
SANS ISC InfoSec Handlers Diary Blog



W32.Delezium/Impair.A virus being seen

Published: 2008-12-15
Last Updated: 2008-12-15 20:40:10 UTC
by Toby Kohlenberg (Version: 1)

We've received reports that the W32.Delezium (Symantec's name) / Impair.A (Sophos's name) virus is floating around and being a general pain in the neck. Note that Symantec's detection named "W32.Delezium/inf" only catches files the virus has infected, not the virus itself.

The Symantec report is more detailed than the Sophos report, but the two contradict each other on how the virus spreads. The virus is a standard file infector, but it also adds a registry entry so that it runs at every startup.

From the Symantec report:

"Next, the virus searches all local, removable and network drives for files with the following extensions, which it subsequently deletes:

  • .3dx
  • .3gp
  • .app
  • .as
  • .asp
  • .aspx
  • .avi
  • .cad
  • .css
  • .doc
  • .fla
  • .frm
  • .gif
  • .jar
  • .java
  • .jpg
  • .jsp
  • .mdb
  • .mp3
  • .mpg
  • .pdf
  • .ppt
  • .psd
  • .rar
  • .sis
  • .vb
  • .wmv
  • .xls
  • .zip

The virus then searches all removable drives for .exe files, which it then infects."
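The two behaviours described above (files with the listed extensions deleted, .exe files on removable media infected) lend themselves to a baseline-and-compare check on a suspect drive. The script below is an added example, not code from this diary or from Symantec or Sophos; it assumes you can hash the drive before and after the suspected exposure, and its sample "drive" is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Extensions the Symantec write-up says the virus deletes (list from the diary above).
AT_RISK_EXTS = {
    ".3dx", ".3gp", ".app", ".as", ".asp", ".aspx", ".avi", ".cad", ".css", ".doc",
    ".fla", ".frm", ".gif", ".jar", ".java", ".jpg", ".jsp", ".mdb", ".mp3", ".mpg",
    ".pdf", ".ppt", ".psd", ".rar", ".sis", ".vb", ".wmv", ".xls", ".zip",
}

def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def compare(baseline, current):
    """Return (changed_exes, missing_at_risk): .exe files whose contents changed since
    the baseline (possible file-infector activity), and at-risk files that vanished."""
    changed_exes = sorted(
        p for p, h in baseline.items()
        if p.lower().endswith(".exe") and p in current and current[p] != h
    )
    missing_at_risk = sorted(
        p for p in baseline
        if p not in current and os.path.splitext(p)[1].lower() in AT_RISK_EXTS
    )
    return changed_exes, missing_at_risk

def demo():
    """Constructed scenario: one .exe altered and one .doc deleted between snapshots."""
    with tempfile.TemporaryDirectory() as drive:
        def write(rel, data):
            full = os.path.join(drive, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("setup.exe", b"MZ-original")
        write("notes.txt", b"not an at-risk extension")
        write("docs/report.doc", b"quarterly report")
        baseline = build_manifest(drive)
        write("setup.exe", b"MZ-original+appended-code")  # executable changed
        os.remove(os.path.join(drive, "docs", "report.doc"))  # document deleted
        return compare(baseline, build_manifest(drive))
```

On a real drive, generate the baseline manifest while the media is known clean and keep it off the media itself; a changed .exe is a candidate for submission to your AV vendor, and the missing-file list tells you what to restore from backup.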
