Home / malware Win32.Induc.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Induc.A is also known as Virus.Win32.Induc.a;, W32/Induc, virus;, Win32.Induc;, W32.Induc.A.
Explanation :
This threat spreads by infecting the systems running the Delphi development environment. When the virus code is executed it will first check if Delphi (version 4 through 7) is installed on the computer by trying to open the following registry key:
KKLMSOFTWAREBorlandDelphi
If found, it will get the Delphi installation folder from the same registry key.
Next it will copy
%Delphi_Installation_Folder%SourceRtlSysSysConst.pas to %Delphi_Installation_Folder%LibSysConst.pas
and add its malicious code in the implementation section of this copy. This file will be then compiled, resulting an infected sysconst.dcu (Delphi compiled unit) but not before making a copy of the once clean sysconst.dcu file under sysconst.bak. Then the copy of sysconst.pas will be deleted.
As sysconst is included in each software compiled in Delphi, every program compiled with an infected Delphi will have the virus code embedded.
The malware does nothing if Delphi is not installed.
This threat has no payload besides self-replication.Last update 21 November 2011
