There's been a lot of fuss in the media lately, with news from all the major antivirus companies being printed and reprinted. And all the news is on the same topic – something we haven't seen since Kido (Conficker) and the latest Adobe vulnerabilities. The source of all the fuss? Virus.Win32.Induc.a.
Induc was such an unusual case that initially we just published a short blog giving technical details about the virus. Now there's time to step back, take a breath, and assess Induc's real impact.
The name relates directly to the virus functionality. Once it's on the victim machine, it checks to see if Delphi is installed – it targets versions 4.0, 5.0, 6.0 and 7.0. If it detects one of these versions of Delphi, it copies the .pas file it's going to use (in this case, sysconst.pas) from \Source to \Lib and appends its own code to the file. It makes a backup of sysconst.dcu, calling it sysconst.bak, and compiles the infected .pas file, which results in a new sysconst.dcu containing malicious code. The infected .pas file then gets deleted.
We recently added detection for a file infector to our databases, for something we call Virus.Win32.Induc.a. Since then, we've had a load of questions about it. It doesn't currently have a malicious payload, and it doesn't directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine, looking for versions 4.0, 5.0, 6.0 and 7.0.
If the malware does find one of these Delphi versions, it copies SysConst.pas to \Lib and writes its code to it. It then makes a backup of SysConst.dcu, calling it SysConst.bak (.dcu files are kept in \Lib). It then compiles \Lib\SysConst.pas, giving an infected version of SysConst.dcu. The modified .pas file gets deleted.
var sc:array[1..24] of string=('uses windows; var sc:array[1..24] of string=(', 'function x(s:string):string;var i:integer;begin for i:=1 to length(s) do if s[i]',
'=#36 then s[i]:=#39;result:=s;end;procedure re(s,d,e:string);var f1,f2:textfile;', 'h:cardinal;f:STARTUPINFO;p:PROCESS_INFORMATION;b:boolean;t1,t2,t3:FILETIME;begin',
'h:=CreateFile(pchar(d+$bak$),0,0,0,3,0,0);if h<>DWORD(-1) then begin CloseHandle',
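The infection routine described above leaves artifacts that an administrator can look for on a build machine: a SysConst.bak next to SysConst.dcu in \Lib, a stray SysConst.pas in \Lib (it should only live under \Source), and the virus's own source text, which is stored as string literals and so ends up as data inside the recompiled unit. The following checker is an added example written for this post, not Kaspersky's code or a tool from the original article. It assumes the standard Delphi 4–7 layout with a \Lib directory under the install root, and it assumes the two string literals taken from the listing above survive verbatim in the compiled .dcu; the sample directory tree it builds is constructed for the demonstration, not a real install.

```python
"""Offline check of a Delphi 4-7 install tree for the artifacts Induc leaves behind."""
import hashlib
import os
import tempfile

# String literals copied from the virus listing in the post. They are ordinary
# Delphi string constants, so the compiler emits them as data in sysconst.dcu
# (assumption: they are not transformed before being stored).
INDUC_MARKERS = (
    b"uses windows; var sc:array[1..24] of string=(",
    b"function x(s:string):string;var i:integer;begin",
)


def _find_ci(directory, name):
    """Return the path of `name` inside `directory`, matched case-insensitively
    (Windows filesystem semantics), or None if absent."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_delphi_root(root):
    """Return a list of (path, reason) findings for one Delphi installation root."""
    findings = []
    lib = os.path.join(root, "Lib")
    bak = _find_ci(lib, "sysconst.bak")
    pas = _find_ci(lib, "sysconst.pas")
    dcu = _find_ci(lib, "sysconst.dcu")
    if bak:
        findings.append((bak, "sysconst.bak present: backup made by the infection routine"))
    if pas:
        findings.append((pas, "sysconst.pas under \\Lib: the virus copies it here; a clean install keeps it under \\Source"))
    if dcu:
        with open(dcu, "rb") as f:
            data = f.read()
        hits = [m for m in INDUC_MARKERS if m in data]
        if hits:
            findings.append((dcu, "Induc source strings embedded in compiled unit: %r" % hits[0]))
        # If the backup exists, it is the pre-infection unit; a differing .dcu
        # confirms the recompile happened. Restore it only after verifying it is clean.
        if bak and _sha256(bak) != _sha256(dcu):
            findings.append((dcu, "sysconst.dcu differs from sysconst.bak: unit was recompiled"))
    return findings


def build_sample_tree(infected):
    """Build a throwaway Delphi-like tree for demonstration (constructed data, not a real install)."""
    root = tempfile.mkdtemp(prefix="delphi_")
    lib = os.path.join(root, "Lib")
    os.makedirs(lib)
    clean_unit = b"DCU\x00clean sysconst unit (constructed)"
    if infected:
        with open(os.path.join(lib, "SysConst.bak"), "wb") as f:
            f.write(clean_unit)
        with open(os.path.join(lib, "SysConst.dcu"), "wb") as f:
            f.write(b"DCU\x00" + INDUC_MARKERS[0] + b"...")
    else:
        with open(os.path.join(lib, "SysConst.dcu"), "wb") as f:
            f.write(clean_unit)
    return root


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        for path, reason in scan_delphi_root(build_sample_tree(infected)):
            print(label, path, reason)
```

On a real machine you would call scan_delphi_root once per Delphi install root (for example the directory each version is installed under) and also run the marker search over the .exe files produced on that machine, since anything linked against the infected unit carries the same string constants; the hash comparison is there so that a flagged .dcu can be reverted to the backup once that backup has itself been checked.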
The result – any Delphi program compiled on the computer gets infected. (We've already had a company contacting us to complain about something they thought was a false positive.) Maybe this particular virus isn't that much of a threat: it's not the first time we've seen this propagation method, the code itself is primitive, there's no other payload, and there are far easier ways to infect machines. But in the past we've seen new infection routines get picked up, tweaked, and taken further. We'll be keeping an eye on this one, just in case.