Thursday, August 20, 2009

Virus Win32:Induc

Hi all,

this morning, while I was programming in Delphi with my Delphi 7 IDE, I noticed that the exe I had just compiled was detected by my AV as a virus.

My AV is Avast!, and the compiled exe was detected specifically as Win32:Induc.

Win32:Induc is a newly emerging threat, dated 18/08/09.

I have googled and looked on my PC, and I can say this:

The virus first reads the registry key HKLM\Software\Borland\Delphi\X.0\RootDir, which specifies the folder where your Delphi IDE is installed.

[ X indicates the version of your Delphi IDE installed on your PC ]

Once it has done this, the virus targets the file SysConst.pas, a Delphi library source file located in Source\Rtl\Sys\ .
Then it looks for the \lib directory under Delphi's root directory, copies SysConst.pas to the \bin directory and injects malicious code into it.

Next, the virus renames the original Delphi library file \lib\SysConst.dcu to \lib\SysConst.bak.

In place of the original .dcu file, the virus invokes the Delphi compiler [ bin\dcc32.exe ] and compiles a new, infected SysConst.dcu library file.

It then deletes the .pas file it had injected the malicious code into (that is, SysConst.pas) and sets the date and time of the new SysConst.dcu to match those of the original file.

Once all this has been done, any project compiled with the Delphi IDE will be infected automatically.
Indeed, this is what happened to me :P

I resolved this problem, or at least it seems so, in this way:

- I deleted both SysConst files, i.e. the .bak and the .dcu, from \lib;

- I restored the original SysConst.pas from the setup folder to \Source\Rtl\Sys, and it was recompiled when I next compiled my project.

These two simple steps appear to have solved the problem; in fact, the compiled exe file is no longer detected as infected.

That's all for now, see you in the next post :)
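To check a Delphi installation for the indicators described above (the renamed \lib\SysConst.bak, and a recompiled SysConst.dcu that carries the original's copied timestamp), and to confirm after the cleanup steps that \lib is clean, here is an added Python script that is not part of the original post. The optional known-good hash is assumed to be taken from clean install media, and the sample directory tree is a constructed fixture.

```python
import hashlib
import os
import tempfile

# Paths named in the post, relative to the Delphi root directory (the RootDir
# value under HKLM\Software\Borland\Delphi\X.0).
LIB_DCU = os.path.join("lib", "SysConst.dcu")  # library file the virus recompiles
LIB_BAK = os.path.join("lib", "SysConst.bak")  # original .dcu, renamed by the virus


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def audit_delphi_install(root, known_good_dcu_sha256=None):
    """Return a list of Induc indicators found under root; empty means none seen."""
    findings = []
    dcu, bak = os.path.join(root, LIB_DCU), os.path.join(root, LIB_BAK)
    if os.path.exists(bak):
        findings.append("lib\\SysConst.bak exists: original SysConst.dcu was renamed")
    if os.path.exists(dcu) and os.path.exists(bak):
        # The virus copies the original timestamp onto the recompiled .dcu, so an
        # identical mtime with different content is the tell; never trust dates alone.
        same_time = os.stat(dcu).st_mtime_ns == os.stat(bak).st_mtime_ns
        if same_time and sha256_of(dcu) != sha256_of(bak):
            findings.append("SysConst.dcu differs from .bak yet carries its timestamp")
    if known_good_dcu_sha256 and os.path.exists(dcu):
        # known_good_dcu_sha256 is an assumed value taken from clean install media.
        if sha256_of(dcu) != known_good_dcu_sha256.lower():
            findings.append("SysConst.dcu hash does not match the known-good value")
    return findings


def make_sample_install(infected):
    """Constructed fixture: a throwaway directory tree shaped like a Delphi root."""
    root = tempfile.mkdtemp(prefix="delphi_")
    os.makedirs(os.path.join(root, "lib"))
    dcu, bak = os.path.join(root, LIB_DCU), os.path.join(root, LIB_BAK)
    with open(dcu, "wb") as f:
        f.write(b"clean SysConst.dcu (constructed)")
    if infected:
        os.rename(dcu, bak)  # step the post describes: original .dcu becomes .bak
        with open(dcu, "wb") as f:
            f.write(b"recompiled SysConst.dcu (constructed)")
        st = os.stat(bak)
        os.utime(dcu, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp copied back
    return root
```

Run audit_delphi_install against the real RootDir after the two cleanup steps; an empty list means neither the leftover .bak nor a timestamp-forged .dcu remains.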

Bye.

1 comment:

  1. Nice discovery Antelox, I hope you'll find more interesting stuff in da future, I wish you all the best. ;)

    Locu