
19 August 2009

The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed.

BitDefender® today announced the discovery of a threat that directly affects many applications, including TabBrowser v1.0, GreenOpen, WebMoney Keeper Classic v3.7.0.0, Tidy Favorites v4.1 and any TV Free v2.41. These applications were distributed with the virus code already embedded, the result of an unusual trick employed by the malware author or authors.

The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any program subsequently compiled with the compromised compiler carries the virus code. Although it drops no payload and takes no malicious action beyond self-reproduction, the spread of this virus into installer packages proves that this extremely unusual infection vector is valid and relevant today, raising the concern that it will eventually be used for nefarious purposes.

When executed, the virus searches for installed Delphi compiler versions and, if it finds one, creates a SysConst.pas file inside the compiler's \Lib folder and writes its own code into it. It then renames the existing SysConst.dcu to SysConst.bak, compiles the .pas file and deletes it. The resulting SysConst.dcu is used by the compiler in every subsequent compilation, so every executable it produces is automatically infected with the malicious code pulled in from SysConst.dcu.

An interesting aspect of the epidemic is that not only legitimate applications have been infected: BitDefender antivirus researchers found that several members of the Trojan.Banker malware "family" have themselves been compromised by Win32.Induc.A.

Detected by BitDefender as Trojan.Downloader.JMGZ, Trojan.Spy.Banker.ABWA to ABWC, Trojan.Spy.Banker.ABWK to ABWQ and so on, these trojans target local banks, namely Caixa, Spain's biggest savings bank, and Bradesco, a notable bank in Brazil.

Delphi developers are advised to check whether their compiler's \Lib folder contains a SysConst.bak file (the most obvious sign of infection). If it exists, rename it to SysConst.dcu, overwriting the compromised file, and then recompile their applications: fixing the compiler does not clean executables that were already built while the compromised unit was in place.
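The mechanism and the fix described above, as an added example that is not BitDefender's tooling or code from the page. It takes the indicators the advisory states (SysConst.bak present in \Lib; a SysConst.pas that should never remain there) and adds one heuristic of its own, a SysConst.dcu stamped much newer than the other RTL units, which is an assumption about how a recompiled unit differs from the shipped ones. Remediation does what the advisory says (rename the .bak back over the .dcu) and additionally moves the compromised .dcu to a quarantine folder so it can be examined. The \Lib paths are passed in; locating Delphi installations is left to the caller. The sample folders the demo builds are constructed and stand in for real installs.

```python
"""Detect and undo the SysConst.dcu swap used by Win32.Induc.A.

Example code, not BitDefender's.  Indicators from the advisory: SysConst.bak
present in \\Lib, SysConst.pas left behind.  The mtime heuristic and the
quarantine step are this example's own additions (assumptions).
"""
from __future__ import annotations

import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class LibStatus:
    lib_dir: Path
    has_bak: bool           # SysConst.bak present: the advisory's primary indicator
    has_leftover_pas: bool  # SysConst.pas still in \Lib: an interrupted infection
    dcu_newer: bool         # SysConst.dcu newer than every sibling .dcu (heuristic)

    @property
    def suspicious(self) -> bool:
        return self.has_bak or self.has_leftover_pas or self.dcu_newer


def inspect_lib(lib_dir: Path) -> LibStatus:
    """Inspect one compiler \\Lib folder for the three indicators."""
    lib_dir = Path(lib_dir)
    dcu = lib_dir / "SysConst.dcu"
    dcu_newer = False
    if dcu.exists():
        # Shipped RTL units share an install-time stamp; a unit the virus
        # recompiled later stands out.  Assumption, not an advisory indicator.
        others = [p.stat().st_mtime for p in lib_dir.glob("*.dcu")
                  if p.name.lower() != "sysconst.dcu"]
        dcu_newer = bool(others) and dcu.stat().st_mtime > max(others) + 1
    return LibStatus(lib_dir,
                     (lib_dir / "SysConst.bak").exists(),
                     (lib_dir / "SysConst.pas").exists(),
                     dcu_newer)


def restore_sysconst(lib_dir: Path, quarantine_dir: Path) -> Path | None:
    """Rename SysConst.bak back to SysConst.dcu (the advisory's fix).

    The compromised .dcu is moved to quarantine_dir first (this example's
    addition).  Returns the quarantined path, or None when there was no .bak.
    """
    lib_dir, quarantine_dir = Path(lib_dir), Path(quarantine_dir)
    bak, dcu = lib_dir / "SysConst.bak", lib_dir / "SysConst.dcu"
    if not bak.exists():
        return None
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    quarantined = None
    if dcu.exists():
        quarantined = quarantine_dir / "SysConst.dcu.infected"
        shutil.move(str(dcu), str(quarantined))
    bak.replace(dcu)                                  # overwrite with the original
    (lib_dir / "SysConst.pas").unlink(missing_ok=True)  # drop any leftover source
    return quarantined


def build_demo_lib(root: Path, infected: bool) -> Path:
    """Constructed sample \\Lib folder standing in for a real Delphi install."""
    lib = Path(root) / "Lib"
    lib.mkdir(parents=True)
    old = time.time() - 10 * 365 * 86400  # install-time stamp, years ago
    for name in ("System.dcu", "SysUtils.dcu", "SysConst.dcu"):
        p = lib / name
        p.write_bytes(b"DCU original " + name.encode())
        os.utime(p, (old, old))
    if infected:  # replay the advisory's steps: rename the unit, compile a new one
        (lib / "SysConst.dcu").rename(lib / "SysConst.bak")
        (lib / "SysConst.dcu").write_bytes(b"DCU with Induc code")
    return lib


def demo() -> dict:
    """Check a clean and an infected sample folder, clean the latter, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_demo_lib(Path(tmp) / "Delphi5", infected=False)
        bad = build_demo_lib(Path(tmp) / "Delphi7", infected=True)
        before = inspect_lib(bad)
        quarantined = restore_sysconst(bad, Path(tmp) / "quarantine")
        return {
            "clean_suspicious": inspect_lib(clean).suspicious,
            "infected_before": (before.has_bak, before.dcu_newer),
            "quarantined_bytes": quarantined.read_bytes() if quarantined else None,
            "restored_bytes": (bad / "SysConst.dcu").read_bytes(),
            "infected_after": inspect_lib(bad).suspicious,
        }


if __name__ == "__main__":
    print(demo())
```

After restoring the unit, every application built while the bad SysConst.dcu was present still has to be rebuilt; the check here only tells you the compiler is clean again, not the binaries already shipped.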
