Virus: W32/Induc.A
Date discovered: 18/08/2009
Type: File infector
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low to medium
Damage Potential: Low
Static file: No
VDF version: 7.01.05.130

 General Aliases:
   •  Symantec: W32.Induc.A
   •  Mcafee: W32/Induc
   •  Kaspersky: Virus.Win32.Induc.a
   •  Sophos: W32/Induc-A
   •  Eset: Win32/Induc.A
   •  Bitdefender: Win32.Induc.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


 Special detection  W32/Induc.A

Description:
The infected file checks whether the Delphi development environment is installed by looking for one of the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\4.0,
HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\5.0,
HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\6.0,
HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\7.0.

If Delphi is installed, a backup of the original "%Delphi_RootDir%\lib\SysConst.dcu" is saved as "%Delphi_RootDir%\lib\SysConst.bak". The backup file acts as a flag that tells the malware the environment has already been infected.

It copies the file "%Delphi_RootDir%\source\rtl\sys\SysConst.pas" to "%Delphi_RootDir%\lib\SysConst.pas", modifies "%Delphi_RootDir%\lib\SysConst.pas" and compiles it to the "%Delphi_RootDir%\lib\SysConst.dcu" library. It then deletes the modified "SysConst.pas" file.

As a result, any program built subsequently with the infected Delphi installation will itself be infected.

If the RootDir value of HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\x.0 is invalid, the infected file crashes with the following error message:



If there is no Delphi environment installed on the system, the infected file will run without infecting other files.
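The behaviour described above leaves a marker that a build machine can be checked for. The following Python script is an added example, not part of the original description or any vendor tool: it reads the RootDir value of the four registry keys listed above and looks in each lib directory for SysConst.bak. The function names, the use of the 32-bit registry view, and the treatment of a leftover lib\SysConst.pas as suspicious are assumptions of this example.

```python
import os

DELPHI_VERSIONS = ("4.0", "5.0", "6.0", "7.0")  # versions named in the description

def delphi_roots_from_registry():
    """Map each installed Delphi version to its RootDir value (Windows only)."""
    try:
        import winreg
    except ImportError:          # not running on Windows
        return {}
    roots = {}
    # Assumption: on 64-bit Windows the 32-bit Delphi keys are in the 32-bit view.
    access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
    for version in DELPHI_VERSIONS:
        path = "SOFTWARE\\Borland\\Delphi\\" + version
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
                roots[version] = winreg.QueryValueEx(key, "RootDir")[0]
        except OSError:          # key or value absent: version not installed
            continue
    return roots

def check_delphi_root(root_dir):
    """Return findings for one Delphi RootDir; an empty list means no indicator."""
    lib_dir = os.path.join(root_dir, "lib")
    if not os.path.isdir(lib_dir):
        return ["RootDir has no lib directory (invalid RootDir value?)"]
    # Compare names case-insensitively, as Windows file systems do.
    names = {name.lower() for name in os.listdir(lib_dir)}
    findings = []
    if "sysconst.bak" in names:
        findings.append("lib\\SysConst.bak present: flag file written by W32/Induc.A")
    if "sysconst.pas" in names:
        # Assumption: the modified copy is normally deleted after compilation,
        # so a leftover copy in lib is treated here as worth manual review.
        findings.append("lib\\SysConst.pas present: review for modification")
    return findings

if __name__ == "__main__":
    for version, root in delphi_roots_from_registry().items():
        for finding in check_delphi_root(root) or ["no indicator found"]:
            print(f"Delphi {version} ({root}): {finding}")
```

A SysConst.bak finding means executables built with that installation after the file's creation time should be treated as infected until the library has been cleaned and the programs rebuilt.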

Description inserted by Andrei Ivanes on Monday, August 24, 2009
Description updated by Andrei Ivanes on Monday, August 24, 2009
