WORM/DELF.FPV - new worm??

TheITDude

We noticed strange behavior on our systems - like the date changing back to
2007, and other strange things.

Our 'wonderful' Symantec Corporate edition does not detect anything, but I
loaded the AVG Free A/V and it found the WORM/DELF.FPV . I can't find any
info on this.

The symptoms are the hidden files autorun.inf and io,pif in root dirs and in
file shares. Also the files SERVICES.EXE in Common Files\Services tree.

I'm going to submit it to Symantec now, because the only cure I know is to
install the AVG server trial on ALL my servers and PCs to prevent
reinfection until Symantec addresses it.

Anybody else seen this or removed it an easier way?
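
A way to check a drive or share root for the symptoms listed in the post above, as an added example that is not part of the original thread or any vendor's tool. The function names and the sample autorun.inf contents are constructed for illustration; the thread does not show what the real file contains.

```python
import os
import re
import stat
import sys

# Standard AutoRun keys that name a program for Windows to launch.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample; the thread does not show the real file's contents.
SAMPLE_AUTORUN = ('[autorun]\nopen=example.pif\n'
                  'shell\\open\\command="example.pif"\n;open=ignored.exe\n')


def autorun_targets(text):
    """Return the commands an autorun.inf body asks Windows to launch."""
    targets = []
    for line in text.splitlines():
        m = LAUNCH_KEY.match(line)  # comment lines (";...") never match
        if m:
            targets.append(m.group(2).strip('"'))
    return targets


def is_hidden(path):
    """True/False on Windows; None where the hidden attribute is not exposed."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    return None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_root(root):
    """Check one drive or share root for autorun.inf and .pif files."""
    found = {"autorun_inf": False, "hidden": None, "targets": [], "pif_files": []}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower == "autorun.inf":
            found["autorun_inf"] = True
            found["hidden"] = is_hidden(path)
            with open(path, "r", errors="replace") as fh:
                found["targets"] = autorun_targets(fh.read())
        elif lower.endswith(".pif") or lower == "io,pif":  # name as posted
            found["pif_files"].append(name)
    return found


if __name__ == "__main__":
    for root in sys.argv[1:]:  # e.g. drive roots or UNC share paths
        print(root, scan_root(root))
```

Run it against each drive root and file share; a root that reports a hidden autorun.inf together with a .pif file matches the symptoms described in the post.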
 

wai

New Member
Jan 14, 2008
We are having the same problem. We have been unable to log a case with Symantec and have been using AVG to remove it. Please let me know if you hear any response from them.
 
Tom

wai wrote:
> We are having the same problem. We have been unable to log a case with
> Symantec and have been using AVG to remove it. Please let me know if
> you hear any response from them.
>
>

I have a nickel I'll bet that you get the same response from Symantec
that I got from McAfee when I reported a similar issue. "You caused the
problem yourself by having AVG and Symantec products installed on the
same system." When I told McAfee of registry changes that had been made
on my system by some malware they missed, and I was only able to find &
remove it with SpyBot S&D, the reply was that I caused the problem by
installing SpyBot. When I asked them how a program sitting in a file,
but NOT RUNNING could mess up McAfee's products, all they did was repeat
the same BS.
Good luck getting an answer.
 
David H. Lipman

From: "TheITDude" <TheITDude@discussions.microsoft.com>

| We noticed strange behavior on our systems - like the date changing back to
| 2007, and other strange things.
|
| Our 'wonderful' Symantec Corporate edition does not detect anything, but I
| loaded the AVG Free A/V and it found the WORM/DELF.FPV . I can't find any
| info on this.
|
| The symptoms are the hidden files autorun.inf and io,pif in root dirs and in
| file shares. Also the files SERVICES.EXE in Common Files\Services tree.
|
| I'm going to submit it to Symantec now, because the only cure I know is to
| install the AVG server trial on ALL my servers and PCs to prevent
| reinfection until Symantec addresses it.
|
| Anybody else seen this or removed it an easier way?
|

Please submit a copy of C:\Program Files\Common Files\Services\services.exe to Virus Total.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

** When you get the report, please post back the exact results.

If you can, please send me a copy of services.exe via email in a password protected ZIP file
with the password being infected
{ password = infected }
Just remove ~nospam~ from my posted email address.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

wai

New Member
Jan 14, 2008
We worked with Symantec all week and they now have a fix for this. It was just released as a rapid release. It was released about an hour ago 01/18/2008 1:45 PM EST:

Virus definition detail:

Sequence Number: 77632 (or higher)
Defs Version: 100118t
Extended Version: 01/18/2008 rev.20
 