Worm:Win32/Mariofev.A is a worm that spreads via network shares and removable drives. It deletes registry keys and entries related to antivirus and security applications, has backdoor functionalities, and may steal information sent over the network.
Installation
Worm:Win32/Mariofev.A may arrive on the system as a DLL component dropped by TrojanDropper:Win32/Mariofev.A or by another executable file. It is usually installed as the following:
- <system folder>\MarioForever.exe
- <system folder>\nvr<random characters>.dll
For example:
nvrsma.dll
nvrsul32.dll
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Upon execution, it creates the following files:
- <system folder>\<random file name> - copy of the worm
- %Temp%\<random>.exe
- %Temp%\1.bat - batch file used to delete the currently-running worm copy after it has done its routine
It modifies the following files so that it is loaded every time these files are used by an executable:
- <system folder>\dllcache\user32.dll
- <system folder>\user32.dll
Note that user32.dll is a legitimate Windows file. The original copy is saved by this worm in the Windows system folder with a random file name. These modified files are detected as Virus:Win32/Mariofev.A.
It checks for the existence of the following registry key:
If found, it does not infect the system.
It then creates the following registry key as an infection marker:
- HKLM\Software\<numeric value>
For example:
HKLM\Software\1
HKLM\Software\7
It also creates the following registry entry so that it is loaded every time user32.dll is used by an executable:
Adds value: "<2 random letters>pInit_Dlls"
With data: "<malware file name>"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
For example:
Adds value: "nqpInit_Dlls"
With data: "nvrsul32"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
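A defender-side check for the two registry artifacts described above, the numeric infection-marker key under HKLM\Software and the "<2 random letters>pInit_Dlls" value, written as an added example that is not part of the original write-up. It runs over a constructed .reg-style export text rather than the live registry; the function names and the sample export are assumptions, and it also excludes the legitimate AppInit_DLLs value name, which happens to fit the same two-letter shape.

```python
import re

# Paths and name shapes from the write-up. A .reg export spells the hive
# HKEY_LOCAL_MACHINE, so the HKLM abbreviation is expanded before comparing.
INIT_DLLS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
MARKER_KEY_RE = re.compile(r"^hkey_local_machine\\software\\\d+$")
# "<2 random letters>pInit_Dlls": the legitimate "AppInit_DLLs" also fits this
# shape (Ap + pInit_DLLs), so it is excluded by exact name in the check below.
LOOKALIKE_VALUE_RE = re.compile(r"^[a-z]{2}pinit_dlls$")
NVR_DLL_RE = re.compile(r"^nvr[a-z0-9]+(\.dll)?$")

def _norm_key(key):
    k = key.strip().lower()
    return "hkey_local_machine\\" + k[5:] if k.startswith("hklm\\") else k

def parse_reg_export(text):
    """Return (keys, [(key, name, data)]) from a minimal .reg-style export;
    only "name"="data" string values are parsed, which is all the checks need."""
    keys, values, key = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.append(key)
        elif key is not None and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            values.append((key, m.group(1), m.group(2)))
    return keys, values

def find_mariofev_indicators(text):
    """Flag the registry artifacts this worm leaves, as (kind, detail) tuples."""
    keys, values = parse_reg_export(text)
    findings = [("infection-marker-key", k) for k in keys if MARKER_KEY_RE.match(_norm_key(k))]
    for key, name, data in values:
        if _norm_key(key) != INIT_DLLS_KEY:
            continue  # only the Windows NT\CurrentVersion\Windows subkey matters
        if LOOKALIKE_VALUE_RE.match(name.lower()) and name.lower() != "appinit_dlls":
            findings.append(("lookalike-init-dlls-value", f"{name}={data}"))
        if NVR_DLL_RE.match(data.lower()):
            findings.append(("nvr-dll-name", data))
    return findings

# Constructed sample export (not a real capture): both artifacts beside the
# legitimate, empty AppInit_DLLs value, which must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\7]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"nqpInit_Dlls"="nvrsul32"
"""
```

Calling find_mariofev_indicators(SAMPLE_EXPORT) returns the marker key, the look-alike value and the nvr* DLL name, and nothing for the real AppInit_DLLs entry.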
Spreads Via…
Removable Drives
Worm:Win32/Mariofev.A attempts to spread by copying its dropper, the file detected as TrojanDropper:Win32/Mariofev.A, into removable drives as the file game.exe. The trojan dropper, in turn, drops this worm, thus completing the propagation routine.
Worm:Win32/Mariofev.A also drops an autorun.inf file along with the trojan dropper, which enables the trojan dropper to automatically run when the drive is accessed and Autoplay is enabled.
Network Shares
Worm:Win32/Mariofev.A attempts to spread via network shares by using the following usernames and passwords to connect to systems:
00
0
1
11
13
123
666
777
1212
1313
123456
admin
adm
administrator
asa
password
pass
qaz
qazxsw
qqq
qwerty
test
zaqwsx
zaq
zzz
Payload
Modifies System Security
Worm:Win32/Mariofev.A attempts to delete registry keys with the following string, which are related to antivirus and security applications:
*\shellex\ContextMenuHandlers\NOD32Context Menu Shell Extension
ALWIL Software\Avast
AllFilesystemObjects\shellex\ContextMenuHandlers\SpySweeper
Arovax AntiSpyware
Chilkat Software, Inc
ComputerAssociates\eTrustPestPatrol
Doctor Web, Ltd.
FRISK Software International
Grisoft\AVGAntiSpyware
KasperskyLab
McAfee\McAfee AntiSpyware
McAfee\VirusScan
Panda Software
PepiMK Software\SpybotSnD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 6 Personal
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClamAV
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareBlaster_is1
SOFTWIN\BitDefender Desktop\Maintenance\Install
SYSTEM\ControlSet001\Services\avgntflt
SYSTEM\CurrentControlSet\Services\WinDefend.sf_vmware
Spyware Begone!
Symantec\Symantec AntiVirus
VMware, Inc.\VMware Tools
Vba32
Connects to Remote Server
Win32/Mariofev.A connects to a remote site at the IP address 200.63.46.49.
Performs Backdoor Routines
Win32/Mariofev.A may also provide the following backdoor functionalities:
- Provide remote shell access (for example, cmd.exe)
- Add a user to the system to allow remote access
Steal Information
This worm also steals information sent over the network, such as email addresses, by intercepting port communication.
Analysis by Elda Dimakiling and Matt McCormack