W32/Romario@M

Type
Virus
SubType
Worm
Discovery Date
07/31/2007
Length
121,599 bytes
Minimum DAT
5087 (07/31/2007)
Updated DAT
5152 (10/30/2007)
Minimum Engine
5.1.00
Description Added
07/31/2007
Description Modified
07/31/2007 5:22 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

 -- Update July 31, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/07/30/mario_worm/

--

W32/Romario@M is a worm that masquerades as a copy of the popular Super Mario Brothers game. It spreads by mailing itself via Outlook and also copies itself to removable devices and open shares on a network. W32/Romario@M was written in Microsoft Visual C++ 6.0.
 
Upon execution, it drops copies of itself onto the following locations on disk:

\Mario.exe
\explorer.exe
\xplorer.exe

\GAME\Bola.exe
\GAME\Crazy Mouse.exe
\GAME\Dark Screen.exe
\GAME\Goncang.exe
\GAME\Kartu.exe
\GAME\Kelap Kelip.exe
\GAME\Layar Jatuh.exe
\GAME\Legend.exe
\GAME\Minesweeper.exe
\GAME\My Heart.exe
\GAME\Pink Panther.exe
\GAME\Smart.exe
\GAME\Start Hide.exe
\GAME\Text Animation.exe
\GAME\XP Button.exe

\Documents and Settings\All Users\Documents\Bola Pantul.exe
\Documents and Settings\All Users\Documents\FreeCard.exe
\Documents and Settings\All Users\Documents\MyHearts.exe

\Documents and Settings\User\Application Data\Alisa.exe
\Documents and Settings\User\Application Data\Emma.exe
\Documents and Settings\User\My Documents\Mario Bross.exe
\Documents and Settings\User\My Documents\Minesweeper.exe
\Documents and Settings\User\My Documents\Solitaire Card.exe

%WINDIR%\winlogon.exe
%WINDIR%\xplorer.exe
%WINDIR%\%SYSDIR%\msvbvm60.dll.exe
%WINDIR%\%SYSDIR%\PANGKALP1NANG.EXE
%WINDIR%\%SYSDIR%\SMUNSA_PKP_GAME.EXE

Also creates the following files as part of its installation routine:

C:\Alicia.htt
C:\desktop.ini
\Documents and Settings\User\Application Data\Aliciana.htt
\Documents and Settings\User\Application Data\Emira.ini
%WINDIR%\Alicia.htt

Drops and executes a legitimate copy of the Super Mario Brothers game so that the victim sees the expected game and does not suspect the infection.

C:\program files\mario.exe

Creates the following values in the registry so that it starts automatically when Windows starts.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"SmansaApp" = "%WINDIR%\winlogon.exe"
"Random KeyName" = "%WINDIR%\winlogon.exe"

Modifies the following values so that it starts automatically when Windows starts.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

"Shell" = explorer.exe "C:\explorer.exe"
"Userinit" = %WINDIR%\%SYSDIR%\userinit.exe, C:\explorer.exe

Creates a scheduled task to run the worm every day at a specified time.

%WINDIR%\Tasks\At1.job

Symptoms

Modifies the registry so that the worm is executed whenever a file of one of the following types is opened.

HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\lnkfile\shell\open\command
HKEY_CLASSES_ROOT\movfile\shell\open\command
HKEY_CLASSES_ROOT\MPEG File\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\scrfile\shell\open\command
HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command

Old data: "%1" %*
New data: "C:\explorer.exe" "%1" %*

Changes the default start page of Microsoft Internet Explorer to point to a Wiki article:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\

"Start Page" = http://en.wikipedia.org/wiki/Front_Mission_3

Disables System Restore and tampers with the Safe Mode boot by modifying the following registry keys:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore

"DisableConfig" = "1"
"DisableSR" = "1"

HKEY_LOCAL_MACHINE\Software\SYSTEM\CurrentControlSet\Control\SafeBoot\Alternate Shell

Old data: "cmd.exe"
New data: "C:\explorer.exe"

Creates a registry entry that prevents hidden files from being shown in Windows Explorer:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
"UncheckedValue" =

Method of Infection

Propagation via Mail:

W32/Romario@M does not have its own SMTP engine. It uses MAPI and depends on the Outlook client being configured with a valid SMTP server address in order to spread. It sends a copy of itself to victims using the subjects of existing emails in the inbox.

Because the subject is taken from a previous mail, this technique is highly effective at tricking recipients into believing that the mail is genuine.

Propagation via Removable drives and Network Shares:

W32/Romario@M copies itself to removable drives by creating a folder "GAME" on the removable drive and copying itself to that folder using the following names:

\GAME\Bola.exe
\GAME\Crazy Mouse.exe
\GAME\Dark Screen.exe
\GAME\Goncang.exe
\GAME\Kartu.exe
\GAME\Kelap Kelip.exe
\GAME\Layar Jatuh.exe
\GAME\Legend.exe
\GAME\Minesweeper.exe
\GAME\My Heart.exe
\GAME\Pink Panther.exe
\GAME\Smart.exe
\GAME\Start Hide.exe
\GAME\Text Animation.exe
\GAME\XP Button.exe

It also copies itself to open shares on a network.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • Virus.Win32.Romario (Aladdin)
  • Virus.Win32.Romario.a (IKARUS)
  • Virus.Win32.Romario.a (Kaspersky)
  • W32/Romario-A (Sophos)
  • W32/Romario.B (Fortinet)
  • Win32.Worm.Romario.A (BitDefender)
  • Worm.Romario.B (VirusBuster)