Solved

I have a virus infestation on my entire network with a file name of Mario forever.

Posted on 2008-10-18
Last Modified: 2013-11-22
It is spreading to all machines, servers and even DCs... Trend is detecting infections and fixing most by renaming them, but there are others it is unable to clean or rename. I am guessing this is why it continues to spread.
I have contacted Trend and they are supposed to get me a bandage, but I think they are closed for the weekend because their support no longer answers the phone. Is there any way to contain the virus and keep it from continuing to jump all over the network?
0
Question by:davidilight
7 Comments
 
LVL 5

Expert Comment

by:Basheerpt
ID: 22749662
Remove administrative privileges on their respective stations from all the network users.
Uninstall any toolbars through Add/Remove Programs.
0
 
LVL 6

Expert Comment

by:clearacid
ID: 22749900
I just got hit with that virus - First marioforever.exe

It copies itself through unsecured network shares (generally with everyone modify access)...
To really completely get rid of it - lock down your shares - so only certain people have access....

To track down who is doing it - up your Windows security log for object create (that'll let you see who is creating files on that share).....

Another thing is - check the property information of the file it creates - the marioforever / spamuzle variant that I had basically replicates through SMB shares and creates autorun.inf and modifies registry keys of the victim computer.....  Basically - it will attempt to launch an application every time you click on the network share drive (just like a CD-ROM autorun).

To check to see if the autorun.inf file is there - Click on the network share location - unhide system files and unhide hidden files (both)....

That will display all the hidden stuff.

Click on properties of the autorun.inf and check to see who the owner is - the owner is the one who copied the file over there.

After you find out who did it - take the computer offline and reimage...

Hope it works for you as it did for me

Clear
0
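The manual check described in the comment above (unhide files, find autorun.inf, read the owner) can be run across several shares at once. This is an added example, not code from the thread; the UNC paths are placeholders and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. The UNC paths below are placeholders.
$Shares = '\\fileserver01\public', '\\fileserver01\scans'
$Names  = 'autorun.inf', 'marioforever.exe'

$hits = foreach ($share in $Shares) {
    if (-not (Test-Path -LiteralPath $share)) {
        Write-Warning "Cannot reach $share"
        continue
    }
    # -Force returns hidden and system files, which Explorer hides by default
    Get-ChildItem -Path $share -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            # The owner is normally the account that copied the file onto the share
            $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
                     catch { 'unreadable' }
            [pscustomobject]@{
                Share   = $share
                Path    = $_.FullName
                Owner   = $owner
                Created = $_.CreationTimeUtc
                Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            }
        }
}

# Oldest copies first: the earliest creation time points toward where the spread started
$hits | Sort-Object Created | Format-Table Created, Owner, Hidden, Path -AutoSize

# One row per owner; accounts owning copies on several shares are the first to isolate
$hits | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Shares'; e = { ($_.Group.Share | Sort-Object -Unique) -join ', ' } }

# Keep a record for the clean-up and for comparison after reimaging
$hits | Export-Csv -Path .\share-sweep.csv -NoTypeInformation
```

If the copying account is a member of the local Administrators group, the owner may show as BUILTIN\Administrators rather than the individual account, so treat the owner as a lead and confirm it against the file server's Security log.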
 

Author Comment

by:davidilight
ID: 22750166
Thanks clearacid, this looks like something that might be of great help.

I can locate all the Mario Forever files but I cannot find any autorun.inf files. Would the autorun.inf be in the same share as the marioforever file?
0
 
LVL 6

Accepted Solution

by:
clearacid earned 2000 total points
ID: 22750435
What are the symptoms you are facing?

Printing garbage to printers?  Attaching itself to executables?  Etc.?

Also, the Mario Forever virus is called by different names: W32.MarioFev.A, W32.Spamuzle.D, etc.

Here's a link from Symantec on how to remove it.....  What I did was create a batch file to remove the registry keys it adds (as suggested by Symantec) and dump it in a group policy as a startup script in AD.

That seemed to be very effective in removing the virus.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-050915-4639-99&tabid=2
0
 

Author Comment

by:davidilight
ID: 22759583
Trend is picking up a number of Mario Forever infections all over the network, on servers and PCs.  Also seeing cls.exe infections. Trend is catching it and quarantining it.
Windows security log for object create is enabled on our shares but I cannot figure out how to view these logs.
Also, I cannot seem to find any autorun files on any of the shares.
I will try getting these reg fixes out to all the machines.

Do you know how I would find out where this infection originated from?
Also have an infection of cls.exe. I thought these were the same but it looks like maybe not.

Thanks for all your help, clearacid. If you think of anything else please share, thanks. I will let you know what I find.

Thanks again.

0
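One way to read the object-access audit records mentioned in the comment above and tie writes of the suspect file names to an account and client. This is an added example, not code from the thread; it assumes Windows Server 2008 or later event IDs (Windows Server 2003 logs object access under different event IDs), an elevated PowerShell session on the file server, and a seven-day look-back chosen for illustration.

```powershell
# Added example, not from the thread. Run elevated on the server hosting the share.
#   4663 = attempt to access an object (needs auditing enabled on the folder)
#   5145 = detailed file share access check (2008 R2 and later, records the client IP)
$names = 'marioforever.exe', 'autorun.inf', 'cls.exe'
$since = (Get-Date).AddDays(-7)      # look-back window (assumption), adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663, 5145; StartTime = $since
} -ErrorAction SilentlyContinue

$writes = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable
    $d = @{}
    foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    # 4663 carries the full path in ObjectName, 5145 the share-relative path
    $target = if ($e.Id -eq 4663) { $d['ObjectName'] } else { $d['RelativeTargetName'] }
    if (-not $target) { continue }
    $leaf = ($target -split '\\')[-1]
    if ($names -notcontains $leaf) { continue }

    # Keep only requests whose access mask includes WriteData/AddFile (0x2)
    $mask = [Convert]::ToInt32($d['AccessMask'], 16)
    if (-not ($mask -band 0x2)) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Client  = $d['IpAddress']      # populated for 5145 only
        Process = $d['ProcessName']    # populated for 4663 only
        Target  = $target
    }
}

# Chronological view: the first write is the best lead on where the infection came from
$writes | Sort-Object Time | Format-Table -AutoSize

# Which account and client address wrote the files most often
$writes | Group-Object Account, Client | Sort-Object Count -Descending |
    Select-Object Count, Name
```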
 

Expert Comment

by:schnarkle
ID: 22919256
ClearAcid,

Could you post the contents of your batch file?  I'd like to look it over as I am facing the same issue.

thanks,
Doug
0
 

Expert Comment

by:bbroussardexpert
ID: 22981246
I have the Marioforever virus and I have tried everything to get it out of our servers.  I have run Kaspersky and it seemed to pick it up but the marioforever.exe file just seems to recreate itself.  I have scanned the servers in safe mode and that seemed to work for a while, although after a day the virus was back.  If someone has a cure for this PLEASE HELP.
0
