
Virus:W32/Induc.A


First posted on 16 March 2010.
Source: SecurityHome

Aliases :

There are no other names known for Virus:W32/Induc.A.

Explanation :

A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Additional Details

Virus:W32/Induc.A is malware that targets the Delphi program on the system. It places a copy of SysConst.pas at %Delphi_Installation_Folder%\Lib\SysConst.pas and adds malicious code to it. Whenever a Delphi program is compiled, the malware's code is executed to ensure that Delphi remains infected.


Installation process/actions
• The malware searches for the Delphi installation folder by checking for the registry key HKLM\Software\Borland\Delphi.
• Once found, it copies %Delphi_Installation_Folder%\Source\Rtl\Sys\SysConst.pas to %Delphi_Installation_Folder%\Lib\SysConst.pas.
• It then adds malicious code to %Delphi_Installation_Folder%\Lib\SysConst.pas, and renames one of the Delphi library files, lib\SysConst.dcu, to lib\SysConst.bak.
• The malware compiles the infected SysConst.pas to make a new SysConst.dcu. From this point on, the Virus:W32/Induc.A code is inserted whenever a Delphi program is compiled using the new SysConst.dcu.
• Once done, the malware deletes %Delphi_Installation_Folder%\Lib\SysConst.pas.

Notes
• The malware does nothing else if Delphi is not installed on the infected system.
• The malware poses no threat other than self-replication.
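
The installation steps above leave recognisable files in the Delphi Lib folder. The following check for them is an added example, not part of the original write-up or any vendor tool. It assumes the caller passes the Delphi installation folder (the registry lookup is left out), the function names are hypothetical, and a match is a heuristic that calls for closer inspection rather than proof of infection.

```python
import os
import tempfile

def _find_ci(folder, name):
    """Return the path of `name` inside `folder`, matched case-insensitively
    (Windows paths are case-insensitive; the page writes both Lib\\ and lib\\)."""
    if not os.path.isdir(folder):
        return None
    for entry in os.listdir(folder):
        if entry.lower() == name.lower():
            return os.path.join(folder, entry)
    return None

def check_delphi_lib(install_dir):
    """Report the Lib-folder artifacts described for Virus:W32/Induc.A."""
    lib = _find_ci(install_dir, "Lib")
    if lib is None:
        return {"verdict": "no-lib-folder", "artifacts": []}
    bak = _find_ci(lib, "SysConst.bak")
    dcu = _find_ci(lib, "SysConst.dcu")
    pas = _find_ci(lib, "SysConst.pas")
    artifacts = []
    if bak:
        artifacts.append("SysConst.bak")   # original unit renamed aside
    if pas:
        artifacts.append("SysConst.pas")   # working copy, normally deleted afterwards
    if bak and dcu:
        verdict = "suspect-replaced-dcu"   # renamed original next to a rebuilt unit
    elif artifacts:
        verdict = "suspect-partial"        # leftovers without the full pattern
    else:
        verdict = "clean-layout"
    return {"verdict": verdict, "artifacts": artifacts}

def make_sample(files):
    """Build a constructed Delphi-like tree in a temp dir (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="delphi_sample_")
    os.makedirs(os.path.join(root, "Lib"))
    for name in files:
        with open(os.path.join(root, "Lib", name), "wb") as fh:
            fh.write(b"constructed sample")
    return root

if __name__ == "__main__":
    for label, files in [("clean", ["SysConst.dcu"]),
                         ("infected", ["SysConst.dcu", "SysConst.bak"])]:
        print(label, check_delphi_lib(make_sample(files)))
```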

Last update 16 March 2010

 
