
Here we have a website claiming you can “Play Super Mario Online”, complete with a looped YouTube video and a large “Start Here” button at the bottom of the page.

playmario4free(dot)com/networks/vc/index(dot)html

As you’re about to see, The Princess is most definitely in another Castle.

Hitting the “Start Here” button downloads a file called “SuperMario.exe”. However, this isn’t so much “It’s a me, Mario” as it is “It’s a me, a bunch of other stuff instead”.

During testing, we saw the following installer prompt:

As you can see, this is an installer for something called “StartNow”, a Toolbar from Zugo. Readers will recall a mention of their toolbars in this writeup, described as a “Bing-powered search toolbar with a history of installs performed through exploits and other misleading/deceptive means”. What’s particularly interesting here, though, is what happens should you hit the “Decline” button – StartNow goes away, but something called “Web Essentials” from Quantrologic is installed silently instead (you can see more about them in a fake codec writeup by Paretologic).

We’re still looking at it, but the “competitor killer” file has a rather interesting name – especially if you remember these antics from 2004/05. Here’s an example of adverts appearing on Facebook with this installed:

We informed Zugo about this bundle, and they reported to us that they were in the process of identifying and terminating the affiliate responsible. At time of writing, our US-based researchers confirm Zugo is still appearing in testing, whereas other regions end up with something altogether different. For example, this one is from the UK – say hello to “FaceTheme”:

Unfortunately, you’ll still end up with a silent Web Essentials install should you hit “Decline”:

We detect SuperMario.exe as Trojan.Win32.Generic!BT, and VirusTotal scores are currently at 9/42.

Christopher Boyd (Thanks to Matthew for finding this one)

Update 1: Matthew performed some additional analysis on the competitor_killer.exe. Here’s a list of the apps it targets (based on strings found in the file) – notice FaceTheme is listed, even though it is appearing in installs alongside Web Essentials above…

FBLayouts
GamePlayLabs
Yontoo/PageRage
FaceTheme
Cartoonly