MarioForever Detection Issue With FCS

On or about December 9th, Microsoft Malware Protection Center included new information in the FCS definitions to ‘clean' the file ‘user32.dll' in the system32 and system32\dllcache folders which may have been modified at some earlier time by the Marioforever malware.  Most of these infections occurred in May/June 2008.  In those cases, signature updates were provided to quarantine/remove the actual malicious code (executables) from affected machines.  However, the malware also modified part of the user32.dll file (a core Windows file) which will now be successfully restored by FCS.

 A side effect of this is that FCS may now detect certain components which it may not have detected previously, though the malware has been disabled since it was originally detected.

Important things to note:

  • This is only applicable to FCS customers who were previously exposed to the Marioforever malware, and then subsequently cleaned.
  • This is nota re-infection.



Security Technical Lead