
August 19th, 2009

Win32:Induc, new concept of file infector?

A few days ago, Andreas Marx (an independent AV tester) sent all AV companies a file infected by a “Delphi source code infector”. The file was linked from chip.de and a few other sites. Two days ago, analyses of this novel file infector were published by Kaspersky Lab and F-Secure. But that is just the recent media attention: the virus is actually several months old, and every AV company missed it. Why?

Until now, file infectors (like Virut, Sality or Parite) have modified executable files on the victim’s machine: they append their body and change the entry point, and that is all. Win32:Induc is different. An infected file looks for a Borland Delphi installation on the victim’s machine. If Delphi is found, the source file SysConst.pas is replaced by a malicious one and compiled into SysConst.dcu. From then on, every build of any Delphi project on that machine that uses SysConst.dcu (practically all of them) produces an infected executable. The malware is thus built and shipped by legitimate developers without their knowledge. Many such files are digitally signed and distributed worldwide through download servers.

A few statistics: a few hours after VPS update 090818-0 (which added detection of Win32:Induc) we received hundreds of suspected “false positive” reports; all of them were genuine infections. In the 12 hours since the VPS was released, avast! has found about 200,000 infected files.

Categories: analyses, Virus Lab
  1. Tech
    August 19th, 2009 at 16:24 | #1

    Yeah…
    Microsoft Security Essentials is detecting Glary Utilities executables compiled with Delphi as being infected. Are they false positives, or is Glary really infected?

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fInduc.A&threatid=2147627628

  2. August 19th, 2009 at 16:39 | #2

    Glary Utilities (build 2.15.0.728) is infected. The latest build, 2.15.0.738 from 18 August, is clean.

  3. spg SCOTT
    August 19th, 2009 at 23:03 | #3

    Michal Trs :
    Glary Utilities (build 2.15.0.728) is infected. The latest build, 2.15.0.738 from 18 August, is clean.

    Are you sure?
    http://forum.avast.com/index.php?topic=47792

  4. Gil
    August 19th, 2009 at 23:11 | #4

    So… My Weather Pulse software is infected (“Sign of “Win32:Induc” has been found in “C:\program files\Weather Pulse\Weather Pulse”). What to do?

  5. August 19th, 2009 at 23:32 | #5

    @Gil
    Dear Gil, you should uninstall / delete it and wait for a new release of this application. This must be fixed on the developer’s side. They must replace the source file SysConst.pas with the original one and rebuild SysConst.dcu, then rebuild a “virus clean” application. It’s easy…

  6. Rey
    August 20th, 2009 at 00:27 | #6

    Is this a false positive alert? Avast detected Win32:Induc on my computer, and I erased some files myself instead of moving them to the virus vault.

  7. spg SCOTT
    August 20th, 2009 at 01:12 | #7

    @spg SCOTT
    Ignore that last post, turns out you were right :)

    For those asking about ‘False Positives’ etc. – the best place to ask would be the help forum:
    http://forum.avast.com

  8. Francine
    August 20th, 2009 at 02:14 | #8

    Keep it simple for me. Win32Induc, is it a problem or not?

  9. Milos
    August 20th, 2009 at 09:32 | #9

    Francine :
    Keep it simple for me. Win32Induc, is it a problem or not?

    Yes, it is a problem if it is detected on your computer and you have Delphi version 4 – 7 installed. No false positive has been detected yet.

  10. YoKenny
    August 20th, 2009 at 10:04 | #10

    It is a problem with applications compiled with an infected Delphi compiler.
    The application developers are probably aware of this now and are busy disinfecting their systems and then re-compiling their application to release a non-infected version.
    As spg SCOTT says it is best to follow this in the help forum:
    http://forum.avast.com/index.php?topic=47773.0

  11. Milos
    August 20th, 2009 at 10:23 | #11

    How to get rid of Win32:Induc infection:

    For Delphi application developers, the fastest way to disinfect Delphi is to delete “<Delphi directory>\Lib\SysConst.dcu” and copy “SysConst.bak” to “SysConst.dcu” in the same directory. The remaining SysConst.bak keeps the system from repeated infections.
    And of course compile the applications again.

    For other users, the way to get rid of an infected application is to uninstall/delete the application and wait for a new release, and of course scan the new release to make sure that the author has disinfected his Delphi.
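The post describes what the infector does to a Delphi installation (backs up the original SysConst.dcu, drops a malicious SysConst.pas and recompiles it), and the comment above gives the manual cleanup. The following Python script is an added example, not code from the Avast post or its commenters: it checks a Delphi Lib directory for those file-system traces and restores SysConst.dcu from SysConst.bak the way the comment describes, keeping the .bak in place so the infector treats the installation as already done. The default install path pattern (`Borland\Delphi*\Lib`), the indicator names and the sample file contents are all constructed for the demo; run it with real paths on a developer machine to get a verdict for each Lib directory found.

```python
"""Added example (not from the Avast post): detect and undo the Win32:Induc traces
in a Delphi 4-7 Lib directory. Paths, indicator names and sample bytes are constructed."""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Default install location of Delphi 4-7 (assumption; adjust for custom installs).
DEFAULT_GLOB = "Borland/Delphi*/Lib"


def candidate_lib_dirs(program_files: Path) -> list[Path]:
    """Return every <Program Files>\\Borland\\Delphi*\\Lib directory under the given root."""
    return sorted(p for p in program_files.glob(DEFAULT_GLOB) if p.is_dir())


def inspect_lib_dir(lib_dir: Path) -> list[str]:
    """Return indicator codes for the traces the post describes: the virus copies the
    original SysConst.dcu to SysConst.bak, writes a SysConst.pas next to it and
    recompiles the .dcu. A clean Lib holds only compiled units (the RTL sources ship
    under Source\\Rtl\\Sys, not in Lib). The virus also resets the .dcu timestamp,
    so file mtime is deliberately not used as an indicator."""
    bak, pas, dcu = (lib_dir / f"SysConst.{ext}" for ext in ("bak", "pas", "dcu"))
    found: list[str] = []
    if bak.is_file():
        found.append("bak_present")      # backup of the original unit left by the infector
    if pas.is_file():
        found.append("pas_present")      # dropped source, if the infector left it behind
    if bak.is_file() and dcu.is_file() and bak.read_bytes() != dcu.read_bytes():
        found.append("dcu_modified")     # compiled unit no longer matches the backup
    return found


def restore_sysconst(lib_dir: Path) -> bool:
    """Put the original SysConst.dcu back from SysConst.bak. The .bak is copied, not
    moved: the infector skips a Lib directory where it already exists, so leaving it
    in place blocks reinfection by other infected binaries run on the same machine.
    Every project built with this Delphi still has to be recompiled and reshipped.
    Returns True if a restore was performed."""
    bak, pas, dcu = (lib_dir / f"SysConst.{ext}" for ext in ("bak", "pas", "dcu"))
    if not bak.is_file():
        return False
    shutil.copyfile(bak, dcu)
    if pas.is_file():
        pas.unlink()                     # the dropped source is not needed after the restore
    return True


def demo() -> dict:
    """Build a constructed infected layout in a temp dir, check it, clean it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Borland" / "Delphi7" / "Lib"
        lib.mkdir(parents=True)
        (lib / "SysConst.bak").write_bytes(b"ORIGINAL-DCU")     # constructed contents
        (lib / "SysConst.dcu").write_bytes(b"RECOMPILED-DCU")   # constructed contents
        (lib / "SysConst.pas").write_text("unit SysConst; end.\n")  # constructed stub
        found_dirs = candidate_lib_dirs(Path(tmp))
        before = inspect_lib_dir(lib)
        restored = restore_sysconst(lib)
        after = inspect_lib_dir(lib)
        return {
            "delphi_dirs": [p.parent.name for p in found_dirs],
            "before": before,
            "restored": restored,
            "after": after,
            "dcu_matches_bak": (lib / "SysConst.dcu").read_bytes()
            == (lib / "SysConst.bak").read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

After the restore, `inspect_lib_dir` still reports `bak_present`; that is intentional, since the backup is what stops the directory from being re-infected. Treat `dcu_modified` or `pas_present` on a developer machine as a sign that everything compiled there since the .bak appeared needs to be rebuilt.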

  12. August 20th, 2009 at 10:40 | #12

    The detection is accurate. If the whole virus body is found, then avast! reports the virus Win32:Induc. This detection cannot produce false positive alerts.

  13. Denise Benner
    August 20th, 2009 at 13:14 | #13

    So how do we fix this? I woke up to about 10 alerts for Win32:Induc. avast! is dead in the water; I’m in safe mode. I’ve repaired it and am waiting to reboot.
    Denise

  14. Karrier
    August 20th, 2009 at 17:51 | #14

    Just one question: can you get this virus alert on Avast if you don’t have Delphi?
    I think I didn’t install Delphi, but Avast says I’m infected.
    Also, I can’t really locate the Delphi folder…

  15. August 20th, 2009 at 18:26 | #15

    @Karrier
    The answer is yes. Actually, I think that almost all files infected by Win32:Induc are found on computers without a Delphi compiler.

    A developer using Delphi has been infected by Win32:Induc (without his knowledge). From that moment on, every recompiled project becomes infected. The projects are uploaded to download servers and distributed worldwide. You simply download such an infected project…

  16. saj
    August 21st, 2009 at 01:33 | #16

    What damage will the virus cause if not detected on users pc?

  17. August 21st, 2009 at 01:41 | #17

    Looks like news spreads fast about Win32:Induc, huh? Then again, it IS spreading its malicious presence all over the internet.

    Well, one of my Grand Theft Auto IV modifications, GTA IV File Check Fix v1.0.4.0, is now infected with this dreaded Win32:Induc virus. (http://www.gtagaming.com/downloads/gta-iv/script-mods/2432).

    If you have this mod’ installed on your computer, scan it immediately. Delete it pronto if it is infected.

    I’ve also noticed that files which are infected with Win32:Induc try to add a copy of its Win32:Induc virus to your AppData folder on your computer. avast! stopped it on my P.C., though! Nice.

    Thanks for keeping us informed, ALWIL Software!

  18. August 21st, 2009 at 01:47 | #18

    @saj

    Not sure. All I know is that Induc isn’t good news. (Then again, no malware is good, is it?)

  19. Milos
    August 21st, 2009 at 07:08 | #19

    saj :
    What damage will the virus cause if not detected on users pc?

    It affects only systems with Delphi version 4 – 7 installed. It creates a backup of SysConst.dcu (SysConst.bak), creates the file SysConst.pas, compiles it to SysConst.dcu and changes the file date back to the original one. This unit is included in the majority of Delphi projects, so newly compiled applications are infected.

  20. August 21st, 2009 at 14:49 | #20

    “What damage will the virus cause if not detected on users pc?”

    Absolutely nothing. This ‘virus’ is malign and the only thing it does is replicate itself. And even then, as it only modifies Delphi files (not other exe’s like a normal virus), it will only infect a machine with Delphi versions prior to V8 installed on them.

    If you do have a third-party Delphi-compiled exe file which is infected, but don’t have Delphi installed then don’t worry – just get the latest clean version of the app when it becomes available.

    More of a worry is when the ‘developers’ of this virus take it to the next level and add a malicious ‘payload’ to the virus…

    TenBaz

  21. Ian
    August 21st, 2009 at 16:38 | #21

    I just turned on my computer for the first time this morning. 7:20 AM PDST, Friday.

    I don’t usually pay attention during turn-on but noticed a pop-up that Norton Internet Security 2009 reported that it found W32.Induc.A and removed it. It was in d:\program files\icon commander\iconcommander.exe downloaded from GOTD.

    Norton says that it’s Severity is HIGH.

    It appeared within a minute of going to Firefox.

  22. 乐平
    August 22nd, 2009 at 03:56 | #22

    Is it because of this problem that my utility software no longer works? I had no choice but to turn AVAST off.

  23. Regulus
    August 22nd, 2009 at 18:44 | #23

    F-secure already detected this virus on Aug 16th on my computer pointing to two Glary Utilities files by the name of “joinexe.exe” and “encryptexe.exe” .. I did email Glary support on Aug 17th but they did not give me any sign of life …
    Is it still not clear what the damage that is caused by this infection is?

  24. Translater
    August 24th, 2009 at 00:55 | #24

    乐平 :
    Is it because of this problem that my utility software no longer works? I had no choice but to turn AVAST off.

    Translation: Is this why my equipment is no longer working? I have no choice but to shut down AVAST.

  25. August 24th, 2009 at 19:41 | #25

    In theory, any software developer who writes their software with a version of Delphi prior to V8 can inadvertently distribute infected exes.

    However, as I said before, at the moment the ‘virus’ ONLY targets installations of Delphi, so if you don’t use Delphi, it’s harmless – regardless of what Norton says (many AV products overstate the case to frighten Joe Public and make him think it would have been the end of the world had he not been using it)! :)

    If you desperately need to use an infected file and you don’t have Delphi installed you shouldn’t have any problems, (assuming that your AV software doesn’t automatically zap it).

    The major problem is that although the infection might not directly infect you, there is the chance that you might transfer it to someone else who does use Delphi – hence I assume the High Risk level suggested by Norton.

    It took me about a minute to get rid of it from my Delphi directory, recompiled my apps and replaced the infected ones on the other machines on the network. After doing this, all the other machines showed as clean, so it isn’t going to cause anyone any major headaches like a normal virus would – ie Windows re-install or loss of files…

    It was spotted and dealt with instantly by AVG Free so I can’t see why Avast should be any different. A machine freezing up suggests the problem is elsewhere.

    TB

  26. nancy millar
    August 25th, 2009 at 06:50 | #26

    HELP!!! I need to get this GREEN AV off my computer. I scanned, and one part/file was dumped, but for the other two files it says “unable to scan”! I’ve been dealing with this for hours; I’ve had the virus for a week now, and the program has been trying to delete it for several hours, not getting anywhere.
    Please help!

  27. August 25th, 2009 at 15:34 | #27

    GSA has developed a freeware tool that could remove the Win32/Induc.A virus completely from executables and let you start them again without your anti virus complaining about it.

    http://www.gsa-online.de/eng/delphi_induc_cleaner.html

  28. xatzaras
    August 25th, 2009 at 20:52 | #28

    hello!

    urgent notice to avast moderators.

    PLEASE LOOK HERE FOR AVAST CRITICAL VULNERABILITY FOUND:

    http://www.securityfocus.com/bid/36115/discuss

  29. Anon
    August 25th, 2009 at 22:23 | #29

    Unblock The Pirate Bay!

  30. August 25th, 2009 at 22:55 | #30

    Thank you for all comments. This comments space is not a good area to discuss malware infections / problems with Avast / blocked domains (it’s usually long communication). Please go to http://forum.avast.com and ask our users community – there are very skilled guys who may help you.

  31. Stephen Camm
    August 27th, 2009 at 22:17 | #32

    Win32 induc will destroy your system. Here’s what’s occurred thus far and I have left a test build running, accessing applications.

    It came from Glary Utilities…..DETECTED AFTER I reloaded Avast (anti-virus)
    Secondly…IT WIPED OUT AVAST when I disabled it (not connected to the net).
    The latter was done as the original symptom was an inability to get the net and I was working thru networking solutions.
    It has also wiped out system restore, Malwarebyte, event viewer.
    Currently in the process of seeing if I can fix this system without doing a repair or reinstall. It’s messy.

  32. GeoffK
    August 28th, 2009 at 21:03 | #33

    Troubleshooting a customer’s computer. After discovering that the device manager seemed to be missing, I ran a boot scan with AVAST. Found: C:\program files\Iobit\Iobit Security\Ffsweep.dll was infected with WIN32:INDUC. I found it interesting in the previous posts that developers may be inadvertently pushing this thing out with program updates. IOBIT is the maker of Advanced System Care, which is in use on this machine (and many of ours too). I wonder if this thing rode piggyback on a ASC update?????

  33. Juan Silva
    September 1st, 2009 at 07:43 | #34

    Alwil should accept donations for Avast Home, like Spybot Search & Destroy, SUPERAntiSpyware and OpenOffice.org do with their software.
    Greetings from Chile from Juan, a fan of Avast Home.

  34. Juan Silva
    September 1st, 2009 at 08:33 | #35

    User donations from around the world are a good way to permanently strengthen Avast Home.

  35. Juan Silva
    September 1st, 2009 at 09:18 | #36

    Avast can beat Avira and AVG. I even think that Avast can become the best antivirus in the world. However, Avast Home must always remain strong, and that should be done through donations from around the world.

  36. Averroes
    September 5th, 2009 at 05:04 | #37

    Avast, AVG, or Avira. All say “Game Booster” (IOBit freeware) is infected.

  37. September 5th, 2009 at 21:23 | #38

    YoKenny :
    It is a problem with applications compiled with an infected Delphi compiler.
    The application developers are probably aware of this now and are busy disinfecting their systems and then re-compiling their application to release a non-infected version.
    As spg SCOTT says it is best to follow this in the help forum:
    http://forum.avast.com/index.php?topic=47773.0

  38. 808tida
    September 6th, 2009 at 07:58 | #39

    I need help big time. I have avast and I think I got a huge virus downloaded from an iframe. Long story short, a fake virus scanner was downloaded onto my computer. My avast won’t work; if I click it I get a “not allowed to access” message. I can’t do a system restore because all the bold dates were deleted, and now my desktop icons and taskbar are gone and I can’t right-click. I can only get to programs via Task Manager, which is how I’m online right now. My explorer.exe file is gone/corrupted and I get the same message I get when I try to open avast. I tried the safe mode thing, all the same: no restore, avast won’t work, and I tried re-downloading avast and opening it again but I keep getting the same message. It corrupts avast as soon as it’s installed. The only thing I can do is the boot scan when you restart your computer after downloading avast, but that doesn’t recognize any virus. I’m getting pop-ups and search engine hijacks, and my computer and internet are really slow now. Lots of things won’t even load; I tried to go to Photobucket to upload my pictures so they wouldn’t be lost but I can’t even get Photobucket to load. Some sites that I’m trying to join for info about this have a captcha and I can’t even see them. I tried downloading other antivirus software like AVG, which I can get to open, but if I hit “scan” nothing happens. I uploaded SUPERAntiSpyware but that won’t even open; it just gives the “end program” message. I’m lost. Anyone know what I can do? Please help.

Comments are closed.