Virus:Win32/Induc.A


Virus:Win32/Induc.A is a virus that infects Delphi library source files. Any executables compiled/linked by the Delphi compiler on the affected machine will contain the malicious code.
 
Note: We have received many reports of files from the wild, such as utilities and other programs, infected by Virus:Win32/Induc.A. When a computer is infected by Virus:Win32/Induc.A, ALL files compiled or linked by the Delphi compiler on that computer will be infected. It appears that a large number of freely available applications have been unknowingly distributed while infected with this virus.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Virus:Win32/Induc.A attempts to locate the installed Borland Delphi root directory by searching the registry for the following entry:
 
Value: RootDir
Under Subkey: HKLM\Software\Borland\Delphi\x.0\
 
where x is the version number of Delphi (the value is generally from 4 to 7, although for some variants it is from 4 to 8).
Spreads via…
File infection
Virus:Win32/Induc.A copies the Delphi library source file source\rtl\sys\SysConst.pas, located under the Delphi root directory it found, to lib\SysConst.pas. It then appends malicious source code to the copied file.
 
Virus:Win32/Induc.A renames the original Delphi library file lib\SysConst.dcu to lib\SysConst.bak and then invokes the Delphi compiler (bin\dcc32.exe) to compile a new copy of SysConst.dcu from the modified copy of the source file (lib\SysConst.pas). Finally, Virus:Win32/Induc.A deletes the file lib\SysConst.pas and sets the date/time of the newly compiled lib\SysConst.dcu to match that of the original copy.
 
After a computer is infected by Virus:Win32/Induc.A, ALL files compiled/linked by the Delphi compiler on that computer will be infected.
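
A check for the on-disk artifacts described in this section, as an added example that is not part of the original entry: it reads RootDir for Delphi 4 to 8 and looks in lib for SysConst.bak, a leftover SysConst.pas, and a SysConst.dcu whose content differs from the .bak copy. It assumes a clean install has neither SysConst.bak nor SysConst.pas in lib; `delphi_roots`, `check_root` and `make_sample` are names chosen here, and the sample tree is constructed.

```python
import hashlib, os, sys
from pathlib import Path

def delphi_roots():
    """RootDir values under HKLM\\Software\\Borland\\Delphi\\x.0, x = 4..8 (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    roots = []
    for x in range(4, 9):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"Software\Borland\Delphi\{x}.0",
                                0, winreg.KEY_READ | winreg.KEY_WOW64_32KEY) as key:
                roots.append(Path(winreg.QueryValueEx(key, "RootDir")[0]))
        except OSError:
            pass  # this Delphi version is not installed
    return roots

def _find(lib, name):
    """Case-insensitive lookup; Windows file names are case-insensitive."""
    entries = lib.iterdir() if lib.is_dir() else []
    return next((p for p in entries if p.name.lower() == name.lower()), None)

def check_root(root):
    """Report the lib\\SysConst.* artifacts the write-up describes under a Delphi root."""
    lib = Path(root) / "lib"
    dcu, bak, pas = (_find(lib, n) for n in ("SysConst.dcu", "SysConst.bak", "SysConst.pas"))
    findings = [f"{p.name} present in lib" for p in (bak, pas) if p]
    if dcu and bak:
        sha = lambda p: hashlib.sha256(p.read_bytes()).digest()
        if sha(dcu) != sha(bak):
            same = int(dcu.stat().st_mtime) == int(bak.stat().st_mtime)
            findings.append("SysConst.dcu differs from SysConst.bak"
                            + (" despite identical timestamp" if same else ""))
    return findings

def make_sample(root, tampered):
    """Constructed sample tree (placeholder bytes, not real Delphi units)."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True)
    (lib / "SysConst.dcu").write_bytes(b"rebuilt" if tampered else b"original")
    if tampered:
        (lib / "SysConst.bak").write_bytes(b"original")
        for name in ("SysConst.dcu", "SysConst.bak"):
            os.utime(lib / name, (1250000000, 1250000000))

if __name__ == "__main__":
    for r in delphi_roots():
        print(r, check_root(r) or "no SysConst artifacts found")
```

Findings are triage leads for a build machine, and an empty result does not replace the full-system scan recommended above.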
 
Analysis by Chun Feng

Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Prevention


Alert level: Severe
First detected by definition: 1.63.1599.0
Latest detected by definition: 1.191.1670.0 and higher
First detected on: Aug 18, 2009
This entry was first published on: Aug 18, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases