W32.Mariofev.A

Posted by elise in Blog Latest Spyware News, Latest Spyware Threats, Recent Articles, Worm on February 4th, 2009 | Leave a comment
TAGS: , , ,

What is W32.Mariofev.A?

W32.Mariofev.A is a worm that attempts to spread over the Network Shares by copying itself, usually using the passwords as following:!@#, 1212, 123, 123456, 1313, 666, 777, adm, admin, administrator, administrator, asa, pass, password, qaz, qazxsw, qqq, qwerty, test, zaq, zaqwsx and zzz. To report the infection notification and upload itself, W32.Mariofev.A may contact the remote websites [http://]66.36.241.45/sdb/gate/ and [http://]66.36.241.45/sdb/gate/data.

What is more, W32.Mariofev.A may terminate the registry subkeys that contain the following strings to lower system security configurations:
*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
AllFilesystemObjects\shellex\ContextMenuHandlers\SpySweeper
ALWIL Software\Avast
Arovax AntiSpyware
Chilkat Software, Inc.
ComputerAssociates\eTrustPestPatrol
Doctor Web, Ltd.
FRISK Software International
Grisoft\AVGAntiSpyware
KasperskyLab
McAfee\McAfee AntiSpyware
McAfee\VirusScan
Panda Software
PepiMK Software\SpybotSnD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 6 Personal
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClamAV
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareBlaster_is1
SOFTWIN\BitDefender Desktop\Maintenance\Install
Spyware Begone!
Symantec\Symantec AntiVirus
SYSTEM\ControlSet001\Services\avgntflt
SYSTEM\CurrentControlSet\Services\WinDefend
Ukranian Antivirus center
Vba32
VMware, Inc.
VMware, Inc.\VMware Tools

Do you have W32.Mariofev.A?
If you have enough time and expertise, you can search your computer for W32.Mariofev.A manually. However, it might take hours to find out all files of W32.Mariofev.A, and it is possible that W32.Mariofev.A will appear after rebooting, for its hidden files may still be there.

Download automatic scanner for W32.Mariofev.A
Spyware Cease – the technology-oriented security protection that provides a risk-free computing environment for your home and office – with detection, removal and guard in one intuitive and straight-forward interface. Only Spyware Cease gives you individual fix against the most dangerous spyware problems.

Manual W32.Mariofev.A removal instructions
WARNING: The manually removal method is for advanced users. W32.Mariofev.A manually removal can be difficult and time-consuming. There is no guarantee that W32.Mariofev.A can be completely removed, for there are hundreds of files generated when W32.Mariofev.A installed on your system. Make sure to back up your computer in case that you make any mistakes and your system does not work.

Follow the instructions below for W32.Mariofev.A removal manually:

Navigate and stop the W32.Mariofev.A processes:
N/A

Navigate and delete W32.Mariofev.A files:
%System%\[RANDOM NAME]
%System%\bmf.cs
%System%\ccs.so
%System%\gh.l
%System%\mn.n
%System%\ntpl.bin
%System%\nvrsma.dll
%System%\yl.po
%System%\acl.exe
%System%\MarioForever.exe
%DriveLetter%\MarioForever.exe

Navigate and remove W32.Mariofev.A registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\[NUMBER]\”[34 DIGIT HEX NUMBER]” = “[RANDOM DATA]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\”ztpInit_Dlls” = “nvrsma”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\”ccnt” = “[NUMBER OF INFECTION ATTEMPTS]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\”mid” = “[RANDOM HEX DATA]”

What are the symptoms of W32.Mariofev.A?

  • W32.Mariofev.A may block access to security websites
  • W32.Mariofev.A may make use of software vulnerability
  • W32.Mariofev.A may lead to registry modification

How do I keep away from W32.Mariofev.A
Once you have cleaned up W32.Mariofev.A, the most important point to prevent W32.Mariofev.A and future malicious programs from reverting is to stay suspicious of spam E-mail attachment and unknown websites. Here are several ways in which you can help protect your computer against W32.Mariofev.A and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as, Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is Worm?
W32.Mariofev.A is a type of Worm.

In a computer, a worm is a self-replicating computer program that does not alter files but resides in active memory. The difference between a computer worm and a computer virus is that a computer virus can not run itself. A virus usually needs a virus program to run, and the virus code also runs as part of the host program. However, a worm does not need a host program to run; it uses a network to spread itself over computers on the network.

The original computer worm was released (maybe accidentally) on the Internet by Robert Tappan Morris in 1988. The Internet Worm used sendmail, fingerd, and rsh/rexec to spread itself across the Internet.

The SQL Slammer Worm of 2003 used a vulnerability in Microsoft SQL Server 2000 to spread itself across the Internet. The Blaster Worm, also of 2003, used a vulnerability in Microsoft DCOM RPC to spread itself.

The Melissa worm of 1999, the Sobig worms of 2003 and the Mydoom worm of 2004, all spread through e-mail. These worms shared some features of a trojan horse, in that they spread by enticing a user to open an infected e-mail attachment.

Mydoom also attempted to spread itself through the peer-to-peer file sharing application KaZaA. The Mydoom worms attempted a Denial of Service (DoS) attack against SCO and Microsoft.