E-mails sent by the worm use the following text in the message body:
Hi There, Do You Like Mario Bross ? Test it, and you'll like it ;]!
Attached to the e-mails is a file containing the Romario-A worm, which in addition to launching a game starring the portly Italian plumber, also attempts to infect other unprotected computers via mass-mailing itself as a file attachment, as well as spreading via removable shared drives.
Experts note that Romario-A aims to cause maximum impact by scheduling a daily task to ensure the worm runs regularly at a specified time.
"Fraudsters are constantly innovating to find new ways of tapping into users' psyches to tempt them into clicking on infected links and attachments," said Graham Cluley, senior technology consultant at Sophos. "Nintendo's resurgence in the games market with the Wii console and Mario's global retro appeal are factors playing directly into the hands of cyber criminals keen to dupe users. This kind of attack is particularly stealth-like because nostalgic gamers can actually play the game once they click, giving them no reason to suspect that something more sinister is lurking beneath."
Romario-A is the latest in a series of malware that purports to be computer games or to actually run real games. This trick has been employed many times in the past by malware authors, notably, the W32/Bagle-U worm, which attempts to start the Microsoft Hearts game, the W32/Coconut-A virus, which urged infected users to throw coconuts at pictures of a computer security expert and the Troj/Gonori-A Trojan, which plays Minesweeper when run.
The worm is also set to run when files with extensions of BAT, COM, PIF and SCR are opened or launched.
