W32/Mariofev.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 05/14/2008
- Length: Varies
- Minimum DAT: 5296 (05/15/2008)
- Updated DAT: 5809 (11/21/2009)
- Minimum Engine: 5.1.00
- Description Added: 05/14/2008
- Description Modified: 01/30/2009 4:01 PM (PT)
Characteristics
--Update January 30, 2009--
The characteristics below are specific to some variants:
Files Added
- %SYSDIR%\system32\2rg3.es
- %SYSDIR%\system32\4rr.pa
- %SYSDIR%\system32\celf
- %SYSDIR%\system32\ef3p.ee
- %SYSDIR%\system32\fks.as
- %SYSDIR%\system32\gr1.e
- %SYSDIR%\system32\zred.pa
- %SYSDIR%\system32\dllcache\user32.dll
Registry
The following Value/Data pairs were observed:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "ckpInit_Dlls" "nvaux32"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core "EnableConcurrentSessions" "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDPWD "NextInstance" "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDTCP "NextInstance" "1"
Note that "ckpInit_Dlls" sits in the key from which user32.dll reads the standard AppInit_DLLs value and differs from that name only in its first three characters; since the worm also replaces %SYSDIR%\user32.dll (see Files Modified below), a check that looks only at the AppInit_DLLs value itself will miss this persistence mechanism. EnableConcurrentSessions is not a value Windows sets by default; together with the LEGACY_RDPWD and LEGACY_TDTCP entries, which are created when the RDP winstation and TCP transport drivers are loaded, it suggests the worm is enabling Remote Desktop access to the infected host.
Network
It attempts to make network connections to the following domains:
- hxxp://[removed]il.ru
- hxxp://Voly[removed]s.com
-- Update December 19, 2008 --
The characteristics below are specific to some variants.
Files Added
Upon execution, this worm drops the following files:
- %SYSDIR%\adj.j
- %SYSDIR%\aston.mt
- %SYSDIR%\devh.e2
- %SYSDIR%\e.spa
- %SYSDIR%\nvaux32.dll
- %SYSDIR%\rdxz.e
- %SYSDIR%\[Random name]
Registry
The following Value/Data pairs are observed:
- HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "st" [Number of infection attempts]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "oupInit_Dlls" "nvaux32"
Network
It attempts to make network connections to the following URL:
- hxxp://92.62.100.92/tpsa/gate/[Removed]
-- Update December 12, 2008 --
Some variants drop the following additional files:
- %SYSDIR%\System32\aston.mt
- %SYSDIR%\System32\Drivers\atmapi.sys
- %SYSDIR%\System32\fop.e
- %SYSDIR%\System32\kj.je
- %SYSDIR%\System32\nvaux32.dll
- %SYSDIR%\System32\r33.es
- %SYSDIR%\System32\v1.e2
- %SYSDIR%\System32\zed.pa
Files Added
Upon execution, this worm drops a number of files in executable format, most with extensions that do not identify them as executables:
- %SYSDIR%\bmf.cs
- %SYSDIR%\ccs.so
- %SYSDIR%\gh.l
- %SYSDIR%\mn.n
- %SYSDIR%\ntpl.bin
- %SYSDIR%\nvrsma.dll
- %SYSDIR%\[Random name]
- %SYSDIR%\yl.po
Files Modified
It modifies the following files:
- %SYSDIR%\user32.dll
- %SYSDIR%\dllcache\user32.dll
Registry
It adds keys of the following format:
HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value], for example:
- HKEY_LOCAL_MACHINE\SOFTWARE\1
- HKEY_LOCAL_MACHINE\SOFTWARE\6
- HKEY_LOCAL_MACHINE\SOFTWARE\7
- HKEY_LOCAL_MACHINE\SOFTWARE\8
- HKEY_LOCAL_MACHINE\SOFTWARE\9
The following Value/Data pairs are observed:
- HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ccnt" [Number of infection attempts]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "bjpInit_Dlls" "nvrsma"
It modifies registry entries belonging to popular software, mostly security products (this list is not comprehensive):
- Ad-Aware SE Personal
- Arovax AntiSpyware
- Chilkat Software, Inc.
- ComputerAssociates\eTrustPestPatrol
- McAfee\McAfee AntiSpyware
- McAfee\VirusScan
- Panda Software
- PepiMK Software\SpybotSnD
- SpySweeper
- Symantec\Symantec AntiVirus
- Vba32
- VMware, Inc.
Network
It attempts to make network connections to the following URL:
- hxxp://66.36.241.45/sdb/gate/[Removed]
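The registry artifacts listed in the three updates above can be swept for on a collected registry export. The following Python script is an added example, not McAfee tooling: it parses .reg text and flags the mangled Init_Dlls value names under the Windows key, the "st"/"ccnt"/"mid" values under CurrentVersion, purely numeric subkeys of HKLM\SOFTWARE, and EnableConcurrentSessions = 1. The sample export embedded in the script is constructed to mirror the entries above, not a real capture.

```python
"""Sweep a Windows registry export (.reg text) for the W32/Mariofev.worm
registry artifacts listed above.  Added example; not McAfee tooling."""
import re
from collections import defaultdict

# Key that user32.dll reads AppInit_DLLs from; the worm's variants write a
# value whose name differs only in the first three characters.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
CURVER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
LICENSING_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                 r"\Terminal Server\Licensing Core")
DROPPED_DLLS = {"nvaux32", "nvrsma"}          # DLL names from the description
COUNTER_VALUES = {"st", "ccnt", "mid"}        # infection counter / machine id


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.
    Handles quoted strings and dword values; other types are kept raw."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]            # record the key even when it has no values
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            data = raw[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        else:
            data = raw
        keys[current][name] = data
    return dict(keys)


def _values(keys, path):
    """Case-insensitive lookup of a key's values (registry paths are case-insensitive)."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def find_mariofev_indicators(keys):
    """Return a list of human-readable findings for the artifacts above."""
    findings = []
    for name, data in _values(keys, WINDOWS_KEY).items():
        lname = name.lower()
        if lname.endswith("init_dlls") and lname != "appinit_dlls":
            findings.append(f"non-standard AppInit-style value {name!r} = {data!r}")
        elif lname == "appinit_dlls" and any(d in str(data).lower() for d in DROPPED_DLLS):
            findings.append(f"AppInit_DLLs references dropped DLL: {data!r}")
    for name, data in _values(keys, CURVER_KEY).items():
        if name.lower() in COUNTER_VALUES:
            findings.append(f"CurrentVersion value {name!r} = {data!r}")
    for key in keys:
        if re.fullmatch(r"HKEY_LOCAL_MACHINE\\SOFTWARE\\\d+", key, re.IGNORECASE):
            findings.append(f"purely numeric key {key}")
    if _values(keys, LICENSING_KEY).get("EnableConcurrentSessions") == 1:
        findings.append("Terminal Server EnableConcurrentSessions = 1")
    return findings


# Constructed excerpt of a registry export from an infected host; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"ckpInit_Dlls"="nvaux32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
"mid"="3f9a1c02"
"st"=dword:00000007

[HKEY_LOCAL_MACHINE\SOFTWARE\7]
"48213"="d2c4a9"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000001
'''

if __name__ == "__main__":
    for finding in find_mariofev_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Run it against `reg export HKLM hklm.reg` output from a suspect host; the mangled-name check is the one worth keeping even for other families, because any value ending in Init_Dlls that is not AppInit_DLLs under that key has no legitimate reason to exist.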
Symptoms
Method of Infection
If a share is password protected, it attempts to gain access by brute force, trying a small list of commonly used passwords.
Upon successfully gaining access, it copies itself to the share.
Typical entry vectors are removable media, P2P programs and open network shares. However, like many worms, it could also be spammed out, sent via IM, or downloaded or installed via drive-by installs.
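The password guessing against shares described above shows up on the target host as a burst of failed network logons from one source, followed by a successful one if a guess lands. The following Python detector is an added example, not part of the original description: it assumes Security log records flattened into a simple key=value text format (constructed here, not EVTX), uses event IDs 4625/4624 (Vista and later) and 529/540 (XP/2003) for failed and successful logons, logon type 3 for network logons, and a threshold of five failures within 60 seconds, all of which are tunable assumptions.

```python
"""Detect the share password-guessing described above from Windows Security
log records: a burst of failed network logons (logon type 3) from one source
host, and whether a network logon from that source succeeded afterwards.
Added example; the record format below is constructed, not EVTX."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_IDS = {4625, 529}      # failed logon: Vista and later / XP and 2003
SUCCESS_IDS = {4624, 540}   # successful logon: Vista and later / XP and 2003
NETWORK_LOGON = 3           # logon type 3 = network (SMB share access)


def parse_record(line):
    """'<ISO timestamp> id=<n> type=<n> user=<name> src=<ip>' -> dict."""
    ts, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["id"] = int(rec["id"])
    rec["type"] = int(rec["type"])
    return rec


def detect_share_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """One alert per source host with >= threshold type-3 failures inside window."""
    records = sorted((parse_record(line) for line in lines if line.strip()),
                     key=lambda r: r["time"])
    by_src = defaultdict(list)
    for rec in records:
        if rec["type"] == NETWORK_LOGON and rec["id"] in FAIL_IDS | SUCCESS_IDS:
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, events in by_src.items():
        fails = [e for e in events if e["id"] in FAIL_IDS]
        burst = None
        start = 0
        for end in range(len(fails)):            # sliding time window over failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = (fails[start]["time"], fails[end]["time"])
                break
        if burst is None:
            continue
        # A successful network logon from the same source after the burst means
        # one of the guessed passwords worked and the share is now writable.
        success = next((e for e in events
                        if e["id"] in SUCCESS_IDS and e["time"] >= burst[1]), None)
        alerts.append({
            "src": src,
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "first": burst[0],
            "last": burst[1],
            "success_after": success["user"] if success else None,
        })
    return alerts


# Constructed sample: one guessing host (10.0.0.5) and one user typo (10.0.0.9).
SAMPLE_EVENTS = """\
2008-05-14T10:21:00 id=4625 type=3 user=administrator src=10.0.0.5
2008-05-14T10:21:02 id=4625 type=3 user=administrator src=10.0.0.5
2008-05-14T10:21:03 id=4625 type=3 user=administrator src=10.0.0.5
2008-05-14T10:21:05 id=4625 type=3 user=administrator src=10.0.0.5
2008-05-14T10:21:07 id=4625 type=3 user=admin src=10.0.0.5
2008-05-14T10:21:09 id=4625 type=3 user=admin src=10.0.0.5
2008-05-14T10:21:11 id=4624 type=3 user=admin src=10.0.0.5
2008-05-14T10:25:00 id=4625 type=3 user=jsmith src=10.0.0.9
2008-05-14T10:26:00 id=4625 type=2 user=jsmith src=10.0.0.9
""".splitlines()

if __name__ == "__main__":
    for alert in detect_share_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

An alert whose success_after is set is the one to act on first: the source host is infected and the share it reached should be checked for a freshly written copy of the worm.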
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This file is a worm which attempts to spread by copying itself over network shares.
Aliases
- W32.Spamuzle.D (Symantec)