Content

W32/Mariofev.worm

Type
Virus
SubType
Worm
Discovery Date
05/14/2008
Length
Varies
Minimum DAT
5296 (05/15/2008)
Updated DAT
5370 (08/26/2008)
Minimum Engine
5.1.00
Description Added
05/14/2008
Description Modified
05/14/2008 5:55 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Files Added

Upon execution, this worm drops a number of files of executable format.

  • %SYSDIR%\bmf.cs
  • %SYSDIR%\ccs.so
  • %SYSDIR%\gh.l
  • %SYSDIR%\mn.n
  • %SYSDIR%\ntpl.bin
  • %SYSDIR%\nvrsma.dll
  • %SYSDIR%\[Random name]
  • %SYSDIR%\yl.po

 

Files Modified

It modifies the following files:

  • %SYSDIR%\user32.dll
  • %SYSDIR%\dllcache\user32.dll

 

Registry

It adds key with the following format:

HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] such as:

  • HKEY_LOCAL_MACHINE\SOFTWARE\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\6
  • HKEY_LOCAL_MACHINE\SOFTWARE\7
  • HKEY_LOCAL_MACHINE\SOFTWARE\8
  • HKEY_LOCAL_MACHINE\SOFTWARE\9

 

The following Value/Data pairs are observed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ccnt" [Number of infection attempts]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "bjpInit_Dlls" "nvrsma"

 

Modifies registry entries related to popular software (this list is not comprehensive):

  • Ad-Aware SE Personal
  • Arovax AntiSpyware
  • Chilkat Software, Inc.
  • ComputerAssociates\eTrustPestPatrol
  • McAfee\McAfee AntiSpyware
  • McAfee\VirusScan
  • Panda Software
  • PepiMK Software\SpybotSnD
  • SpySweeper
  • Symantec\Symantec AntiVirus
  • Vba32
  • VMware, Inc.

 

Network

It attempts to make network connections to the following domain:

  • hxxp://66.36.241.45/sdb/gate/[Removed]

Symptoms

  • Presence of aforementioned registry keys and files.

     

    • Method of Infection

    It attempts to use brute force with a small list of commonly used passwords in order to gain access to shares if a share is password protected. Upon successfully gaining access, it copies itself.

    Removal

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This file is a worm which attempts to spread by copying itself over Network Shares.

    Characteristics

    Characteristics -

    Files Added

    Upon execution, this worm drops a number of files of executable format.

    • %SYSDIR%\bmf.cs
    • %SYSDIR%\ccs.so
    • %SYSDIR%\gh.l
    • %SYSDIR%\mn.n
    • %SYSDIR%\ntpl.bin
    • %SYSDIR%\nvrsma.dll
    • %SYSDIR%\[Random name]
    • %SYSDIR%\yl.po

     

    Files Modified

    It modifies the following files:

    • %SYSDIR%\user32.dll
    • %SYSDIR%\dllcache\user32.dll

     

    Registry

    It adds key with the following format:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] such as:

    • HKEY_LOCAL_MACHINE\SOFTWARE\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\6
    • HKEY_LOCAL_MACHINE\SOFTWARE\7
    • HKEY_LOCAL_MACHINE\SOFTWARE\8
    • HKEY_LOCAL_MACHINE\SOFTWARE\9

     

    The following Value/Data pairs are observed:

    • HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ccnt" [Number of infection attempts]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "bjpInit_Dlls" "nvrsma"

     

    Modifies registry entries related to popular software (this list is not comprehensive):

    • Ad-Aware SE Personal
    • Arovax AntiSpyware
    • Chilkat Software, Inc.
    • ComputerAssociates\eTrustPestPatrol
    • McAfee\McAfee AntiSpyware
    • McAfee\VirusScan
    • Panda Software
    • PepiMK Software\SpybotSnD
    • SpySweeper
    • Symantec\Symantec AntiVirus
    • Vba32
    • VMware, Inc.

     

    Network

    It attempts to make network connections to the following domain:

    • hxxp://66.36.241.45/sdb/gate/[Removed]

    Symptoms

    Symptoms -

  • Presence of aforementioned registry keys and files.

     

    • Method of Infection

    Method of Infection -

    It attempts to use brute force with a small list of commonly used passwords in order to gain access to shares if a share is password protected. Upon successfully gaining access, it copies itself.

    Removal -

    Removal -

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A