

mouse
Premium
join:2007-03-29
australia

reply to jeno

Re: Win32:Induc, new concept of file infector?

Very interesting - so what exactly does the virus do?

If it has been sitting on a PC for several months without being detected, what potential damage has already been done?

Also, how difficult is it to get rid of it?

joybear

join:2002-09-10
San Diego, CA

An important note about this virus:

If you don't have Delphi (version 4, 5, 6, or 7) installed, this virus does absolutely nothing. Your anti-virus will report an infected exe as a threat, but it will not harm your system. Simply remove the infected exe.

And for those that do have the above version(s) of Delphi installed, all it does is benignly infect software as described in an earlier post.

Obviously some sort of "proof of concept" that got into the wild.

But of course, malicious forms of this are likely coming. The Delphi community is working to counter that threat. And other development environments are vulnerable as well.


wideglide36

join:2003-11-08
Altoona, PA

I had a few problems with this virus also.
How do you determine if you have any versions of Delphi installed, and should you uninstall any and all versions of Delphi?

I did a search for all files and folders, and found a Borland Delphi version 7 located in my Win utilities/ hc_plugins/ third party apps folder. Should I delete it?

I'm really confused by this Delphi issue.

Thanks



ahulett
Life Without Walls
Premium,VIP
join:2003-02-02
Bellevue, WA
kudos:2

Delphi isn't "installed" per se. There's two parts here. The first part is the Delphi compiler, and the second part is the software compiled with it. Let's go over a very high-level view of what's happening here.

Where this starts is in the library files used by the Delphi compiler. This virus infects the library source files, and the end result is that whenever a program is compiled with the Delphi compiler, the program itself now contains the virus.

Then, the person/company that compiled that program puts it up on their website or distributes it however they choose, which allows the virus to spread to other machines. When the virus hits another machine, it checks to see if a Delphi compiler is present, and if so then it infects the compiler so that now this compiler also includes the virus in any programs made with it.

And if you have a Delphi compiler on your system - which would probably mean you're writing programs using some form of an Integrated Development Environment such as Borland Delphi or CodeGear Delphi - then the concern would be to make sure your libraries aren't infected. I'll take a bet that you don't have a Delphi compiler on your system, but if you do, then it'd be a good idea to check it out.

The part you're probably interested in is the second part - where the program obtained from the author contains the virus. It's important to note that simply having programs that were written using Delphi is just fine. The thing we're focused on here is if the file contains the virus code. If it does, then the virus needs to go, but if not, then it's alright to have.

If you had a couple files that were detected as Induc, the way to go is to address the infected files (as in: use your antivirus software) and contact any vendors whose software is infected and see if they have a new version that's Induc-free.

Hopefully this helps.

//Aaron

---
Aaron Hulett | Microsoft Malware Protection Center
This post is provided "AS IS" without warranty, and confers no rights.
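
An added example, not part of the post above or of any vendor tool: one way a developer could confirm that a compiler's library files are unchanged since a known-clean install, by comparing SHA-256 hashes against a saved baseline. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(lib_dir):
    """Map each file under lib_dir (relative path) to its SHA-256 digest."""
    root = Path(lib_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(lib_dir, baseline):
    """Compare lib_dir with a baseline recorded from a known-clean install."""
    current = snapshot(lib_dir)
    return {
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def is_clean(report):
    """True only when nothing was modified, added or removed."""
    return not any(report.values())


def demo():
    """Constructed scenario: file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "unit_a.pas").write_text("unit unit_a; // original source\n")
        (lib / "unit_a.dcu").write_bytes(b"compiled-original")
        baseline = snapshot(lib)  # taken while the library is trusted
        clean_report = audit(lib, baseline)
        # Simulate the change described in the thread: a library unit is altered
        # and a file the clean install never had appears beside it.
        (lib / "unit_a.dcu").write_bytes(b"compiled-with-extra-code")
        (lib / "unit_a.bak").write_text("unit unit_a; // original source\n")
        return clean_report, audit(lib, baseline)


if __name__ == "__main__":
    clean, tampered = demo()
    print("before:", clean)
    print("after: ", tampered)
```

The baseline is only as trustworthy as the install it was taken from, so record it from original media and store it somewhere the build machine cannot write to.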



Pentangle
With our thoughts we make the world.
Premium
join:2006-06-01
Vancouver BC
kudos:1
Reviews:
·Shaw

Thanks for the explanation Aaron. Curiously the .728 version of Glary Utilities was infected but was undetected by Avast until the .738 and clean version was released. It's still comforting to know that the virus was essentially harmless.
--
Knowledge is learning something new every day. Wisdom is letting go of something every day.


wideglide36

join:2003-11-08
Altoona, PA

Aaron,

Great explanation. Thanks.
I assume I do not have the Delphi compiler as I am not a programmer. I believe you are right, in that I probably have a program that contains files written with the Delphi compiler.
I scanned those files and they were clean so I guess I can leave them alone.

The original problems I had with this virus were connected to Weather Pulse and Gmail Keeper. Both of these programs have since been updated to a clean version and everything seems ok now.

Thanks again.


over 12.5 years online © 1999-2012 dslreports.com.