W32/Mariofev.worm

Type: Virus
SubType: Worm
Discovery Date: 05/14/2008
Length: Varies
Minimum DAT: 5296 (05/15/2008)
Updated DAT: 5809 (11/21/2009)
Minimum Engine: 5.1.00
Description Added: 05/14/2008
Description Modified: 01/30/2009 4:01 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

--Update January 30, 2009--

The below characteristics are unique to some variants:

Files Added

  • %SYSDIR%\system32\2rg3.es
  • %SYSDIR%\system32\4rr.pa
  • %SYSDIR%\system32\celf
  • %SYSDIR%\system32\ef3p.ee
  • %SYSDIR%\system32\fks.as
  • %SYSDIR%\system32\gr1.e
  • %SYSDIR%\system32\zred.pa
  • %SYSDIR%\system32\dllcache\user32.dll

Registry

The following Value/Data pairs were observed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "ckpInit_Dlls" "nvaux32"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core "EnableConcurrentSessions" "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD "NextInstance" "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP "NextInstance" "1"

Network

It attempts to make network connections to the following domains:

  • hxxp://[removed]il.ru
  • hxxp://Voly[removed]s.com

-- Update December 19, 2008 --

The below characteristics are unique to some variants.

Files Added

Upon execution, this worm drops the following files:

  • %SYSDIR%\adj.j
  • %SYSDIR%\aston.mt
  • %SYSDIR%\devh.e2
  • %SYSDIR%\e.spa
  • %SYSDIR%\nvaux32.dll
  • %SYSDIR%\rdxz.e
  • %SYSDIR%\[Random name]

Registry

The following Value/Data pairs are observed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "st" [Number of infection attempts]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "oupInit_Dlls" "nvaux32"


Network

It attempts to make network connections to the following domain:

  • hxxp://92.62.100.92/tpsa/gate/[Removed]

-- Update December 12, 2008 --

With some variants, these additional files have been added:

  • %SYSDIR%\System32\aston.mt
  • %SYSDIR%\System32\Drivers\atmapi.sys
  • %SYSDIR%\System32\fop.e
  • %SYSDIR%\System32\kj.je
  • %SYSDIR%\System32\nvaux32.dll
  • %SYSDIR%\System32\r33.es
  • %SYSDIR%\System32\v1.e2
  • %SYSDIR%\System32\zed.pa

Files Added

Upon execution, this worm drops a number of executable files:

  • %SYSDIR%\bmf.cs
  • %SYSDIR%\ccs.so
  • %SYSDIR%\gh.l
  • %SYSDIR%\mn.n
  • %SYSDIR%\ntpl.bin
  • %SYSDIR%\nvrsma.dll
  • %SYSDIR%\[Random name]
  • %SYSDIR%\yl.po

Files Modified

It modifies the following files:

  • %SYSDIR%\user32.dll
  • %SYSDIR%\dllcache\user32.dll

Registry

It adds a key with the following format:

HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] such as:

  • HKEY_LOCAL_MACHINE\SOFTWARE\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\6
  • HKEY_LOCAL_MACHINE\SOFTWARE\7
  • HKEY_LOCAL_MACHINE\SOFTWARE\8
  • HKEY_LOCAL_MACHINE\SOFTWARE\9

The following Value/Data pairs are observed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ccnt" [Number of infection attempts]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "bjpInit_Dlls" "nvrsma"

It modifies registry entries related to the following popular software (this list is not comprehensive):

  • Ad-Aware SE Personal
  • Arovax AntiSpyware
  • Chilkat Software, Inc.
  • ComputerAssociates\eTrustPestPatrol
  • McAfee\McAfee AntiSpyware
  • McAfee\VirusScan
  • Panda Software
  • PepiMK Software\SpybotSnD
  • SpySweeper
  • Symantec\Symantec AntiVirus
  • Vba32
  • VMware, Inc.

Network

It attempts to make network connections to the following domain:

  • hxxp://66.36.241.45/sdb/gate/[Removed]

Symptoms

  • Presence of the aforementioned registry keys and files.

Method of Infection

It attempts to brute-force access to password-protected shares using a small list of commonly used passwords.

Upon successfully gaining access, it copies itself to the share.

Typical entry vectors are removable media, P2P programs and open network shares. However, like many worms, it could also be spammed, sent via IM, or downloaded or installed via drive-by installs.
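The symptoms above amount to the registry values listed under Characteristics. The following Python is an added example (not McAfee's code or part of this advisory) that parses a constructed .reg-style export and flags those indicators; it assumes the three-letter prefix before "Init_Dlls" varies between variants, so it matches any such value name whose data is one of the dropped DLL names.

```python
import re
# Indicators copied from the advisory above; the prefix before "Init_Dlls" varies per variant, so any *Init_Dlls name is matched (assumption).
LOADER_DLLS = {"nvaux32", "nvrsma"}
COUNTER_VALUES = {"st", "ccnt", "mid"}
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
CURVER_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server\licensing core"
NUMERIC_SUBKEY = re.compile(r"^hkey_local_machine\\software\\\d+$")
# Constructed sample .reg export: four infected-host entries plus one benign value.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"ckpInit_Dlls"="nvaux32"
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\7]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ccnt"=dword:00000003
"""

def parse_reg_export(text):
    """Parse a .reg-style export into {key.lower(): {value_name: data}}."""
    keys, values = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            values = keys.setdefault(line[1:-1].lower(), {})
        elif values is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                data = int(data[6:], 16)      # REG_DWORD as int
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]             # REG_SZ unquoted; hex: data is kept raw
            values[name] = data
    return keys

def find_indicators(text):
    """Return (key, value_name, reason) for every entry matching the advisory."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if NUMERIC_SUBKEY.match(key):
            hits.append((key, None, "numeric subkey under HKLM\\SOFTWARE"))
        for name, data in values.items():
            if key == WINDOWS_KEY and name.endswith("Init_Dlls") and str(data).lower() in LOADER_DLLS:
                hits.append((key, name, f"{name} loads dropped DLL {data}"))
            elif key == TS_KEY and name == "EnableConcurrentSessions" and data == 1:
                hits.append((key, name, "concurrent Terminal Server sessions enabled"))
            elif key == CURVER_KEY and name in COUNTER_VALUES:
                hits.append((key, name, "worm bookkeeping value"))
    return hits
```

On a real host, feed it the output of `reg export` for the HKLM\SOFTWARE and HKLM\SYSTEM hives; the dropped files under %SYSDIR% still need a separate filesystem check.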

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This file is a worm which attempts to spread by copying itself over network shares.

Aliases

  • W32.Spamuzle.D (Symantec)
