Virus plays on Nintendo Mario game nostalgia

July 30, 2007 Sophos Press Release

IT security and control firm Sophos is warning of a new mass-mailing worm that is capitalising on users' enthusiasm for Nintendo's iconic character, Mario. Once they open the email, recipients are requested to click on an attachment that promises to run one of the classic Super Mario Bros games.

Emails sent by the worm use the following text in the message body:

Hi There, Do You Like Mario Bross ? Test it, and you'll like it ;] !

Attached to the emails is a file containing the Romario-A worm, which in addition to launching a game starring the portly Italian plumber, also attempts to infect other unprotected computers via mass-mailing itself as a file attachment, as well as spreading via removable shared drives.

The worm plays a classic Super Mario Bros game.

Sophos experts note that Romario-A aims to cause maximum impact by scheduling a daily task to ensure the worm runs regularly at a specified time.

"Fraudsters are constantly innovating to find new ways of tapping into users' psyches to tempt them into clicking on infected links and attachments," said Graham Cluley, senior technology consultant at Sophos. "Nintendo's resurgence in the games market with the Wii console and Mario's global retro appeal are factors playing directly into the hands of cybercriminals keen to dupe users. This kind of attack is particularly stealth-like because nostalgic gamers can actually play the game once they click, giving them no reason to suspect that something more sinister is lurking beneath."

Romario-A is the latest in a series of malware that purports to be a computer game or actually runs a real game. This trick has been employed many times in the past by malware authors, notably in the W32/Bagle-U worm, which attempts to start the Microsoft Hearts game; the W32/Coconut-A virus, which urged infected users to throw coconuts at pictures of a computer security expert; and the Troj/Gonori-A Trojan, which plays Minesweeper when run.

The worm is also set to run when files with extensions of BAT, COM, PIF and SCR are opened or launched.

Sophos customers have been protected against the Romario worm since 04:40 GMT on 30 July 2007.

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution to defend against malware, spyware, hackers and spam.