But it also executes its sinister payload. The worm mass-mails itself to other individuals as well as attempts to infect removable drives and network shares. It also schedules a task to reload itself every day at a given time as well as on Windows startup. On top of this, it runs whenever a program with the extension BAT, COM, PIF, SCR, LNK, MOV, MPEG, or VBS are run. The program copies itself into several locations on the user's hard drive using various game and other application names and also hides its files. Finally, it disables System Restore and tampers with the Safe Boot mechanism.
Though not the first worm to use a game to entice players into running it, Romario is especially devious due to the universal appeal of Mario. The worm is currently detected in the latest versions of Aladdin, Ikarus, Kaspersky, Sophos, Fortinet, BitDefender, Virus Buster, and McAfee.
