Mario Forever contains crypto malware – my quest for a clean version

The Super Mario game Mario Forever allegedly contains malware. It will turn your Windows PC into a crypto-mining station. And steal other data, too. Still, I want to play this game. But how? I set off on my quest.

Security experts from Cyble have detected malware in Super Mario 3: Mario Forever. Or rather, in a tampered variant of version 702e, which is about three years old and also the latest version of the game.

Softendo is the software’s official distributor
Source: Florian Bodoky

Mario Forever was originally developed by Buziol Games in 2003. So it wasn’t made by Nintendo. Rather, it’s an homage to Super Mario Bros. 3 on the NES. Several original game elements were included to give players that NES feeling. The free game has been downloaded and played millions of times. I also want to play it. Just minus the malware. So how do I go about this?

Where did the contaminated version come from?

Cyble assumes it was distributed via gaming forums, social media groups or malvertising in general. The installer’s called «super-mario-forever7092e.exe». The file also contains the malware. Of course, it’s not called «EvilMalware.exe», but has an unsuspicious name that fits the game.

As a general rule, you should be cautious when downloading files. A version of 702e that’s been tampered with has now been discovered. This doesn’t mean all other versions of the game are free from malware. The game’s available for download on dozens of forums as well as from third-party suppliers. Even if you search for the game on Google, the software may be compromised.

What does the malware do?

Cyble detected several malicious components in the game’s installer package. One of them is the programme SupremeBot, a mining client that mines the cryptocurrency Monero on infected computers. The tool connects to a mining server and transfers the coins to it. Mining eats a lot of resources, so if your system load is unusually high for no apparent reason, that could be an indicator.

The malware drives up CPU usage.
Source: Florian Bodoky

The tool’s clever. First, it duplicates itself. The copy then hides in the Windows AppData folder, where it’s hard to detect, and the original deletes itself. After that, SupremeBot runs every 15 minutes, using a different, inconspicuous process name each time. That way, the malware hides both from you and from any protection programs you might have. Last but not least, a malware called Umbral follows suit. Under certain circumstances, this so-called stealer flies under Windows Defender’s radar, because SupremeBot adds its process to Defender’s list of exclusions. Currently, it’s still unclear which virus scanners detect the file and which don’t.

This program steals data from your PC. It also provides SupremeBot information about your cryptowallets. According to Cyble, the malware can take screenshots, record webcam images and extract passwords and cookies from the browser. Even Discord tokens and Telegram login credentials aren’t safe from being tapped into.

Moreover, the malware can modify the hosts file, which Windows consults before it asks DNS. This can block access to certain antivirus websites: it simply maps the domain name to the IP address 0.0.0.0, which is unreachable.
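As an added illustration (not part of the original article), here is a small Python script that parses a hosts file and flags hostnames mapped to an unreachable address, the trick described above; the sample file and the .test domain names are constructed:

```python
from pathlib import Path
from typing import List, Tuple

# Addresses that make a hostname unreachable when placed in the hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names a stock Windows hosts file legitimately maps to loopback.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in hosts-file text.

    Comments after '#' are stripped; one IP may be followed by several names.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def find_sinkholed(text: str) -> List[Tuple[int, str]]:
    """Hostnames pointed at an unreachable address, minus the stock loopback names."""
    return [(lineno, name) for lineno, ip, name in parse_hosts(text)
            if ip in SINKHOLE_ADDRESSES and name not in EXPECTED_LOOPBACK]


def scan_windows_hosts() -> List[Tuple[int, str]]:
    """Check the real hosts file on a Windows machine (path is the standard one)."""
    path = Path(r"C:\Windows\System32\drivers\etc\hosts")
    return find_sinkholed(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a stock hosts file plus two tampered lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 example-antivirus.test   # constructed: vendor site sinkholed
0.0.0.0 updates.example-antivirus.test definitions.example-antivirus.test
"""

if __name__ == "__main__":
    for lineno, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is sinkholed")
```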

Am I affected?

It remains unclear how the malware-spiked game versions have been circulating, how many of them are out there, or which channels they’re being offered on. The game’s old and available for free, so there are many third-party providers.

To find out if you’ve installed an infected version, follow these steps:

  1. Check whether the installer created any additional .EXE files or shortcuts after it ran. Be sure to delete them.
  2. If you’ve already executed these EXE files, check your CPU load. Is it unusually high? Then your PC may be mining, and you need to look for suspicious processes.
  3. Check your AppData folder (C:\Users\Username\AppData). Sort the files by date and see if a file was slipped in at the time you installed the game. Can you spot any of the following three files: Java.exe, Atom.exe or wime.exe? That’s bad news. Delete them.
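The AppData check from step 3, scripted as an added example (not the article’s own tooling): it walks a folder and flags the three listed file names as well as any executable modified within an hour of the install time. The sample folder layout, its file names and the install date are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Tuple

# File names the article lists as indicators (matched case-insensitively).
SUSPECT_NAMES = {"java.exe", "atom.exe", "wime.exe"}

def suspicious_files(root: Path, installed_at: datetime,
                     window: timedelta = timedelta(hours=1)) -> List[Tuple[Path, str]]:
    """(path, reason) for listed names or executables modified near the install time."""
    hits = []
    lo, hi = installed_at - window, installed_at + window
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                modified = datetime.fromtimestamp(p.stat().st_mtime)
            except OSError:  # file vanished or is locked; skip it
                continue
            if fn.lower() in SUSPECT_NAMES:
                hits.append((p, "name listed as indicator"))
            elif fn.lower().endswith(".exe") and lo <= modified <= hi:
                hits.append((p, "executable written around install time"))
    return hits

def build_constructed_sample(base: Path, installed_at: datetime) -> None:
    """Constructed AppData layout: two benign files and two that should be flagged."""
    ts = installed_at.timestamp()
    files = {
        "Roaming/Microsoft/settings.dat": ts - 86400 * 30,  # old, benign
        "Local/Temp/readme.txt": ts + 60,                    # new, but not an exe
        "Roaming/Java.exe": ts - 86400 * 30,                 # listed name, any age
        "Local/Updater/launcher.exe": ts + 120,              # exe dropped at install time
    }
    for rel, mtime in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # placeholder content, not a real executable
        os.utime(p, (mtime, mtime))

def demo() -> List[Tuple[str, str]]:
    """Scan the constructed sample; the install time is made up."""
    installed_at = datetime(2023, 6, 26, 12, 0, 0)
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_constructed_sample(base, installed_at)
        return sorted((p.relative_to(base).as_posix(), why)
                      for p, why in suspicious_files(base, installed_at))
```

To scan a real profile, call `suspicious_files(Path(os.environ["APPDATA"]).parent, install_time)`; the result is a list to review, not something to delete blindly, since a legitimately installed Java could carry the same file name.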

And remember to keep Windows and your virus scanner up to date.

I’ve been infected! What should I do?

If Umbral is detected by your virus scanner, you should delete it (your virus scanner will give you this option). As it grabs data from your browser, you should change passwords you use to access services. At least, if you’ve saved them in your browser. Also make sure to change access data to Discord or Telegram. The same applies if you get a notification from your firewall. If you see that attempts were made to connect to C2 servers called «shadowlegion» or «silent legion», your alarm bells should be going off. C2 stands for Command-and-Control-Infrastructure – a collection of tools an infected device uses to communicate with the platform from which the attack was launched. If the malware on your computer needs additional software, it will download it this way.

Where can I get the game minus the nasty surprise?

As mentioned earlier, the latest version of the game’s already three years old and hasn’t been worked on since then. A manipulated variant of this exact version was found on the net. Sure, shady forums and social media groups aren’t your most reliable sources. That’s why I want to present you with a safe source. To find one, I set up a virtual machine, install Windows 11 and get Super Mario 3: Mario Forever. I download it from the website of the distributor Softendo.

Neither Softendo nor Buziol Games are listed as publishers. Despite the official download.
Source: Florian Bodoky

I start the setup and Windows asks me if I really want to install an app from an unknown publisher. Indeed, neither Softendo nor Buziol Games are showing up. But this does happen occasionally with older software. Still, this doesn’t exactly inspire confidence.

The setup ends and generates a shortcut on my desktop. I wasn’t asked. I double-click and a window opens. There’s a Play Game button, but also one that strongly recommends downloading others. I want to play and select a gaming style (OLD TV NES). The game doesn’t start. Instead, another start screen appears. There’s a Start Game button, and yet another recommendation for a different Mario fan game. I start the game. The level begins.

Although I really want to play, the software still tries to push other downloads several times. That’s annoying.
Source: Florian Bodoky

The game’s sluggish and buggy. It reminds me of my first attempts at Java when I was still an apprentice. My commands are either not executed or delayed. This could be down to my lacking talent. But even after three tries, I fail to complete the level.

The gaming fun is meh.
Source: Florian Bodoky

The fan on my 2021 laptop sounds like a helicopter. A look at the Task Manager reveals that the Softendo program is a real CPU hog. I close the task and the game. Then I discover a second shortcut on my desktop. One that wasn’t there after the setup was completed. Strange.

Who might you be? A second shortcut shows up on my desktop.
Source: Florian Bodoky

I upload the EXE file of the game to Virustotal.com. Virustotal is a free online service that scans programs on demand with dozens of virus scanners. Ta-da, a dropper’s crept in. Droppers «help» spread and install malware. So-called non-persistent droppers can even remove themselves after the malware’s been installed. Persistent droppers clone themselves and hide. Antivirus programs can also be blocked and signatures bypassed. In short, a dropper isn’t something you want on your system.

Virustotal finds a dropper.
Source: Florian Bodoky

I delete the entire virtual machine.

My verdict

Unfortunately, my current conclusion is: give Mario Forever a miss. If even the official distributor website has versions that include droppers, you’re playing Russian roulette. Your chances of winning? Not great. If you have a Nintendo Switch and a Nintendo Switch Online subscription, dozens of classics are available to you for free anyway. They’re more fun and not as buggy.
