Win32.Induc.A
HIGH
LOW
varies
(Virus.Win32.Induc.a; W32/Induc virus; Win32.Induc; W32.Induc.A)
Symptoms
Presence of a file named sysconst.bak in %Delphi_Installation_Folder%\Lib\ folder.
Removal instructions:
Please let BitDefender disinfect your files.
Overwrite %Delphi_Installation_Folder%\Lib\sysconst.dcu with %Delphi_Installation_Folder%\Lib\sysconst.bak
Analyzed By
Dana Stanut, virus researcher
Technical Description:
This threat spreads by infecting the systems running the Delphi development environment. When the virus code is executed it will first check if Delphi (version 4 through 7) is installed on the computer by trying to open the following registry key:
KKLM\SOFTWARE\Borland\Delphi\
If found, it will get the Delphi installation folder from the same registry key.
Next it will copy
%Delphi_Installation_Folder%\Source\Rtl\Sys\SysConst.pas to %Delphi_Installation_Folder%\Lib\SysConst.pas
and add its malicious code in the implementation section of this copy. This file will be then compiled, resulting an infected sysconst.dcu (Delphi compiled unit) but not before making a copy of the once clean sysconst.dcu file under sysconst.bak. Then the copy of sysconst.pas will be deleted.
As sysconst is included in each software compiled in Delphi, every program compiled with an infected Delphi will have the virus code embedded.
The malware does nothing if Delphi is not installed.
This threat has no payload besides self-replication.
SHARE
THIS ON