WARNING CS.EXE is INFECTED w/ DELWIN.1759 Virus

Joe Boucher BoucherJC at lmtas.lmco.com
Fri Mar 6 16:27:38 GMT 1998


NAME: Delwin
ALIAS: Windel
TYPE: Stealth MBR Boot Resident EXE-files
SIZE: 1759
ORIGIN: Denmark

Delwin was found in Denmark in Spring 1995. It infects the MBR of the hard drive as well as all accessed EXE files. Delwin is a fast infector.

Delwin is also a full stealth virus, hiding all the changes to boot sectors and EXE files as long as it is resident.

The virus is encrypted and contains the text "DELWIN". Delwin activates when WIN.COM is executed. After this, it will modify the 'check-dos-version' service to always report v2.10. This will prevent many programs from being executed. Otherwise the virus is harmless.

Delwin.1759 got widespread circulation in May 1996 when an infected copy of the full version of 'Duke Nukem 3D' game was distributed via pirate systems.

There is also another variant, 1199 bytes in length.

[Analysis: Mikko Hypponen, Data Fellows]



