Trojan:Win32/Mariofev.B


Trojan:Win32/Mariofev.B is a generic detection for a malicious DLL file that is used to inject and execute a malicious payload within other running applications or processes.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:Win32/Mariofev.B is installed by other malware. In one in-the-wild example, this trojan is installed as a file named "ntcore.dll" in the Windows system folder by a trojan dropper detected as Trojan:Win32/Meredrop.
 
When run, Trojan:Win32/Mariofev.B unpacks several payloads and writes encrypted component files as in the following examples:
 
<system folder>\a.dll
<system folder>\d.dll
<system folder>\n.dll
<system folder>\o.dll
<system folder>\p.dll
 
These files are decrypted in memory and injected into other running processes. The payloads vary but are usually designed to alter the behavior of the affected processes.
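A triage sketch for the file names listed above, added here as an example and not part of the original write-up or of any Microsoft tool: it looks in a Windows system folder for those names and reports whether each file parses as a PE image. It assumes that a component stored encrypted on disk will not have a valid PE header; the function names are hypothetical.

```python
import os
import sys

# File names as listed in the write-up; a name match is a lead, not a verdict.
DROPPED_DLL = "ntcore.dll"
ENCRYPTED_COMPONENTS = ("a.dll", "d.dll", "n.dll", "o.dll", "p.dll")


def is_pe_image(path):
    """Return True if the file has an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as f:
        dos_header = f.read(64)
        if len(dos_header) < 64 or dos_header[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(dos_header[60:64], "little"))
        return f.read(4) == b"PE\x00\x00"


def triage(system_dir):
    """Return one finding per file in system_dir whose name appears in the write-up."""
    wanted = {DROPPED_DLL, *ENCRYPTED_COMPONENTS}
    findings = []
    for entry in os.scandir(system_dir):
        name = entry.name.lower()  # Windows file names are case-insensitive
        if not entry.is_file() or name not in wanted:
            continue
        pe = is_pe_image(entry.path)
        if name in ENCRYPTED_COMPONENTS and not pe:
            # Assumption: a component stored encrypted on disk will not parse as a PE.
            note = "component name, not a PE image: consistent with the write-up"
        elif name in ENCRYPTED_COMPONENTS:
            note = "component name but a valid PE: check signer and origin"
        else:
            note = "dropped DLL name: check signer, hash and install time"
        findings.append({"path": entry.path, "name": name, "is_pe": pe,
                         "size": entry.stat().st_size, "note": note})
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    # 32-bit code on 64-bit Windows is redirected to SysWOW64, so check both.
    dirs = sys.argv[1:] or [os.path.join(root, d) for d in ("System32", "SysWOW64")]
    for d in dirs:
        if os.path.isdir(d):
            for f in triage(d):
                print(f"{f['path']}  {f['size']} bytes  PE={f['is_pe']}  {f['note']}")
```

Any hit should be confirmed with an up-to-date antivirus scan before a file is removed, since the names alone do not identify the threat.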
Payload
Downloads arbitrary files
The trojan may contact remote servers such as "pilleboats.com" to download arbitrary files that may be detected as other malware.
 
Analysis by Jireh Sanico

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.89.924.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Sep 03, 2010
This entry was first published on: Mar 07, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Nineball.origin (Dr.Web)
  • Worm.Win32.Mariofev (Ikarus)
  • Trojan-Downloader.Win32.Agent.evtr (Kaspersky)
  • W32/MarioF-B (Sophos)
  • W32.Spamuzle (Symantec)
  • Tatanga (other)