

August 19th, 2009

Win32:Induc, new concept of file infector?

A few days ago, Andreas Marx (independent AV tester) sent all AV companies a file infected by the “Delphi Source Code infector”. This file was linked by chip.de and a few others. Two days ago, Kaspersky Lab and F-Secure published analyses of this innovative file infector. But this is just the latest media bubble: the virus is actually several months old, and all AV companies were blind to it. Why?

Until now, file infectors (like Virut, Sality, Parite, …) have modified executable files on the victim’s machine. They appended their body and changed the entry point – “that’s all”. Win32:Induc is different. The infected file looks for the Borland Delphi compiler on the victim’s machine. If Delphi is found, the source file SysConst.pas is replaced by a malicious one and compiled into SysConst.dcu. Each new build of any Delphi project on an infected machine (every build that uses SysConst.dcu – practically all of them) produces an infected file. This malware is thus built by legitimate (“white”) programmers without their knowledge or permission. Many of the resulting files are digitally signed and distributed globally through download servers.

A few statistics: a few hours after VPS update 090818-0 (which contains the detection for Win32:Induc) we received hundreds of suspected “false positive” reports – all of them were real infections. In the last 12 hours (since the VPS was released) avast! has found ~200 000 infected files.

Categories: analyses, Virus Lab
  • Tech

    Yeah…
    Microsoft Security Essentials is detecting Glary Utilities executables compiled with Delphi as being infected. Are they false positives, or is Glary really infected?

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fInduc.A&threatid=2147627628

  • http://www.avast.com Michal Trs

    Glary Utilities (build 2.15.0.728) is infected. The latest build, 2.15.0.738 from 18 August, is clean.

  • spg SCOTT

    Michal Trs :
    Glary Utilities (build 2.15.0.728) is infected. The latest build, 2.15.0.738 from 18 August, is clean.

    Are you sure?
    http://forum.avast.com/index.php?topic=47792

  • Gil

    So… My Weather Pulse software is infected (“Sign of “Win32:Induc” has been found in “C:\program files\Weather Pulse\Weather Pulse”). What to do?

  • http://www.avast.com Michal Trs

    @Gil
    Dear Gil, you should uninstall / delete it and wait for a new release of this application. This must be fixed on the developer’s side. They must replace the source code file SysConst.pas with the original one and rebuild SysConst.dcu. Then rebuild a “virus clean” application. It’s easy…

  • Rey

    Is this a false positive alert? Avast detected Win32:Induc on my computer, and some files were erased by me instead of being moved to the virus vault.

  • spg SCOTT

    @spg SCOTT
    Ignore that last post, turns out you were right :)

    For those asking about ‘False Positives’ etc. – the best place to ask would be the help forum:
    http://forum.avast.com

  • Francine

    Keep it simple for me. Win32Induc, is it a problem or not?

  • Milos

    Francine :
    Keep it simple for me. Win32Induc, is it a problem or not?

    Yes, it is a problem if it is detected on your computer and if you have Delphi ver. 4 — 7 installed. No false positive was detected yet.

  • YoKenny

    It is a problem with applications compiled with an infected Delphi compiler.
    The application developers are probably aware of this now and are busy disinfecting their systems and then re-compiling their application to release a non-infected version.
    As spg SCOTT says it is best to follow this in the help forum:
    http://forum.avast.com/index.php?topic=47773.0

  • Milos

    How to get rid of Win32:Induc infection:

    For Delphi application developers, the fastest way to disinfect Delphi is to delete “<Delphi directory>\Lib\SysConst.dcu” and copy “SysConst.bak” to “SysConst.dcu” in the same directory. The remaining SysConst.bak keeps the system from repeated infections.
    And of course compile the applications again.

    For other users, the way to get rid of an infected application is to uninstall/delete the application and wait for a new release, and of course scan the new release to make sure that the author disinfected his Delphi.

  • http://www.avast.com Michal Trs

    The detection is accurate. If the whole virus body is found, then avast! reports the virus Win32:Induc. This detection can’t produce false positive alerts.

  • Denise Benner

    So how do we fix this? I woke up to like 10 alerts for Win32:Induc. Avast is dead in the water, I’m in safe mode. I’ve repaired it and am waiting to reboot.
    Denise

  • Pingback: Virus infiziert Delphi Entwicklungsumgebung - Paules-PC-Forum.de

  • Karrier

    Just one question: can you get this virus alert on Avast if you don’t have Delphi?
    I think I didn’t install Delphi but Avast says I’m infected.
    Also I can’t really locate the Delphi folder…

  • http://www.avast.com Michal Trs

    @Karrier
    The answer is yes. Actually I think that almost all files infected by Win32:Induc are found on computers without a Delphi compiler.

    A developer using Delphi has been infected by Win32:Induc (without permission). From that moment on, all recompiled projects become infected. The projects are uploaded to a download server and distributed world wide. You simply download this infected project…

  • Pingback: Zero in a bit » Trust Your Own Code?! Trust Your Own Compiler?!

  • saj

    What damage will the virus cause if not detected on a user’s PC?

  • http://nezman.webs.com Naean

    Looks like news spreads fast about Win32:Induc, huh? Then again, it IS spreading its malicious presence all over the internet.

    Well, one of my Grand Theft Auto IV modifications, GTA IV File Check Fix v1.0.4.0, is now infected with this dreaded Win32:Induc virus. (http://www.gtagaming.com/downloads/gta-iv/script-mods/2432).

    If you have this mod installed on your computer, scan it immediately. Delete it pronto if it is infected.

    I’ve also noticed that files which are infected with Win32:Induc try to add a copy of the Win32:Induc virus to the AppData folder on your computer. avast! stopped it on my PC, though! Nice.

    Thanks for keeping us informed, ALWIL Software!

  • http://nezman.webs.com Naean

    @saj

    Not sure. All I know is that Induc isn’t good news. (Then again, no malware is good, is it?)

  • Milos

    saj :
    What damage will the virus cause if not detected on a user’s PC?

    It affects only systems with Delphi ver. 4 — 7 installed. It creates a backup of SysConst.dcu (SysConst.bak), creates the file SysConst.pas, compiles it to SysConst.dcu and changes the file date back to the original one. This unit is included in the majority of Delphi projects, so newly compiled applications are infected.
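    As an added example (not code from the post, the comments or avast!), a small Python check for the on-disk indicators Milos describes above, followed by the restore step from his earlier comment (copy SysConst.bak back over SysConst.dcu, keep the .bak). That SysConst.pas is dropped into the Lib directory is an assumption; the sample Delphi tree is constructed in a temp directory.

    ```python
    import shutil
    import tempfile
    from pathlib import Path

    # Indicators described in the thread: Induc backs up Lib\SysConst.dcu as
    # SysConst.bak, drops its own SysConst.pas (assumed: into Lib) and recompiles it
    # over SysConst.dcu, so a .bak or a .pas next to the .dcu is worth a look.
    def induc_indicators(delphi_dir):
        """Return the indicator file names found in <delphi_dir>/Lib ([] = nothing suspicious)."""
        lib = Path(delphi_dir) / "Lib"
        found = []
        if (lib / "SysConst.bak").exists():
            found.append("SysConst.bak")   # backup the infector leaves behind
        if (lib / "SysConst.pas").exists():
            found.append("SysConst.pas")   # dropped source (location assumed)
        return found

    def restore_sysconst(delphi_dir):
        """Milos's cleanup: replace the rebuilt SysConst.dcu with the SysConst.bak copy.
        SysConst.bak is deliberately kept; the thread says it prevents repeated infection."""
        lib = Path(delphi_dir) / "Lib"
        bak, dcu = lib / "SysConst.bak", lib / "SysConst.dcu"
        if not bak.exists():
            return False                   # nothing to restore from
        if dcu.exists():
            dcu.unlink()
        shutil.copyfile(bak, dcu)
        return True

    def build_sample_install(root):
        """Constructed sample: a Delphi-like tree in the state the thread describes after infection."""
        lib = Path(root) / "Lib"
        lib.mkdir(parents=True)
        (lib / "SysConst.bak").write_bytes(b"ORIGINAL-DCU")   # clean unit, backed up
        (lib / "SysConst.dcu").write_bytes(b"REBUILT-DCU")    # unit recompiled from dropped source
        (lib / "SysConst.pas").write_bytes(b"// dropped source")
        return str(root)

    def demo():
        """Run check -> restore -> re-check on the constructed tree and return what was seen."""
        with tempfile.TemporaryDirectory() as tmp:
            d = build_sample_install(tmp)
            before = induc_indicators(d)
            restored = restore_sysconst(d)
            dcu_after = (Path(d) / "Lib" / "SysConst.dcu").read_bytes()
            return before, restored, dcu_after
    ```
    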

  • http://N/A TenBaz

    “What damage will the virus cause if not detected on users pc?”

    Absolutely nothing. This ‘virus’ is malign and the only thing it does is replicate itself. And even then, as it only modifies Delphi files (not other exe’s like a normal virus), it will only infect a machine with Delphi versions prior to V8 installed on them.

    If you do have a third-party Delphi-compiled exe file which is infected, but don’t have Delphi installed then don’t worry – just get the latest clean version of the app when it becomes available.

    More of a worry is when the ‘developers’ of this virus take it to the next level and add a malicious ‘payload’ to the virus…

    TenBaz

  • Ian

    I just turned on my computer for the first time this morning. 7:20 AM PDST, Friday.

    I don’t usually pay attention during turn-on but noticed a pop-up that Norton Internet Security 2009 reported that it found W32.Induc.A and removed it. It was in d:\program files\icon commander\iconcommander.exe downloaded from GOTD.

    Norton says that it’s Severity is HIGH.

    It appeared within a minute of going to Firefox.

  • 乐平

    Is it because of this problem that my utility software no longer works? I had no choice but to turn off AVAST.

  • Regulus

    F-secure already detected this virus on Aug 16th on my computer pointing to two Glary Utilities files by the name of “joinexe.exe” and “encryptexe.exe” .. I did email Glary support on Aug 17th but they did not give me any sign of life …
    Is it still not clear what the damage that is caused by this infection is?

  • Pingback: Malware infecta c

  • Pingback: Pcmav 2.1 Terinfeksi Virus W32/Induct.A « khiang’s weblog

  • Translater

    乐平 :
    Is it because of this problem that my utility software no longer works? I had no choice but to turn off AVAST.

    Translation: Is this why my equipment is no longer working? I have no choice but to shut down AVAST.

  • Pingback: Arvutikaitse » Blog Archive » Ebatavaline viirus W32.Induc.A

  • http://N/A TenBaz

    In theory, any software developer that writes their software with versions of Delphi prior to V8 can inadvertently distribute infected exe’s.

    However, as I said before, at the moment the ‘virus’ ONLY targets installations of Delphi, so if you don’t use Delphi, it’s harmless – regardless of what Norton says (many AV products overstate the case to frighten Joe Public and make him think it would have been the end of the world had he not been using it)! :)

    If you desperately need to use an infected file and you don’t have Delphi installed you shouldn’t have any problems, (assuming that your AV software doesn’t automatically zap it).

    The major problem is that although the infection might not directly infect you, there is the chance that you might transfer it to someone else who does use Delphi – hence I assume the High Risk level suggested by Norton.

    It took me about a minute to get rid of it from my Delphi directory, recompiled my apps and replaced the infected ones on the other machines on the network. After doing this, all the other machines showed as clean, so it isn’t going to cause anyone any major headaches like a normal virus would – ie Windows re-install or loss of files…

    It was spotted and dealt with instantly by AVG Free so I can’t see why Avast should be any different. A machine freezing up suggests the problem is elsewhere.

    TB

  • Pingback: 無題なログ

  • nancy millar

    HELP!!! I need to get this GREEN AV off my computer. I scanned and 1 part/file was dumped, but the other 2 files it says it is unable to scan! I have been dealing with this for hours, the virus for a week now, and the program trying to delete it for several hours is not getting anywhere.
    Please help!

  • http://www.gsa-online.de/eng/delphi_induc_cleaner.html GSA

    GSA has developed a freeware tool that can remove the Win32/Induc.A virus completely from executables and let you start them again without your antivirus complaining about it.

    http://www.gsa-online.de/eng/delphi_induc_cleaner.html

  • xatzaras

    hello!

    urgent notice to avast moderators.

    PLEASE LOOK HERE FOR AVAST CRITICAL VULNERABILITY FOUND:

    http://www.securityfocus.com/bid/36115/discuss

  • Anon

    Unblock The Pirate Bay!

  • http://www.avast.com Michal Trs

    Thank you for all the comments. This comment section is not a good place to discuss malware infections / problems with Avast / blocked domains (it usually needs a long conversation). Please go to http://forum.avast.com and ask our user community – there are very skilled guys there who may help you.

  • Stephen Camm

    Win32 induc will destroy your system. Here’s what’s occurred thus far and I have left a test build running, accessing applications.

    It came from Glary Utilities…..DETECTED AFTER I reloaded Avast (anti-virus)
    Secondly…IT WIPED OUT AVAST when I disabled it (not connected to the net).
    The latter was done as the original symptom was an inability to get the net and I was working thru networking solutions.
    It has also wiped out system restore, Malwarebyte, event viewer.
    Currently in the process of seeing if I can fix this system without doing a repair or reinstall. It’s messy.

  • GeoffK

    Troubleshooting a customer’s computer. After discovering that the device manager seemed to be missing, I ran a boot scan with AVAST. Found: C:\program files\Iobit\Iobit Security\Ffsweep.dll was infected with WIN32:INDUC. I found it interesting in the previous posts that developers may be inadvertently pushing this thing out with program updates. IOBIT is the maker of Advanced System Care, which is in use on this machine (and many of ours too). I wonder if this thing rode piggyback on a ASC update?????

  • Juan Silva

    Alwil should accept donations for the Avast Home, like Spybot Search & Destroy, SUPERAntiSpyware and Openoffice.org do with their software.
    Greetings from Chile of Juan, a fan of Avast Home.

  • Juan Silva

    The user donations from around the world, are a good way to permanently strengthen Avast Home.

  • Juan Silva

    Avast can beat Avira and AVG. I even think that Avast can become the best antivirus in the world. However, Avast Home must always remain strong, and this should be done through donations from around the world.

  • Pingback: Delphi virüsü !!! « Ercan Erdoğan

  • Averroes

    Avast, AVG, or Avira. All say “Game Booster” (IOBit freeware) is infected.

  • http://gameBooster(IOBitfreeware) Deanna Baker

    YoKenny :
    It is a problem with applications compiled with an infected Delphi compiler.
    The application developers are probably aware of this now and are busy disinfecting their systems and then re-compiling their application to release a non-infected version.
    As spg SCOTT says it is best to follow this in the help forum:
    http://forum.avast.com/index.php?topic=47773.0

  • 808tida

    I need help big time. I have avast and I think I got a huge virus downloaded from an iframe. Long story short, there was a fake virus scanner downloaded on my computer. My avast won’t work; if I click it I get a “not allowed to access” message. I can’t system restore because all the bold dates were deleted, and now my desktop icons & taskbar are gone and I can’t right click. I can only gain access to programs via task manager, which is how I’m online right now… My explorer.exe file is gone/corrupted and I get the same message I get when I try to open avast. I tried doing the safe mode thing… all the same… no restore, avast won’t work, and I tried redownloading avast and opening it again but I keep getting the same message. It corrupts avast as soon as it’s installed. The only thing I can do is the boot scan when you restart your computer after downloading avast, but that doesn’t recognize any virus. I’m getting pop ups and search engine hijacks, and my computer and internet are really slow now… Lots of things won’t even load; like I tried to go to photobucket to upload my pictures so they wouldn’t be lost, but I can’t even get photobucket to load. Some sites that I’m trying to join for info about this will have a captcha and I can’t even see them. I tried downloading other anti virus software like AVG, which I can get to open, but if I hit “scan” nothing happens… I uploaded SUPERAntiSpyware but that won’t even open, it just gives the “end program” message. I’m lost… anyone know what I can do? Please help.