W32/Induc

Type: Virus
SubType: Win32
Discovery Date: 08/18/2009
Length:
Minimum DAT: 5713 (08/18/2009)
Updated DAT: 5805 (11/17/2009)
Minimum Engine: 5.2.00
Description Added: 08/18/2009
Description Modified: 08/20/2009 2:16 AM (PT)
Risk Assessment: Corporate User: Low-Profiled; Home User: Low-Profiled

Characteristics

-- Update August 19, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/08/19/delphi_malware/


--

  • The virus writes its malicious code into a SysConst.pas file in the \Lib directory.
  • It renames the existing SysConst.dcu to SysConst.bak.
  • A new SysConst.dcu is created by compiling the malicious SysConst.pas.
  • The malicious SysConst.pas file is then deleted.

This infection affects Delphi versions 4.0, 5.0, 6.0 and 7.0.

Symptoms

Presence of the file SysConst.bak in the \Lib folder.

Any file compiled with the infected Delphi compiler will also carry the viral code. The viral code will look like the one below.

This virus does not have a malicious payload.

Method of Infection

W32/Induc spreads by inserting its malicious code into every file compiled with the infected Delphi library.


Manual Removal:

  • Run a full system scan to detect and quarantine the W32/Induc infected files.
  • Delete the SysConst.dcu file from the \Lib directory of the Delphi installation.
  • Rename the SysConst.bak file in that \Lib directory to SysConst.dcu.
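As an added defender-side example (not McAfee's tooling or the page's own code), the following Python script checks a Delphi \Lib directory for the symptom listed above (SysConst.bak beside SysConst.dcu) and applies the second and third manual-removal steps; the function names, the placeholder file contents and the temp-directory sample layout are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# File names from the W32/Induc description; \Lib is the Delphi 4-7 library directory.
DCU = "SysConst.dcu"
BAK = "SysConst.bak"


def assess_lib_dir(lib_dir) -> dict:
    """Check a Delphi \\Lib directory for the symptom the description lists:
    the virus renames the clean SysConst.dcu to SysConst.bak and compiles a
    replacement SysConst.dcu, so both files side by side mark an infected compiler."""
    lib = Path(lib_dir)
    present = {name: (lib / name).is_file() for name in (DCU, BAK)}
    return {"files": present, "suspicious": present[BAK] and present[DCU]}


def restore_lib_dir(lib_dir) -> bool:
    """Manual-removal steps 2 and 3: delete the rebuilt SysConst.dcu and rename
    the original SysConst.bak back to SysConst.dcu. Returns True when a restore
    was performed; step 1 (scan and quarantine infected outputs) is the scanner's job."""
    lib = Path(lib_dir)
    if not assess_lib_dir(lib)["suspicious"]:
        return False
    (lib / DCU).unlink()
    (lib / BAK).rename(lib / DCU)
    return True


def dcu_bytes(lib_dir) -> bytes:
    """Current SysConst.dcu contents, used to verify that a restore took effect."""
    return (Path(lib_dir) / DCU).read_bytes()


def build_sample_lib(state: str) -> str:
    """Constructed (fake) \\Lib layout in a temp dir, for demonstration only.
    state is 'clean' or 'infected'; file contents are placeholders, not DCUs."""
    lib = Path(tempfile.mkdtemp(prefix="delphi_lib_"))
    (lib / DCU).write_bytes(b"clean-dcu-placeholder")
    if state == "infected":
        (lib / DCU).rename(lib / BAK)            # virus keeps the original as .bak
        (lib / DCU).write_bytes(b"rebuilt-dcu")  # compiled from the patched .pas
    return str(lib)


if __name__ == "__main__":
    lib = build_sample_lib("infected")
    print(assess_lib_dir(lib))
    print("restored:", restore_lib_dir(lib), assess_lib_dir(lib))
```

Point it at a real \Lib path only after the scanner has quarantined the infected build outputs, since the rename alone does not clean binaries already produced by the infected compiler.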

Removal

All Users:
Use current engine and DAT files for detection. Replace files not cleaned with backup copies.

Variants

N/A

Overview


W32/Induc is a virus that adds its malicious code to the Delphi library files, thereby inserting itself into the compilation process. Any file compiled with the infected Delphi compiler will also be infected.

Many customers believe they have a false positive because a file they compiled themselves is now detected. The detection is correct: the virus was compiled into the binary itself. This threat also went unnoticed for almost a year, so customers submit files that have not changed in over a year and are homegrown, on CD or from a reliable source, thinking the detection is a false positive.
