Our network is infected with marioforever.exe and I can't get rid of it.  I have tried everything in these post but nothing works.  Please help.

Posted on 2008-11-17
Medium Priority
Last Modified: 2013-11-22
Our network has been infected with the marioforever.exe.  It has put the file in all the shares on the network servers.  I have tried many av programs including Kaspersky and malware bytes and both detected the virus and remove it for a short time but it just comes back.  I have also tried removing it in safe mode and that works for awhile but  the file still comes back.  Please help.
Question by:bbroussardexpert
  • 2
  • 2
LVL 12

Expert Comment

by:Hugh Fraser
ID: 22981832
LVL 27

Accepted Solution

David-Howard earned 750 total points
ID: 22998699
This virus propagates itself to root on infected systems. Meaning, you will need to scan your network and your systems (I recommend in Safe Mode) with updated anti-virus. Norton and McAfee are stated as recogonizing this virus and have updated definition files for it.

Expert Comment

ID: 23149643
ARgh, I have this too on our network.....luckily its staying local and not going over the WAN to our other sites.

Anyways, I've got about 15-20 infected PC's...........but no print jobs are coming out.  Every once in awhile I see the Marioforever.exe sitting in the shared drive.....AVG alerts me, then moves it to vault.  Of course it comes back.  I've emailed them already and still waiting for a response.

The thing that I dont get, is if im fixing this 2 or 3 pc's at a time............Wont it just get reinfected from the other PC's ?   I mean, It started at one PC, and spread to the rest of them
LVL 12

Assisted Solution

by:Hugh Fraser
Hugh Fraser earned 750 total points
ID: 23154426
It's possible. According to the Symantec writeup, the worm tries to copy itself to network shares using one of the following passwords:
    * !@#
    * 1212
    * 123
    * 123456
    * 1313
    * 666
    * 777
    * adm
    * admin
    * administrator
    * administrator
    * asa
    * pass
    * password
    * qaz
    * qazxsw
    * qqq
    * qwerty
    * test
    * zaq
    * zaqwsx
    * zzz

Once the AV signatures are updated, it will be blocked. If you've got an enterprise AV solution, it should just be a matter of getting the updates done. One of the recommendations is to enforce password policies to prevent simple guessable passwords.

Expert Comment

ID: 23174491
Well I believe I had 2 on our network at the same time possible.  

The first one was a service created called OKAMAI and it was running CLS.EXE which was executing every few minutes...so certain programs would just close (like our fax software).   I removed all OKAMAI entries from the registry, rebooted, and the service was gone.

As for the whole marioforever.......we used AVG here,and all AVG would do is notify us of Marioforever.exe.  So, I ran I think 4-5 different anti-virus programs. Each would tell me a different file was a backdoor, or infected.  The big thing was to TURN OFF SYSTEM RESTORE......the virus was hiding it self in the restore points...which apparently aren't scanned. Once Sys Restore is turned off, all restore points are deleted.

I also went around to every PC and deleted ATMAPI.SYS,   Re-installed a new USER32.DLL off the recovery console (one Anti-Vi told me it was infected)...del'd the back up User32, and the worst, was NVAUX32.dll.......had to be done from a dos prompt - eg: the recovery disk. (safe mode wouldnt work either..file was in use obviously)

I also have a band-aid on things right now.....I created txt files and saved them as .exe's and named them marioforever.exe and put them in the shared drives.

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question