Solved

I have a virus infestation on my entire network with a file name of Mario forever.

Posted on 2008-10-18
Last Modified: 2013-11-22
It is spreading to all machines, servers and even DCs... Trend is detecting the infections and fixing most by renaming them, but there are others it is unable to clean or rename; I am guessing this is why it continues to spread.
I have contacted Trend and they are supposed to get me a bandage, but I think they are closed for the weekend because their support no longer answers the phone. Is there any way to contain the virus and keep it from continuing to jump all over the network?
0
Question by:davidilight
7 Comments
 
LVL 5

Expert Comment

by:Basheerpt
ID: 22749662
Remove administrative privileges on their respective stations from all the network users.
Uninstall any toolbars through Add/Remove Programs.
0
 
LVL 6

Expert Comment

by:clearacid
ID: 22749900
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with Everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your Windows security log for object create (that'll let you see who is creating files on that share).....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that I had basically replicates through SMB shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application every time you click on the network share drive (just like a CD-ROM autorun).

To check to see if the autorun.inf file is there - click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied the file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
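The share check described in the comment above, as an added example that is not part of the original thread: it walks a list of shares, finds hidden or system copies of the file names mentioned here, and reports each file's owner, creation time and any autorun launch lines. It assumes PowerShell 3.0 or later; the share paths are placeholders and the function name `Find-ShareDroppedFile` is hypothetical.

```powershell
# Added example: the share paths are placeholders, replace them with your own.
$Shares = @('\\FILESERVER01\Public', '\\FILESERVER01\Scans')
# File names mentioned in this thread.
$Names  = @('autorun.inf', 'marioforever.exe')

function Find-ShareDroppedFile {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $Name
    )
    foreach ($root in $Path) {
        # -Force includes hidden and system files, which Explorer hides by default.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Name -contains $_.Name } |
            ForEach-Object {
                $file  = $_
                # The NTFS owner is normally the account that created the file.
                $owner = try { (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner }
                         catch { 'unreadable' }
                # For autorun.inf, keep only the lines that name a program to launch.
                $launch = $null
                if ($file.Name -ieq 'autorun.inf') {
                    $launch = (Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue |
                        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.+\\command)\s*=' }) -join '; '
                }
                [pscustomobject]@{
                    Path        = $file.FullName
                    Owner       = $owner
                    CreatedUtc  = $file.CreationTimeUtc
                    Attributes  = $file.Attributes
                    LaunchLines = $launch
                }
            }
    }
}

# Oldest first: the earliest copies are the best lead on where the spread started.
Find-ShareDroppedFile -Path $Shares -Name $Names |
    Sort-Object CreatedUtc |
    Format-Table -AutoSize -Wrap
```

An owner of `BUILTIN\Administrators` identifies only that the writing account had administrator rights, so pair the result with the security log for a specific user.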
 

Author Comment

by:davidilight
ID: 22750166
Thanks clearacid, this looks like something that might be of great help.

I can locate all the mario forever files but I cannot find any autorun.inf files. Would the autorun.inf be in the same share as the marioforever file?
0
 
LVL 6

Accepted Solution

by:
clearacid earned 500 total points
ID: 22750435
What are the symptoms you are facing?

Printing garbage to printers?  Attaching itself to executables?  Etc.?

Also, the mario forever virus is called by different names: W32.MarioFev.A, W32.Spamuzle.D, etc.

Here's a link from Symantec on how to remove it.....  What I did was create a batch file to remove the registry keys it adds (as suggested by Symantec) and dump it in a group policy as a startup script in AD.

That seemed to be very effective in removing the virus.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-050915-4639-99&tabid=2
0
 

Author Comment

by:davidilight
ID: 22759583
Trend is picking up a number of mario forever infections all over the network on servers and PCs.  Also seeing cls.exe infections. Trend is catching it and quarantining it.
Windows security log for object create is enabled on our shares but I cannot figure out how to view these logs.
Also I cannot seem to find any autorun files on any of the shares.
I will try getting these reg fixes out to all the machines.

Do you know how I would find out where this infection originated from?
Also have an infection of cls.exe; I thought these were the same but looks like maybe not.

Thanks for all your help clearacid, if you think of anything else please share. I will let you know what I find.

Thanks again.

0
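One way to read the object-access audit records discussed above, as an added example that is not part of the original thread: it pulls file-system audit events from the Security log and keeps the write attempts against the file names mentioned here. It assumes Windows Server 2008 or later (where these records are Security event 4663) and an elevated session on the file server; the function name `Get-AuditedFileWrite` is hypothetical.

```powershell
# Added example. Assumes Security event 4663 (Windows Server 2008 or later)
# and that auditing is already enabled on the shared folders.
$NamePattern = 'marioforever\.exe$|autorun\.inf$|cls\.exe$'   # names from this thread

function Get-AuditedFileWrite {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        # Flatten the EventData name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # AccessMask is logged as hex text such as "0x2".
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        # 0x2 = WriteData/AddFile, 0x4 = AppendData: keep writes only.
        if ($data['ObjectName'] -match $Pattern -and ($mask -band 0x6)) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object     = $data['ObjectName']
                Process    = $data['ProcessName']
                AccessMask = $data['AccessMask']
            }
        }
    }
}

# Earliest write first; the account on the first rows is where to start looking.
Get-AuditedFileWrite -Pattern $NamePattern | Sort-Object Time | Format-Table -AutoSize -Wrap
```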
 

Expert Comment

by:schnarkle
ID: 22919256
ClearAcid,

Could you post the contents of your batch file?  I'd like to look it over as I am facing the same issue.

thanks,
Doug
0
 

Expert Comment

by:bbroussardexpert
ID: 22981246
I have the Marioforever virus and I have tried everything to get it out of our servers.  I have run Kaspersky and it seemed to pick it up but the marioforever.exe file just seems to recreate itself.  I have scanned the servers in safe mode and that seemed to work for a while, although after a day the virus was back.  If someone has a cure for this PLEASE HELP.
0
