Delwin Virus


 Virus Name:  Delwin 
 Aliases:     Delwin.1759 
 V Status:    In the wild 
 Discovered:  July, 1996 
 Symptoms:    .EXE file growth; file date/time seconds = "62"; 
              decrease in total system & available free memory; 
              master boot sector altered 
 Origin:      Unknown 
 Eff Length:  1,759 Bytes 
 Type Code:   PRtEX - Parasitic Resident .EXE & Master Boot Sector Infector 
 Detection Method:  F-Prot, AVTK 7.61+, IBMAV, ViruScan 2.51+, PCScan 5.02+, 
                    NAV 3.09 9608+, NAVBoot 0.A 9608+, ChAV, 
                    Innoc 4.0+, NProt, AVTK/N 7.61+, IBMAV/N, LProt, 
                    NShld 2.32 9607+, NAV/N 2.0 9607+ 
 Removal Instructions:  Delete infected programs & Replace MBR 
 
 General Comments: 
       The Delwin virus was received in July, 1996, and has been reported 
       to be "in the wild".  Its origin or point of isolation is unknown. 
       Delwin is a stealth, multi-partite virus which infects the hard 
       disk master boot sector and .EXE files. 
 
       The first time a program infected with the Delwin virus is executed, 
       this virus will infect the system hard disk master boot record.  It 
       does not become memory resident or infect .EXE files at this time. 
 
       Later, when the system user boots the computer from the system 
       hard disk, Delwin will become memory resident, lowering the memory 
       size returned by interrupt 12.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program from DOS 5.0, will 
       have decreased by 2,048 bytes.  Interrupts 13, 1C and 21 will be 
       hooked by the virus in memory. 
 
       Once this virus is memory resident, it will infect .EXE files when 
       they are executed or opened.  Infected .EXE files will have a file 
       length increase of 1,759 bytes, though this file length increase 
       will be hidden when the virus is memory resident.  The virus will 
       be located at the end of the file.  The program's date and time 
       in the DOS disk directory listing will not appear to be altered, 
       though the seconds field will have been set to "62".  The following 
       text string is encrypted within the viral code: 
 
           "DELWIN" 
 
       The Delwin virus is a full stealth virus, disinfecting programs 
       as they are read into memory.  As a result, if anti-viral programs 
       are executed with the virus memory resident, they may not detect 
       changes in infected programs if they are unaware of the virus in 
       memory.  If you suspect you have this virus, be sure to boot from 
       a known clean system disk before executing anti-viral programs. 
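
The seconds = "62" symptom above can be checked directly in raw FAT directory data, since DOS directory listings do not show seconds. The following is an added example, not part of the original entry: it assumes the standard 32-byte FAT 8.3 directory entry layout, and the function names and sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32           # one FAT 8.3 directory entry
MARKER_SECONDS = 62       # value this page lists as a Delwin symptom

def decode_dos_time(word):
    """Split a 16-bit DOS time word into (hours, minutes, seconds)."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def find_marked_exe(raw_dir):
    """Return (name, size, time) for .EXE entries whose seconds field is 62."""
    hits = []
    for off in range(0, len(raw_dir) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw_dir[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # end of directory
            break
        attr = entry[11]
        if entry[0] == 0xE5 or attr == 0x0F or attr & 0x18:
            continue                  # deleted, long-name, volume label, subdirectory
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_word, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        h, m, s = decode_dos_time(time_word)
        if ext.upper() == "EXE" and s == MARKER_SECONDS:
            hits.append((f"{name}.{ext}", size, f"{h:02d}:{m:02d}:{s:02d}"))
    return hits

def make_entry(name, ext, attr, h, m, s, size):
    """Build a constructed directory entry for the sample below."""
    time_word = (h << 11) | (m << 5) | (s // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_word, 0x20E1, 2, size))

# Constructed sample directory (not taken from a real disk).
SAMPLE_DIR = b"".join([
    make_entry("EDIT", "EXE", 0x20, 9, 30, 14, 41759),    # normal seconds
    make_entry("GAME", "EXE", 0x20, 12, 0, 62, 25759),    # seconds field = 62
    make_entry("README", "TXT", 0x20, 12, 0, 62, 512),    # not an .EXE
    make_entry("TOOLS", "", 0x10, 8, 0, 62, 0),           # subdirectory
    bytes(ENTRY_SIZE),                                    # end marker
])

if __name__ == "__main__":
    for name, size, stamp in find_marked_exe(SAMPLE_DIR):
        print(f"{name:<12} {size:>8} bytes  {stamp}  seconds=62 marker")
```

DOS stores seconds as a 5-bit count of two-second units, so a normal timestamp never exceeds 58 seconds and a value of 62 is a marker rather than a real time. Run the check on directory sectors read after booting from a known clean system disk, in line with the stealth caveat above.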
