Virus:Win32/Induc.A
First posted on 12 April 2019.
Source: Microsoft
Aliases :
There are no other names known for Virus:Win32/Induc.A.
Explanation :
Virus:Win32/Induc.A is a virus that infects Delphi library source files. Any executables compiled/linked by the Delphi compiler on the affected machine will contain the malicious code.

Installation
Virus:Win32/Induc.A attempts to locate the installed Borland Delphi root directory by searching the registry for the following entry:
Value: RootDir
Under Subkey: HKLM\Software\Borland\Delphi\x.0
where x is the version number of Delphi, (the value is generally from 4 to 7, although for some variants it is from 4 to 8).

Spreads via…
File infection
Virus:Win32/Induc.A copies source\rtl\sys\SysConst.pas (Delphi library source file), in the found Delphi root directory to lib\SysConst.pas. Then it appends malicious source code to the copied file.

Virus:Win32/Induc.A renames the original Delphi library file lib\SysConst.dcu to lib\SysConst.bak and then invokes the Delphi compiler (bin\dcc32.exe) to compile a new copy of SysConst.dcu with the replaced copy (lib\sysConst.pas) of the source file.

Finally, Virus:Win32/Induc.A deletes the file lib\SysConst.pas and sets the new compiled lib\Sysconst.dcu to the same date/time as the original copy.

After a computer is infected by Virus:Win32/Induc.A, ALL files compiled/linked by the Delphi compiler on that computer will be infected.

Analysis by Chun Feng
Last update 12 April 2019
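The file changes described above leave artifacts in the Delphi lib directory that a build machine can be checked for. The following is an added example, not part of the original write-up or any Microsoft tool: the function names are hypothetical, and it assumes the renamed SysConst.bak keeps the original unit's timestamp and that Delphi registered itself in the 32-bit registry view.

```python
import hashlib
import os
import sys

def delphi_roots_from_registry():
    """Read RootDir for Delphi 4.0 through 8.0 (Windows only)."""
    import winreg  # imported lazily so the file checks also run on other systems
    roots = []
    for ver in range(4, 9):
        subkey = rf"Software\Borland\Delphi\{ver}.0"
        try:
            # Assumption: 32-bit registry view, where a 32-bit Delphi registers
            access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
                roots.append(winreg.QueryValueEx(key, "RootDir")[0])
        except OSError:
            continue  # this Delphi version is not installed
    return roots

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_delphi_root(root):
    """Return a list of findings for one Delphi root directory."""
    lib = os.path.join(root, "lib")
    dcu = os.path.join(lib, "SysConst.dcu")
    bak = os.path.join(lib, "SysConst.bak")
    pas = os.path.join(lib, "SysConst.pas")
    findings = []
    if os.path.isfile(pas):
        findings.append("lib/SysConst.pas present (copied source not cleaned up)")
    if os.path.isfile(bak):
        findings.append("lib/SysConst.bak present (renamed original unit)")
        if os.path.isfile(dcu) and _sha256(dcu) != _sha256(bak):
            findings.append("SysConst.dcu differs from SysConst.bak")
            # The rebuilt .dcu is given the original's date/time, so equal
            # timestamps on files with different content point to cloning.
            if int(os.path.getmtime(dcu)) == int(os.path.getmtime(bak)):
                findings.append("SysConst.dcu timestamp matches SysConst.bak")
    return findings

if __name__ == "__main__":
    roots = sys.argv[1:] or (delphi_roots_from_registry() if os.name == "nt" else [])
    for root in roots:
        for finding in check_delphi_root(root):
            print(f"{root}: {finding}")
```

Because the timestamp of the rebuilt unit is cloned from the original, modification time alone cannot show the change; the content comparison against SysConst.bak is what exposes it.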