contents of your batch file?  I'd like to look it over as I am facing the same issue.

I have the Marioforever virus and I have tried everything to get it out of our servers.  I have run Kaspersky and it seemed to pick it up but the marioforever.exe file just seems to recreate itself.  I have scanned the servers in safe mode and that seemed to work for a while, although after a day the virus was back.  If someone has a cure for this PLEASE HELP.
