Tuesday, September 1, 2009

Virus Alert: Virus Induc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Virus Induc
http://172.17.10.50/virus/Virus_Induc.htm
Original issue date: August 31, 2009
It has been observed that a virus named Induc is spreading. It infects
software built with the Delphi programming language at compilation time.

The malware first checks whether the installed Delphi version is between 4
and 7, then replaces $DELPHI_DIR$\source\rtl\sys\SysConst.pas with its own
malicious code. The malware then deletes the SysConst.pas file.

The malware saves a clean copy of SysConst.dcu as SysConst.bak and adds a
call to its own init function at the entry point of the SysConst.dcu
unit. Hence any Delphi program compiled by the infected Delphi compiler is
infected. Each new build of any Delphi project on an infected machine
(every build that uses SysConst.dcu, which is practically all of them)
produces an infected file.

Software companies specializing in developing applications with Delphi are
at higher risk of infection.

[Image not available: sample malicious code snippet from a program compiled
with an infected SysConst.dcu (source: F-Secure)]

Upon execution the virus performs the following actions:

Copies SysConst.pas to \Lib and writes its own code into it.
Creates a backup of SysConst.dcu, named SysConst.bak.
Compiles \Lib\SysConst.pas, producing an infected version of SysConst.dcu.
Deletes the modified .pas file.

Users are advised to implement the following countermeasures:

Search for the malicious files created by the virus and delete them.
Developers and vendors of software built with Delphi may check their
compilers for infection to prevent the creation of more infected programs.
Maintain up-to-date antivirus and antispyware software.
Apply up-to-date patches and fixes to the operating system and application
software.
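The following script is an added example written for this page; it is not
part of the CERT-In advisory and not code from any of the referenced vendors.
It turns the file-level indicators the advisory names into a check a Delphi
shop could run over an installation root: a SysConst.bak left in \Lib (the
clean copy the virus saves), a SysConst.dcu that no longer matches that
backup, and a SysConst.pas sitting in \Lib where only compiled units belong.
The "Lib" directory layout and the placeholder unit bytes used to build the
two sample installations are constructed assumptions for the demonstration;
no hashes of the real malware are used, because the advisory publishes none.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List

# Indicators taken from the advisory text (file names only, no published hashes):
#   Lib\SysConst.bak  - the clean copy Induc saves before rebuilding the unit
#   Lib\SysConst.pas  - source Induc copies into Lib and compiles (normally deleted afterwards)
#   Lib\SysConst.dcu  - the rebuilt unit; differs from the saved .bak on an infected machine
# The "Lib" subdirectory layout is an assumption made for this example.


def sha256(path: Path) -> str:
    """Hash a file so the rebuilt unit can be compared with the saved backup."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_delphi_install(delphi_dir) -> List[str]:
    """Return a list of indicator descriptions found under a Delphi install root.

    An empty list means none of the advisory's file indicators were present.
    """
    lib = Path(delphi_dir) / "Lib"
    bak = lib / "SysConst.bak"
    pas = lib / "SysConst.pas"
    dcu = lib / "SysConst.dcu"
    findings = []

    if bak.exists():
        findings.append("Lib\\SysConst.bak present (Induc saves the clean unit here)")
        # The .bak is the clean unit; a differing .dcu means the unit was rebuilt after the backup.
        if dcu.exists() and sha256(dcu) != sha256(bak):
            findings.append("Lib\\SysConst.dcu differs from Lib\\SysConst.bak (unit rebuilt after backup)")

    if pas.exists():
        findings.append("Lib\\SysConst.pas present (source does not belong in Lib; Induc compiles it here)")

    return findings


def build_sample(root: Path, infected: bool) -> Path:
    """Lay out a constructed fake Delphi directory (placeholder bytes, not real units)."""
    lib = root / "Lib"
    lib.mkdir(parents=True, exist_ok=True)
    clean_unit = b"CLEAN SYSCONST DCU (constructed placeholder bytes)"
    if infected:
        # Mirror the advisory's sequence: clean copy saved as .bak, .dcu rebuilt with an added init call.
        (lib / "SysConst.bak").write_bytes(clean_unit)
        (lib / "SysConst.dcu").write_bytes(clean_unit + b" + injected init call")
    else:
        (lib / "SysConst.dcu").write_bytes(clean_unit)
    return root


def demo():
    """Scan one clean and one infected constructed installation; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_sample(Path(tmp) / "Delphi7_clean", infected=False)
        bad = build_sample(Path(tmp) / "Delphi7_infected", infected=True)
        return check_delphi_install(clean), check_delphi_install(bad)


if __name__ == "__main__":
    clean_findings, infected_findings = demo()
    print("clean install:", clean_findings or "no indicators")
    print("infected install:")
    for line in infected_findings:
        print("  -", line)
```

Because the virus deletes the modified .pas after compiling it, the .pas
indicator will usually be absent on a live machine; the .bak file and the
mismatch between .bak and .dcu are the durable signs. Point
check_delphi_install at each Delphi 4 to 7 installation root on a build
machine, and treat any finding as a reason to restore SysConst.dcu from
installation media and rebuild the projects compiled since.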

References

http://www.viruslist.com/en/weblog?weblogid=208187826
http://www.f-secure.com/weblog/archives/00001752.html
http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/
http://www.sophos.com/blogs/gc/g/2009/08/19/w32induca-spread-delphi-software-houses/
http://www.securityfocus.com/brief/999

Disclaimer

The information provided herein is on an "as is" basis, without warranty of
any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003

Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSpu5LXWXeYNsoT30AQqrhgf/cCxybfvwLcEX7aHrlTHhuapulv8qQ4XP
6OdTSvzBUvD+YrYQyzqr97OwxpexjHGdYI4141YyD51kbeeYo/wXS3NMtBSYjrb8
usUmQsJm8Jpayv1GGIn9eTZNRExoku59UMe6UWLb1ja2L1bByJ64iURdYjtemfAW
bZ2Bzx0prORhQb1GenOdozYsK4mSiJPvAWHP76Sgqr2uS2ZlMTiFvMGDFwVcZKkI
B8XxnScE/+xPPlP5fmiiiJ2pqowBdbzFKwo/w9ri8qPki4W/wEeG4IjT7pIIeZgh
R4sxlerM2KriClTm58fP9Uf0Uzwqes2R7bYJNUHzi5lILyTPQCUlhw==
=IO3i
-----END PGP SIGNATURE-----
