
August 2009

BitDefender Finds Win32.Induc.A Puts Delphi Compilers at Risk and Compromises Legitimate Applications

The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed.

BitDefender® today announced the discovery of a threat that directly affects many applications, including TabBrowser v1.0, GreenOpen, WebMoney Keeper Classic v3.7.0.0, Tidy Favorites v4.1 and any TV Free v2.41. The applications were being distributed with the virus code already embedded, due to an unusual trick employed by the malware author or authors.

The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any programs that are subsequently compiled using the compromised compiler contain the virus code. Although no payload is dropped and no malicious action is taken other than self-reproduction, the spread of this virus to installer packages proves that this extremely unusual infection vector is, in fact, valid and relevant today, raising concerns that it will eventually be used for nefarious purposes.

When executed, the virus searches for valid Delphi compiler versions and, if one is found, creates a SysConst.pas file inside the compiler's \Lib folder. It writes its code into that file, then renames SysConst.dcu to SysConst.bak. The .pas file is compiled and then deleted. The resulting SysConst.dcu is used by the compiler in every compilation, which automatically creates infected executables by including the malicious code from SysConst.dcu.

An interesting aspect of the epidemic is that not only legitimate applications have been infected: BitDefender antivirus researchers found that several members of the Trojan.Banker malware "family" have been compromised by Win32.Induc.A.

Detected by BitDefender as Trojan.Downloader.JMGZ, Trojan.Spy.Banker.ABWA – ABWC, Trojan.Spy.Banker.ABWK – ABWQ and so on, these trojans target local banks, namely Caixa, Spain's biggest savings bank, and Bradesco, a notable bank in Brazil.

Delphi developers are advised to check if their compilers' \Lib folder contains a SysConst.bak file (the most obvious sign of infection) and to rename it to SysConst.dcu if it exists, overwriting the compromised file, then recompile their applications.
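The check and the fix described above can be scripted across a build machine or a mounted disk image. The following is an added example, not BitDefender's code: the function names are hypothetical, and treating a leftover SysConst.pas in \Lib as notable is an assumption.

```python
import hashlib
import os
from pathlib import Path

def _find(folder, name):
    """Case-insensitive file lookup, so a mounted disk image scans the same way."""
    for entry in folder.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_lib(lib):
    """Report the SysConst indicators for one compiler Lib folder."""
    lib = Path(lib)
    dcu, bak, pas = (_find(lib, "SysConst." + ext) for ext in ("dcu", "bak", "pas"))
    return {
        "lib": str(lib),
        "suspect": bak is not None,   # SysConst.bak: the sign the advisory names
        # Assumption: a stock Lib folder holds no SysConst.pas, so a leftover
        # one suggests the compile-then-delete step was interrupted.
        "pas_leftover": pas is not None,
        # The .bak is the renamed original, so a differing .dcu is the replacement.
        "dcu_differs_from_bak": bool(dcu and bak and _sha256(dcu) != _sha256(bak)),
    }

def scan(root):
    """Run check_lib on every folder named Lib (any case) under root."""
    return [check_lib(Path(dirpath) / d)
            for dirpath, dirnames, _ in os.walk(root)
            for d in dirnames if d.lower() == "lib"]

def restore(lib):
    """Apply the advisory's fix: SysConst.bak overwrites SysConst.dcu."""
    lib = Path(lib)
    bak = _find(lib, "SysConst.bak")
    if bak is None:
        return False
    os.replace(bak, _find(lib, "SysConst.dcu") or lib / "SysConst.dcu")
    return True

if __name__ == "__main__":
    import sys
    for report in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(report)
```

Restoring the unit only cleans the compiler; executables built while the replaced SysConst.dcu was in place still need to be recompiled, as the advisory says.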


* * *

About Bitdefender®
Bitdefender is the creator of one of the world's fastest and most effective lines of internationally certified internet security software. Since 2001, the company has been an industry pioneer, introducing and developing award-winning protection. Today, Bitdefender technology secures the digital experience of around 400 million home and corporate users across the globe.

Recently, the company has won a range of key independent recommendations in the US, UK and across Europe, including ConsumerSearch, Which?, Stiftung Warentest and Taenk. Bitdefender antivirus technology has also finished top in leading industry tests from both AV Test and AV-Comparatives. More information about Bitdefender's antivirus products is available from the company's security solutions press room. Additionally, Bitdefender publishes Malware City providing the latest updates on security threats and helping users stay informed in the everyday battle against malware.

