August 2009
BitDefender Finds Win32.Induc.A Puts Delphi Compilers at Risk and Compromises Legitimate Applications
The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed.
BitDefender╝ today announced the discovery of a threat that directly affects many applications, including TabBrowser v1.0, GreenOpen, WebMoney Keeper Classic v3.7.0.0, Tidy Favorites v4.1 and any TV Free v2.41. The applications were being distributed with the virus code already embedded, due to an unusual trick employed by the malware author or authors.
The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any programs which are subsequently compiled using the compromised compiler contain the virus code. Although no payload is dropped or malicious action taken other than self-reproduction, the spreading of this virus to installer packages proves that this extremely unusual infection vector is, in fact, valid and relevant today, raising concerns that it will eventually be used to nefarious purposes.
When executed, the virus searches for valid Delphi compiler versions and, if found, creates a SysConst.pas file inside the compilers \Lib folder. It writes its code inside it, then renames the SysConst.dcu into SysConst.bak. The .pas file will be compiled then deleted. The resulting SysConst.dcu is used by the compiler in every compilation act, which automatically creates infected executables by including the malicious code from inside the SysConst.dcu.
An interesting aspect about the epidemic is that not only legitimate applications have been infected, BitDefender antivirus researchers found that several members of the Trojan.Banker malware ⌠family■ have been compromised by Win32.Induc.A.
Detected by BitDefender as Trojan.Downloader.JMGZ, Trojan.Spy.Banker.ABWA √ ABWC, Trojan.Spy.Banker.ABWK √ ABWQ and so on, these trojans target local banks, namely Caixa √ Spain▓s biggest savings bank and Bradesco √ a notable bank in Brazil.
Delphi developers are advised to check if their compilers' \Lib folder contains a SysConst.bak file (the most obvious sign of infection) and to rename it to SysConst.dcu if it exists, overwriting the compromised file, then recompile their applications.
About Bitdefender®
Bitdefender is the creator of one of the world's fastest and most effective lines of internationally certified internet security software. The company is an industry pioneer, introducing and developing award-winning protection since 2001. Today, Bitdefender technology secures the digital experience of around 400 million home and corporate users across the globe.
Recently, Bitdefender won a series of important awards and accolades in the global security industry, including "Product of the Year" by AV-Comparatives, "Best Repair 2012" by AV-Test, "Editor's Choice" and "The Best Antivirus for 2013" by PC Mag, that confirmed the antivirus software’s leadership status among security products.
More information about Bitdefender's products is available from the company's security press room. Additionally, Bitdefender publishes the HOTforSecurity blog, where readers can find stories from the underworld of internet fraud, scams, malicious software - and gossip.