W32.Deledsig.A


Aliases: Win32/Viking.MW, W32/HLLP.Philis, Worm.Win32.Viking.ma, Worm.Viking!sd6
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Parts of Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 14 Sep 2007
Damage: Low

Characteristics: W32.Deledsig.A is a virus that infects all executable files. It also changes the size of files with particular extensions, namely .mc9, .mc8, .prt, .pfm and .igs. Its infection length is 160,768 bytes.

More details about W32.Deledsig.A

This virus first appeared in China on September 14, 2007. It allegedly can create copies of itself. Once it has entered the system, it will use its resources to infect other computers. It may be sent to the user in an e-mail or instant message. The user may also download it from peer-to-peer (P2P) file sharing networks.

On the Windows system it infects, the virus creates the file %Temp%\Updata.exe. It then creates five registry entries. After creating these entries, the virus infects all .exe files stored on the computer, except .exe files whose paths contain the following names: WINDOWS, WINNT, Program Files, Mcam9 and Mcam8. The virus then truncates files with the following extensions to zero bytes: .mc9, .mc8, .prt, .pfm and .igs. At that point the infection is complete.
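A host triage check for the behaviour described above, as an added example that is not part of the original write-up: it looks for Updata.exe in a temp directory, zero-byte files with the listed extensions, and .exe files outside the excluded paths. The function names, the constructed sample tree, and the reading of the excluded path names as whole directory components are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Values taken from the write-up above.
TRUNCATED_EXTS = {".mc9", ".mc8", ".prt", ".pfm", ".igs"}
EXCLUDED_DIRS = {"windows", "winnt", "program files", "mcam9", "mcam8"}
DROPPED_NAME = "updata.exe"  # created under %Temp%

def triage(root, temp_dir):
    """Collect host artifacts matching the described behaviour."""
    found = {"dropped": [], "zeroed": [], "exe_in_scope": []}
    dropped = Path(temp_dir)
    if dropped.is_dir():
        found["dropped"] = sorted(
            str(p) for p in dropped.iterdir()
            if p.is_file() and p.name.lower() == DROPPED_NAME)
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: "path names" is read as whole directory components.
        rel_parts = {p.lower() for p in Path(dirpath).relative_to(root).parts}
        excluded = bool(rel_parts & EXCLUDED_DIRS)
        for name in files:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable entry: skip, do not abort the sweep
            ext = path.suffix.lower()
            if ext in TRUNCATED_EXTS and size == 0:
                found["zeroed"].append(str(path))
            elif ext == ".exe" and not excluded:
                found["exe_in_scope"].append(str(path))
    found["zeroed"].sort()
    found["exe_in_scope"].sort()
    return found

def demo():
    """Run triage over a constructed tree (sample data, not real artifacts)."""
    with tempfile.TemporaryDirectory() as base:
        layout = {"Temp/Updata.exe": b"x", "Data/part.MC9": b"",
                  "Data/ok.prt": b"geometry", "Tools/app.exe": b"MZ",
                  "WINDOWS/notepad.exe": b"MZ"}
        for rel, data in layout.items():
            target = Path(base, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        result = triage(Path(base), Path(base, "Temp"))
        return {k: [Path(p).relative_to(base).as_posix() for p in v]
                for k, v in result.items()}
```

Zero-byte matches and in-scope .exe files are candidates for review (restore from backup, compare against known-good copies), not proof of infection on their own.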

Based on some studies, infected files may also be placed in shared network resources. Users may be tricked into granting the infected file access to the system. It may be labeled as a popular download, media file or cracked retail software. It may also be spread via removable memory devices such as CDs and flash disks. This virus infects most Windows operating systems. The components it uses are typically named after core system processes. These files may be located in more than one file path. This allows the worm program to re-spawn even when some of its executable files have been removed. Processes are also added as values to the system registry. This allows the worm program to run once the system is started. The registry entries also allow the software to access system resources.