Sophos

Download Windows 7 security - A great leap forward or business as usual?

Stupid Mario Bluster

I’ve been following the MarioF worm family for some time now. Until recently, it had a unique method of running itself when the computer boots. The worm made a subtle patch to user32.dll. It is easy to miss that patch unless you know exactly what to look for. Incidentally, we detect the patched files as Troj/User32Hk-A.

Perhaps this method has become too recognizable and the authors have decided to take a different approach to starting up. It has recently become parasitic.

It now writes its own code into Windows OS files such as explorer.exe and ctfmon.exe. When the computer boots, these files are run automatically. The infected files decrypt a MarioF library and run it before passing control back to the host. All this is typical virus behavior.

Only in the world of malware does a worm evolve into a virus.
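Since the infected host files described above run the injected code first and only then hand control back to the original program, a simple defender-side check is whether a system executable's entry point still lands in its first executable section, where a normal linker puts it. The following is an added Python example, not Sophos code and not the detection logic behind Troj/User32Hk-A; it parses only the PE headers, and the sample images it tests against are constructed header-only stubs (the section name `.added` is a placeholder, not something the worm uses).

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag (PE spec)

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, rva, vsize, characteristics)]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                          # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, _, _, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append((name, rva, vsize, chars))
    return entry_rva, sections

def entry_point_verdict(data):
    """'clean' when the entry point lies in the first executable section (normal
    linker layout); otherwise a 'suspicious: ...' string naming the oddity."""
    entry_rva, sections = parse_pe(data)
    hit = next((i for i, (_, rva, vsize, _) in enumerate(sections)
                if rva <= entry_rva < rva + max(vsize, 1)), None)
    if hit is None:
        return "suspicious: entry point outside every section"
    first_exec = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    if hit == first_exec:
        return "clean"
    return "suspicious: entry point in section %s (%d of %d)" % (sections[hit][0], hit + 1, len(sections))

def build_pe(sections, entry_rva):
    """Construct a header-only PE32 image for testing (constructed sample, not a real binary)."""
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    table = b"".join(n.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a normal layout, and one where an appended executable
# section has taken over the entry point, the layout a file infector leaves behind.
TEXT, DATA = (".text", 0x1000, 0x5000, 0x60000020), (".data", 0x6000, 0x1000, 0xC0000040)
CLEAN = build_pe([TEXT, DATA], 0x1234)
INFECTED = build_pe([TEXT, DATA, (".added", 0x7000, 0x800, 0xE0000020)], 0x7010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, "->", entry_point_verdict(img))
```

To check a real file, pass `open(path, "rb").read()` to `entry_point_verdict`; the check flags layout anomalies only, so confirm a hit against a signed or known-good copy of the file before acting on it.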
