Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

W32.Delezium/Impair.A virus being seen

We've gotten reports that the W32.Delezium (from Symantec)/Impair.A (from Sophos) virus is floating around and being a general pain in the neck. The detection from Symantec (as "W32.Delezium/inf") only catches infected files, not the virus itself.

The Symantec report is more detailed than the Sophos report, and there are some contradictions between the two on how the virus is spreading. The virus is a standard file infector but will also insert a registry entry to enable it to run at every startup.

From the Symantec report:

"Next, the virus searches all local, removable and network drives for files with the following extensions, which it subsequently deletes:

  • .3dx
  • .3gp
  • .app
  • .as
  • .asp
  • .aspx
  • .avi
  • .cad
  • .css
  • .doc
  • .fla
  • .frm
  • .gif
  • .jar
  • .java
  • .jpg
  • .jsp
  • .mdb
  • .mp3
  • .mpg
  • .pdf
  • .ppt
  • .psd
  • .rar
  • .sis
  • .vb
  • .wmv
  • .xls
  • .zip

The virus then searches all removable drives for .exe files, which it then infects."


68 Posts
Dec 15th 2008
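The behaviour quoted above (a burst of deletions across the listed extensions, then writes to .exe files on removable drives) can be turned into a simple per-process detection. This is an added example, not code from ISC, Symantec or Sophos; the pipe-delimited event format, the process names, and the 60-second / four-extension thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the quoted Symantec text lists as deleted by the virus.
TARGET_EXTS = set(""".3dx .3gp .app .as .asp .aspx .avi .cad .css .doc .fla .frm
.gif .jar .java .jpg .jsp .mdb .mp3 .mpg .pdf .ppt .psd .rar .sis .vb .wmv .xls
.zip""".split())

# Constructed sample events (assumed format): time|process|action|drive type|path
SAMPLE = r"""
2008-12-15T09:00:01|C:\Temp\a.exe|DELETE|fixed|C:\Docs\plan.doc
2008-12-15T09:00:02|C:\Temp\a.exe|DELETE|fixed|C:\Pics\cat.JPG
2008-12-15T09:00:03|C:\Temp\a.exe|DELETE|network|\\srv\share\db.mdb
2008-12-15T09:00:04|C:\Temp\a.exe|DELETE|removable|E:\music\song.mp3
2008-12-15T09:00:09|C:\Temp\a.exe|WRITE|removable|E:\setup.exe
2008-12-15T09:10:00|C:\Windows\explorer.exe|DELETE|fixed|C:\Pics\old.jpg
2008-12-15T10:10:00|C:\Windows\explorer.exe|DELETE|fixed|C:\Docs\old.doc
2008-12-15T11:10:00|C:\Windows\explorer.exe|DELETE|fixed|C:\Docs\old.pdf
2008-12-15T12:10:00|C:\Windows\explorer.exe|DELETE|fixed|C:\Docs\old.zip
2008-12-15T12:11:00|C:\Tools\inst.exe|WRITE|fixed|C:\Apps\tool.exe
"""

def ext(path):
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(text, window=timedelta(seconds=60), min_exts=4):
    """Return {process: evidence} for processes matching the described behaviour."""
    deletes, exe_writes = defaultdict(list), defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        ts, proc, action, drive, path = line.strip().split("|", 4)
        if action == "DELETE" and ext(path) in TARGET_EXTS:
            deletes[proc].append((datetime.fromisoformat(ts), ext(path)))
        elif action == "WRITE" and drive == "removable" and ext(path) == ".exe":
            exe_writes[proc].add(path)
    alerts = {}
    for proc, evs in deletes.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            distinct = sorted({e for _, e in evs[start:end + 1]})
            if len(distinct) >= min_exts:  # many targeted types deleted in a burst
                alerts[proc] = {"mass_delete": distinct,
                                "exe_infect": sorted(exe_writes[proc])}
                break
    return alerts
```

On the sample, only the process that deletes four targeted file types within seconds is flagged; the same four types deleted hours apart by another process stay below the threshold.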
