Threat behavior
Virus:Win32/Induc.A is a virus that infects Delphi library source files. Any executables compiled/linked by the Delphi compiler on the affected machine will contain the malicious code.
Installation
Virus:Win32/Induc.A attempts to locate the installed Borland Delphi root directory by searching the registry for the following entry:
Value: RootDir
Under Subkey: HKLM\Software\Borland\Delphi\x.0\
where x is the version number of Delphi (the value is generally from 4 to 7, although for some variants it is from 4 to 8).
Spreads via…
File infection
Virus:Win32/Induc.A copies the Delphi library source file source\rtl\sys\SysConst.pas, located under the Delphi root directory it found, to lib\SysConst.pas. It then appends malicious source code to the copied file.
Virus:Win32/Induc.A renames the original Delphi library file lib\SysConst.dcu to lib\SysConst.bak and then invokes the Delphi compiler (bin\dcc32.exe) to compile a new copy of SysConst.dcu from the modified copy of the source file (lib\SysConst.pas). Finally, Virus:Win32/Induc.A deletes the file lib\SysConst.pas and sets the newly compiled lib\SysConst.dcu to the same date/time as the original copy.
After a computer is infected by Virus:Win32/Induc.A, ALL files compiled/linked by the Delphi compiler on that computer will be infected.
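The file changes described above leave artifacts that a build machine can be checked for. The following triage script is an added example, not part of the original analysis: it looks in each Delphi root directory for lib\SysConst.bak and for a SysConst.dcu that differs from it while carrying the same timestamp. The function names are hypothetical, and reading the 32-bit registry view is an assumption about where these Delphi versions register.

```python
import hashlib
import os
import sys

def find_ci(directory, name):
    """Windows file names are case-insensitive; match the same way on any platform."""
    try:
        for entry in os.scandir(directory):
            if entry.is_file() and entry.name.lower() == name.lower():
                return entry.path
    except OSError:
        pass
    return None

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_delphi_root(root):
    """Return findings for one Delphi root directory (empty list: nothing found)."""
    lib = os.path.join(root, "lib")
    dcu, bak = find_ci(lib, "SysConst.dcu"), find_ci(lib, "SysConst.bak")
    findings = []
    if bak:
        findings.append("lib\\SysConst.bak present (name given to the renamed original)")
        if dcu and sha256(dcu) != sha256(bak):
            same = int(os.path.getmtime(dcu)) == int(os.path.getmtime(bak))
            findings.append("SysConst.dcu differs from SysConst.bak"
                            + (" yet carries the same timestamp" if same else ""))
    return findings

def delphi_roots_from_registry():
    """Windows only: RootDir under HKLM\\Software\\Borland\\Delphi\\x.0, x = 4..8 (32-bit view)."""
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
    roots = []
    for ver in range(4, 9):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                rf"Software\Borland\Delphi\{ver}.0", 0, access) as key:
                roots.append(winreg.QueryValueEx(key, "RootDir")[0])
        except OSError:
            pass
    return roots

if __name__ == "__main__":
    for root in sys.argv[1:] or delphi_roots_from_registry():
        for finding in check_delphi_root(root):
            print(f"{root}: {finding}")
```

Run without arguments on Windows to enumerate installations from the registry, or pass one or more root directories (for example from a mounted disk image) on any platform.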
Analysis by Chun Feng
Prevention