Virus:Win32/Induc.A is a virus that infects Delphi library source files. Any executables compiled/linked by the Delphi compiler on the affected machine will contain the malicious code.
Virus:Win32/Induc.A attempts to locate the installed Borland Delphi root directory by searching the registry for the following entry:
Under Subkey: HKLM\Software\Borland\Delphi\x.0\
where x is the version number of Delphi (generally from 4 to 7, although for some variants it is from 4 to 8).
Virus:Win32/Induc.A copies the Delphi library source file source\rtl\sys\SysConst.pas from the Delphi root directory it found to lib\SysConst.pas, then appends malicious source code to the copied file.
Virus:Win32/Induc.A renames the original Delphi library file lib\SysConst.dcu to lib\SysConst.bak and then invokes the Delphi compiler (bin\dcc32.exe) to compile a new copy of SysConst.dcu from the modified source file (lib\SysConst.pas). Finally, Virus:Win32/Induc.A deletes lib\SysConst.pas and sets the timestamp of the newly compiled lib\SysConst.dcu to the date/time of the original copy.
After a computer is infected by Virus:Win32/Induc.A, ALL files compiled/linked by the Delphi compiler on that computer will be infected.
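The file operations described above leave traces in the Delphi lib directory that can be checked on a build machine. The following Python check is an added example, not part of the original analysis; it takes the Delphi root directory as a parameter rather than reading the registry. The function names, finding labels and the constructed sample tree are assumptions, and the checks are heuristics derived from the steps above.

```python
import hashlib, os, tempfile
from pathlib import Path

def _find(directory, name):
    # Windows paths are case-insensitive; match the name the same way on any OS.
    if directory.is_dir():
        for entry in directory.iterdir():
            if entry.name.lower() == name.lower():
                return entry
    return None

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_delphi_root(root):
    """Return findings for one Delphi root directory (empty list = nothing found)."""
    lib = Path(root) / "lib"
    bak, dcu, pas = (_find(lib, n) for n in ("SysConst.bak", "SysConst.dcu", "SysConst.pas"))
    findings = []
    if bak:  # the original unit is renamed to SysConst.bak
        findings.append("bak-present")
    if pas:  # assumption: a clean install keeps this source only under source\rtl\sys
        findings.append("pas-in-lib")
    if bak and dcu and _sha256(bak) != _sha256(dcu):
        findings.append("dcu-differs-from-bak")
        # Different content with an identical timestamp matches the copied date/time.
        if int(bak.stat().st_mtime) == int(dcu.stat().st_mtime):
            findings.append("timestamp-copied")
    return findings

def build_sample(root, modified):
    """Constructed sample tree for the demo; file contents are placeholders."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True)
    dcu = lib / "SysConst.dcu"
    dcu.write_bytes(b"placeholder original unit")
    os.utime(dcu, (1_000_000_000, 1_000_000_000))
    if modified:
        dcu.rename(lib / "SysConst.bak")  # rename keeps the original timestamp
        dcu.write_bytes(b"placeholder recompiled unit")
        os.utime(dcu, (1_000_000_000, 1_000_000_000))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, modified in (("clean", False), ("modified", True)):
            print(label, check_delphi_root(build_sample(Path(tmp) / label, modified)))
```

Run `check_delphi_root` against each installed Delphi root; any finding warrants comparing lib\SysConst.dcu with a copy from trusted installation media.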
Analysis by Chun Feng
There are no obvious symptoms that indicate the presence of this malware on an affected machine.