
Win32:Induc, new concept of file infector?
August 19th, 2009

jeno:
Quoting the avast! blog: "A few statistics: A few hours after VPS update 090818-0 (contains detection Win32:Induc) we received hundreds of suspected false positive alerts; all of them were infected. In the last 12 hours (since VPS was released) avast! has found ~200 000 infected files." »blog.avast.com/2009/08/19/win32i···nfector/
This infection was discovered 2 days ago, and all AV vendors are adding its detection to their virus databases because it is flagged as ITW (In The Wild). But this infection may be old - no one knows how old, but many software developers are infected and their software releases are infected too. Even if it is signed, it is infected! They were submitting infected copies to signing companies. The problem is that it is a new technique to infect - the executable infects source code (one Delphi library) - any program built with Delphi on an infected machine is infected too. So you can only get a clean installation after the software producer is clean and releases an absolutely new version. Or you may roll back to some old version which is not infected. »forum.avast.com/index.php?topic=47738.0
Stem Bolt (Cleveland, OH):
I came across a sample a few days ago. As of now, it's detected by around 24 anti-virus vendors according to virustotal.com.
-- MS Security Essentials + Online Armor Free + Router/SPI
reply to jeno:
See also:
»www.sophos.com/blogs/sophoslabs/post/6195
»www.sophos.com/blogs/sophoslabs/v/post/6189
»www.sophos.com/blogs/sophoslabs/post/6117
»www.sophos.com/blogs/gc/g/2009/0···-houses/
»www.f-secure.com/weblog/archives···752.html
reply to jeno, said by jeno:
"- any program built with delphi on infected machine is infected too."
Not quite true. Only programs built WITHOUT the runtime VCL package or without debug DCUs are infected.
If you build with the runtime VCL package, or link the debug DCUs, your applications will be clear.
mouse (australia), reply to jeno:
Very interesting - so what exactly does the virus do?
If it has been sitting on a PC for several months without being detected, what potential damage has already been done?
Also, how difficult is it to get rid of it?
Jrb2, reply to jeno:
Some ESET links:
»www.eset.eu/press/new-virus-win3···a-delphi
Blog from Randy Abrams called "The Retro-Virus" from 19 Aug 2009: »www.eset.com/threat-center/blog/
ahulett (Bellevue, WA), reply to jeno:
"The problem is that it is new technique to infect..."
No, this isn't a new concept. The idea's been around for a long time. We're just experiencing it at the moment and going through panic mode / shock for some reason. This really isn't that groundbreaking.
Our encyclopedia entry, for those interested: »www.microsoft.com/security/porta···fInduc.A
-- Aaron Hulett | Malware Researcher | Microsoft Malware Protection Center. This posting is provided "AS IS" without warranty, and confers no rights.
Did you opt-out of Comcast's Domain Helper Service? »preview.tinyurl.com/lfz9e4
joybear (San Diego, CA), reply to mouse:
An important note about this virus:
If you don't have Delphi (version 4, 5, 6, or 7) installed, this virus does absolutely nothing. Your anti-virus will report an infected exe as a threat, but it will not harm your system. Simply remove the infected exe.
And for those that do have the above version(s) of Delphi installed, all it does is benignly infect software as described in an earlier post.
Obviously some sort of "proof of concept" that got into the wild.
But of course, malicious forms of this are likely coming. The Delphi community is working to counter that threat. And other development environments are vulnerable as well.
Unnamed poster:
I had a few problems with this virus also. How do you determine if you have any versions of Delphi installed, and should you uninstall any and all versions of Delphi?
I did a search for all files and folders, and found a Borland Delphi version 7 located in my Win utilities/ hc_plugins/ third party apps folder. Should I delete it?
I'm really confused by this Delphi issue.
Thanks
ahulett (Bellevue, WA):
Delphi isn't "installed" per se. There are two parts here. The first part is the Delphi compiler, and the second part is the software compiled with it. Let's go over a very high-level view of what's happening here.
Where this starts is in the library files used by the Delphi compiler. This virus infects the library source files, and the end result is that whenever a program is compiled with the Delphi compiler, the program itself now contains the virus.
Then, the person/company that compiled that program puts it up on their website or distributes it however they choose, which allows the virus to spread to other machines. When the virus hits another machine, it checks to see if a Delphi compiler is present, and if so then it infects the compiler so that now this compiler also includes the virus in any programs made with it.
And if you have a Delphi compiler on your system - which would probably mean you're writing programs using some form of an Integrated Development Environment such as Borland Delphi or CodeGear Delphi - then the concern would be to make sure your libraries aren't infected. I'll take a bet that you don't have a Delphi compiler on your system, but if you do, then it'd be a good idea to check it out.
The part you're probably interested in is the second part - where the program obtained from the author contains the virus. It's important to note that simply having programs that were written using Delphi is just fine. The thing we're focused on here is if the file contains the virus code. If it does, then the virus needs to go, but if not, then it's alright to have.
If you had a couple of files that were detected as Induc, the way to go is to address the infected files (as in: use your antivirus software) and contact any vendors whose software is infected and see if they have a new version that's Induc-free.
Hopefully this helps.
//Aaron
--- Aaron Hulett | Microsoft Malware Protection Center. This post is provided "AS IS" without warranty, and confers no rights.
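The check Aaron describes for developers ("make sure your libraries aren't infected") comes down to knowing whether anything in the compiler's library tree has changed since a known-clean state. The following is an added example, not code from the thread or from any vendor: a baseline-hash manifest for a library directory, with a constructed scenario in which one unit source is altered and an unexpected compiled unit appears. The file names and the extension set are assumptions for the demo, not values from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

# Delphi unit source / compiled unit extensions (assumed set, not from the thread)
LIB_EXTS = {".pas", ".dcu", ".inc"}

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(lib_dir: Path) -> dict:
    """Hash every library unit; run this on an install known to be clean."""
    return {str(p.relative_to(lib_dir)): _sha256(p)
            for p in sorted(lib_dir.rglob("*"))
            if p.is_file() and p.suffix.lower() in LIB_EXTS}

def verify_manifest(lib_dir: Path, manifest: dict) -> dict:
    """Diff the current tree against the baseline.

    A modified or newly added unit inside the compiler's library tree is
    the signal to stop and investigate before shipping another build.
    """
    current = build_manifest(lib_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: take a clean baseline, then one unit source is rewritten."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "SomeUnit.pas").write_text("unit SomeUnit;\ninterface\nimplementation\nend.\n")
        (lib / "Other.pas").write_text("unit Other;\ninterface\nimplementation\nend.\n")
        manifest = build_manifest(lib)  # baseline taken while the install is clean
        # Simulate what the thread describes: a library source altered in place,
        # plus a compiled unit that was never part of the baseline.
        (lib / "SomeUnit.pas").write_text("unit SomeUnit;\n{ altered }\nend.\n")
        (lib / "Extra.dcu").write_bytes(b"\x00")
        return verify_manifest(lib, manifest)
```

Store the manifest somewhere the build machine cannot rewrite it, and re-run `verify_manifest` before each release build; an empty result is the only state in which the compiled output can be trusted on this point.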
antdude, reply to jeno:
Glary Utilities had two infected files because of this. The newer version fixed the problem in case anyone uses it. See »forum.glarysoft.com/viewtopic.php?f=4&t=342 for details.
Pentangle (Vancouver BC), reply to ahulett:
Thanks for the explanation Aaron. Curiously the .728 version of Glary Utilities was infected but was undetected by Avast until the .738 and clean version was released. It's still comforting to know that the virus was essentially harmless.
-- Knowledge is learning something new every day. Wisdom is letting go of something every day.
Unnamed poster:
Aaron,
Great explanation. Thanks. I assume I do not have the Delphi compiler as I am not a programmer. I believe you are right, in that I probably have a program that contains files written with the Delphi compiler. I scanned those files and they were clean so I guess I can leave them alone.
The original problems I had with this virus were connected to Weather Pulse and Gmail Keeper. Both of these programs have since been updated to a clean version and everything seems ok now.
Thanks again.