Hiding behind a freeware Mario clone, the worm employs several tactics to mass-mail itself to other victims.
A new worm, which security vendors have named Romario, was discovered recently. Romario infects Windows by sending itself through Microsoft Outlook e-mail with the message "Hi There, Do You Like Mario Bross ? Test it, and you'll like it ;] !" while reusing the subject line from a previous legitimate e-mail. If the attached program is launched, it runs a version of Mike Wiering's 13-year-old Mario clone.
But it also executes its sinister payload. The worm mass-mails itself to other individuals and attempts to infect removable drives and network shares. It also schedules a task to reload itself every day at a given time as well as on Windows startup. On top of this, it runs whenever a program with the extension BAT, COM, PIF, SCR, LNK, MOV, MPEG, or VBS is run. The program copies itself into several locations on the user's hard drive under the names of various games and other applications, and it hides its files. Finally, it disables System Restore and tampers with the Safe Boot mechanism.
Though not the first worm to use a game to entice players into running it, Romario is especially devious due to the universal appeal of Mario. The worm is currently detected by the latest versions of Aladdin, Ikarus, Kaspersky, Sophos, Fortinet, BitDefender, Virus Buster, and McAfee.