Virus Induc
Original issue date: August 31, 2009
It has been observed that a virus named Induc is spreading. It infects software built with the Delphi programming language at compilation time.
The malware first checks whether the Delphi version is between 4 and 7, then replaces $DELPHI_DIR$\source\rtl\sys\SysConst.pas with its own malicious code. The malware then deletes the SysConst.pas file.
The malware saves a clean copy of SysConst.dcu as SysConst.bak and adds a call to its own init function at the entry point of the SysConst.dcu library. Hence any Delphi program compiled by the infected Delphi compiler becomes infected: each new build of any Delphi project on an infected machine that uses SysConst.dcu (practically all of them) produces an infected file.
Software companies specializing in developing applications with Delphi are at higher risk of infection.
A sample of the malicious code found after compiling a program with an infected version of the SysConst.dcu file is shown below (Source: F-Secure):

Upon execution the Virus performs the following actions:
- Copies SysConst.pas to \Lib and writes its code to it.
- Creates a backup of SysConst.dcu, calling it SysConst.bak.
- Compiles \Lib\SysConst.pas giving an infected version of SysConst.dcu.
- Deletes the modified .pas file.
Users are advised to implement the following countermeasures:
- Search for the malicious files created by the virus and delete them.
- Developers/vendors of software using Delphi may check their compilers for infection to prevent the creation of more infected programs.
- Maintain up-to-date Antivirus and Antispyware.
- Apply up-to-date patches and fixes on the operating system and application software.
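The file search and compiler check in the countermeasures above can be scripted as a read-only scan. This is an added example, not a CERT-In or vendor tool: the function names, the finding labels, the layout with `Lib` directly under each Delphi install root, and the premise that a clean install keeps no SysConst.pas in `Lib` are assumptions of the example, and the sample directory trees are constructed.

```python
import tempfile
from pathlib import Path

# File names come from the advisory; labels and layout are assumptions.
BACKUP, UNIT, SOURCE = "sysconst.bak", "sysconst.dcu", "sysconst.pas"


def check_delphi_lib(lib_dir):
    """Return a list of findings for one Delphi Lib directory (read-only)."""
    # Case-insensitive lookup, since Windows file names are case-insensitive.
    files = {p.name.lower(): p for p in Path(lib_dir).iterdir() if p.is_file()}
    findings = []
    if BACKUP in files:
        findings.append("backup-present")  # SysConst.bak is created by the virus
        if UNIT in files and files[UNIT].read_bytes() != files[BACKUP].read_bytes():
            findings.append("dcu-differs-from-backup")
    if SOURCE in files:
        findings.append("source-left-in-lib")  # modified .pas was not deleted
    return findings


def scan(roots):
    """Check the Lib directory under each Delphi install root."""
    report = {}
    for root in roots:
        subdirs = [d for d in Path(root).iterdir() if d.is_dir()]
        lib = next((d for d in subdirs if d.name.lower() == "lib"), None)
        report[str(root)] = check_delphi_lib(lib) if lib else ["no-lib-dir"]
    return report


def build_sample(base):
    """Constructed sample trees: one clean install, one showing the indicators."""
    clean, hit = Path(base, "clean"), Path(base, "suspect")
    for root in (clean, hit):
        (root / "Lib").mkdir(parents=True)
    (clean / "Lib" / "SysConst.dcu").write_bytes(b"constructed clean unit")
    (hit / "Lib" / "SysConst.bak").write_bytes(b"constructed clean unit")
    (hit / "Lib" / "SysConst.dcu").write_bytes(b"constructed modified unit")
    return clean, hit


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for root, findings in scan(build_sample(tmp)).items():
            print(root, findings or "no indicators")
```

The scan only reports; any install root with findings should be reviewed before files are deleted or restored.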
References
http://www.viruslist.com/en/weblog?weblogid=208187826
http://www.f-secure.com/weblog/archives/00001752.html
http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/
http://www.sophos.com/blogs/gc/g/2009/08/19/w32induca-spread-delphi-software-houses/
http://www.securityfocus.com/brief/999
Disclaimer The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
