Solved

I have a virus infestation on my entire network with a file name of Mario forever.

Posted on 2008-10-18
Last Modified: 2013-11-22
It is spreading to all machines, servers and even DCs... Trend is detecting infections and fixing most by renaming them, but there are others it is unable to clean or rename; I am guessing this is why it continues to spread.
I have contacted Trend and they are supposed to get me a bandage, but I think they are closed for the weekend because their support no longer answers the phone. Is there any way to contain the virus and keep it from continuing to jump all over the network?
Question by:davidilight
7 Comments
 
LVL 5

Expert Comment

by:Basheerpt
ID: 22749662
Remove administrative privilege from their respective stations for all the network users.
Uninstall any toolbars through Add/Remove Programs.
 
LVL 6

Expert Comment

by:clearacid
ID: 22749900
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with Everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - turn up your Windows security log for object create (that'll let you see who is creating files on that share).....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that I had basically replicates through SMB shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application every time you click on the network share drive (just like a CD-ROM autorun).

To check to see if the autorun.inf file is there - click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on Properties of the autorun.inf and check to see who the owner is - the owner is the one who copied the file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
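The two checks clearacid describes (list hidden autorun.inf / marioforever.exe on the shares and read each file's owner, then read the object-access audit events to see which account created them) can be scripted. This is an added example, not code from the thread; the UNC share paths are placeholders, object-access auditing is assumed to be enabled with a SACL on the share folders, and Get-WinEvent requires PowerShell 2.0 on Vista/Server 2008 or later.

```powershell
# Added example (not from the thread): find hidden autorun.inf / marioforever.exe on
# shares and report the file owner, then pull file-create audit events for the same names.
$Shares = @('\\FILESERVER\public', '\\FILESERVER\software')   # placeholder UNC paths
$Names  = @('autorun.inf', 'marioforever.exe')

function Find-SuspectFiles {
    param([string[]]$Roots, [string[]]$FileNames)
    foreach ($root in $Roots) {
        # -Force lists hidden and system files, which Explorer hides by default
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $FileNames -contains $_.Name.ToLower() } |
            ForEach-Object {
                $acl = Get-Acl -Path $_.FullName
                [pscustomobject]@{
                    Path       = $_.FullName
                    Owner      = $acl.Owner          # account that copied the file onto the share
                    Attributes = $_.Attributes       # expect Hidden, System on the dropped files
                    Created    = $_.CreationTime
                }
            }
    }
}

function Get-FileCreateAudits {
    param([string]$NamePattern, [int]$MaxEvents = 500)
    # Event 4663 ("An attempt was made to access an object") is written when Audit Object
    # Access is on and the folder carries a SACL; it names the account and the object path.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $NamePattern } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object   = $d['ObjectName']
                Accesses = $d['AccessMask']          # e.g. 0x2 = WriteData/AddFile
            }
        }
}

Find-SuspectFiles -Roots $Shares -FileNames $Names | Format-Table -AutoSize
Get-FileCreateAudits -NamePattern 'autorun\.inf|marioforever\.exe' | Format-Table -AutoSize
```

Run it on the file server itself so the Security log queried is the one holding the share audits; the owner and the audited account should point at the same workstation user.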
 

Author Comment

by:davidilight
ID: 22750166
Thanks clearacid, this looks like something that might be of great help.

I can locate all the mario forever files but I cannot find any autorun.inf files. Would the autorun.inf be in the same share as the marioforever file?

 
LVL 6

Accepted Solution

by:
clearacid earned 500 total points
ID: 22750435
What are the symptoms you are facing?

Printing garbage to printers?  Attaching itself to executables?  etc.?

Also, the mario forever virus is called by different names: W32.MarioFev.A, W32.Spamuzle.D, etc.

Here's a link from Symantec on how to remove it.....  What I did was create a batch file to remove the registry keys it adds (as suggested by Symantec) and dump it in a group policy as a startup script in AD.

That seemed to be very effective in removing the virus.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-050915-4639-99&tabid=2
 

Author Comment

by:davidilight
ID: 22759583
Trend is picking up a number of mario forever infections all over the network on servers and PCs.  Also seeing cls.exe infections. Trend is catching it and quarantining it.
The Windows security log for object create is enabled on our shares but I cannot figure out how to view these logs.
Also I cannot seem to find any autorun files on any of the shares.
I will try getting these reg fixes out to all the machines.

Do you know how I would find out where this infection originated from?
Also have an infection of cls.exe; I thought these were the same but it looks like maybe not.

Thanks for all your help clearacid; if you think of anything else please share. I will let you know what I find.

Thanks again.
 

Expert Comment

by:schnarkle
ID: 22919256
ClearAcid,

Could you post the contents of your batch file?  I'd like to look it over as I am facing the same issue.

thanks,
Doug
 

Expert Comment

by:bbroussardexpert
ID: 22981246
I have the Marioforever virus and I have tried everything to get it out of our servers.  I have run Kaspersky and it seemed to pick it up, but the marioforever.exe file just seems to recreate itself.  I have scanned the servers in safe mode and that seemed to work for a while, although after a day the virus was back.  If someone has a cure for this PLEASE HELP.