W32/Mariofev.worm
This file is a worm which attempts to spread by copying itself over Network Shares.
It also launches an LDP brute-force password-cracking attempt against the logged-in user account using common passwords.
Registry
The following Value/Data pairs are observed:
● HKEY_LOCAL_MACHINE\SOFTWARE\[Numeric Value] [Random Number] [Random Data]
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "st" [Number of infection attempts]
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid" [Random Hex Number]
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs" "nvaux32"
● On the affected workstations/servers, the startup type and configuration of the "Automatic Updates" and "Background Intelligent Transfer Service" services have been altered. (On a clean XP/2003 host, Automatic Updates should be set to Automatic and BITS to Manual.)
Network
It attempts to make network connections to the following address:
● hxxp://66.36.241.45/sdb/gate/[Removed]
Impact created:
● Accounts getting locked out repeatedly (event 539), with the lockouts initiated from different workstations.
● BITS and Windows Update services are disabled.
● Security websites are not accessible.
Workaround:
● Run the GMER tool, which identifies and cleans the infection.
● http://www.gmer.net/gmer.zip (download the tool from this location)
● Reboot the machine; it will then return to normal.
Permanent Fix:
● All the antivirus vendors, including Microsoft, Symantec, McAfee, Trend etc., are working on a signature for this virus. This is an update from the PSS-Security team. Please ensure the MS08-067 update is installed after removing the malware.
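The following triage script is an added example, not part of the advisory and not a vendor tool: it checks a single host for the registry, service and lockout indicators listed above. It assumes Windows PowerShell with the Get-WmiObject and Get-EventLog cmdlets (XP/2003-era hosts) and the service short names wuauserv (Automatic Updates) and BITS; the numeric-subkey and "st"/"mid" checks flag anything matching the pattern described, so review hits manually before acting on them.

```powershell
# Mariofev indicator triage (added example). Run from an elevated Windows PowerShell prompt.
$findings = @()

# 1. AppInit_DLLs should not reference the worm's DLL name "nvaux32".
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -and $appInit -match 'nvaux32') {
    $findings += "AppInit_DLLs references nvaux32: $appInit"
}

# 2. The "st" and "mid" values under CurrentVersion are not present on a clean host.
$cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$cv    = Get-ItemProperty -Path $cvKey -ErrorAction SilentlyContinue
foreach ($name in 'st', 'mid') {
    if ($cv -and $cv.PSObject.Properties[$name]) {
        $findings += "Unexpected value '$name' under CurrentVersion: $($cv.$name)"
    }
}

# 3. A purely numeric subkey directly under HKLM\SOFTWARE matches the worm's [Numeric Value] key.
Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+$' } |
    ForEach-Object { $findings += "Numeric key under HKLM\SOFTWARE: $($_.PSChildName)" }

# 4. Expected start modes on XP/2003: Automatic Updates = Auto, BITS = Manual.
#    Win32_Service.StartMode reports 'Auto', 'Manual' or 'Disabled'.
$expected = @{ wuauserv = 'Auto'; BITS = 'Manual' }
foreach ($svc in $expected.Keys) {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
    if (-not $wmi) { $findings += "Service $svc not found"; continue }
    if ($wmi.StartMode -ne $expected[$svc]) {
        $findings += "Service $svc StartMode=$($wmi.StartMode) State=$($wmi.State) (expected $($expected[$svc]))"
    }
}

# 5. Repeated event 539 (logon failure: account locked out) in the Security log over the last 24 hours.
$since    = (Get-Date).AddHours(-24)
$lockouts = @(Get-EventLog -LogName Security -InstanceId 539 -After $since -ErrorAction SilentlyContinue)
if ($lockouts.Count -gt 0) {
    $findings += "$($lockouts.Count) account-lockout events (539) since $since; check the source workstation in each message"
}

if ($findings.Count -eq 0) { 'No Mariofev indicators found on this host.' } else { $findings }
```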