
W32.Delezium/Impair.A virus being seen - SANS Internet Storm Center



We've gotten reports that the W32.Delezium (from Symantec)/Impair.A (from Sophos) virus is floating around and being a general pain in the neck. The detection from Symantec (as "W32.Delezium/inf") only catches infected files, not the virus itself.

The Symantec report is more detailed than the Sophos report, and there are some contradictions between the two on how the virus is spreading. The virus is a standard file infector but will also insert a registry entry to enable it to run at every startup.

From the Symantec report:

"Next, the virus searches all local, removable and network drives for files with the following extensions, which it subsequently deletes:

  • .3dx
  • .3gp
  • .app
  • .as
  • .asp
  • .aspx
  • .avi
  • .cad
  • .css
  • .doc
  • .fla
  • .frm
  • .gif
  • .jar
  • .java
  • .jpg
  • .jsp
  • .mdb
  • .mp3
  • .mpg
  • .pdf
  • .ppt
  • .psd
  • .rar
  • .sis
  • .vb
  • .wmv
  • .xls
  • .zip

The virus then searches all removable drives for .exe files, which it then infects."

Toby
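The extension list quoted above can serve as a behavioural signal for defenders: one process deleting many of these file types in a short span. The following is an added example, not code from this diary or from the Symantec or Sophos reports; the event tuple format, the process names, the sample paths and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Extensions the quoted Symantec report says the virus deletes.
TARGETED = {
    ".3dx", ".3gp", ".app", ".as", ".asp", ".aspx", ".avi", ".cad", ".css",
    ".doc", ".fla", ".frm", ".gif", ".jar", ".java", ".jpg", ".jsp", ".mdb",
    ".mp3", ".mpg", ".pdf", ".ppt", ".psd", ".rar", ".sis", ".vb", ".wmv",
    ".xls", ".zip",
}

def flag_mass_deletion(events, window=60, min_files=5, min_exts=3):
    """Return {process: peak_count} for processes that deleted at least
    min_files targeted files spanning min_exts extensions within `window` s.
    Thresholds are illustrative assumptions, not from either vendor report."""
    recent = defaultdict(deque)   # process -> (ts, ext) pairs still in window
    flagged = {}
    for ts, process, action, path in sorted(events):
        ext = PureWindowsPath(path).suffix.lower()
        if action != "delete" or ext not in TARGETED:
            continue
        q = recent[process]
        q.append((ts, ext))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= min_files and len({e for _, e in q}) >= min_exts:
            flagged[process] = max(flagged.get(process, 0), len(q))
    return flagged

# Constructed sample events: (epoch seconds, process, action, path).
SAMPLE_EVENTS = [
    (100, "winword.exe", "delete", r"C:\Users\a\~tmp1.doc"),
    (101, "unknown.exe", "delete", r"C:\Users\a\report.doc"),
    (102, "unknown.exe", "delete", r"C:\Users\a\photo.JPG"),
    (103, "unknown.exe", "delete", r"E:\music\song.mp3"),
    (104, "unknown.exe", "delete", r"\\fileserver\share\budget.xls"),
    (105, "unknown.exe", "delete", r"E:\backup\site.zip"),
    (106, "unknown.exe", "write",  r"E:\setup.exe"),
    (400, "winword.exe", "delete", r"C:\Users\a\~tmp2.doc"),
    (900, "backup.exe",  "delete", r"D:\old\a.zip"),
    (901, "backup.exe",  "delete", r"D:\old\b.zip"),
]

if __name__ == "__main__":
    print(flag_mass_deletion(SAMPLE_EVENTS))
```

Requiring several distinct extensions keeps routine single-type cleanup (temp files, archive rotation) from tripping the rule.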
