Hi users of the unique NS extension,
Friends, there is a new trend out among malcreants: trying to take out a whole class of software on a machine with a file infector that arrives via the compiled program. If one of the programs you have was made with a certain version of Borland Delphi, then since today various AVs will flag it as Win32:Induc infected.
A program that I lost to this file infector is Event Log Explorer [ASProtect] - read an analysis of the malcode here:
http://www.viruslist.com/en/weblog?weblogid=208187826
and here: http://www.f-secure.com/weblog/archives/00001752.html
Also about the infection: http://forum.avast.com/index.php?topic=47738.0
or here: http://www.sophos.com/blogs/gc/g/2009/0 ... re-houses/
Some 3000 programs have to be updated and signed anew. In addition, and quite ironically, we have seen a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A aka Win32:Induc.
Also, MS has flagged it for two days now: a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.
The applications were being distributed with the virus code already embedded, due to an unusual trick employed by the malware author or authors.
The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any programs which are subsequently compiled using the compromised compiler contain the virus code. Although no payload is dropped and no malicious action is taken other than self-reproduction, the spreading of this virus to installer packages proves that this extremely unusual infection vector is, in fact, valid and relevant today, raising concerns that it will eventually be used for nefarious purposes. We'll keep you informed.
luntrus aka polonus
Primitive file infector for Borland Delphi proggies
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Primitive file infector for Borland Delphi proggies
This virus is not as new as people think. It was a PoC that got out of hand about 3 months ago, when some douche decided to release it into the wild. It can be kept at bay and prevented from spreading relatively easily, but it is still annoying. Here are a couple of recent articles for those interested:
http://www.computerweekly.com/Articles/ ... e-code.htm
http://news.zdnet.com/2100-9595_22-332782.html
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: Primitive file infector for Borland Delphi proggies
Quoth luntrus:
Also MS has flagged it for two days now: a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.
Oh, how nicely ironic. The biters bit :-)
No AV exes made with Borland, I trust ;-)
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Primitive file infector for Borland Delphi proggies
Actually, Microsoft Security Essentials flagged it before anyone else, or at the very least as soon as many of the forerunners, and it is still in private beta. AntiVir flagged it shortly after, and the rest pretty much followed suit.
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: Primitive file infector for Borland Delphi proggies
The "biter" I meant in luntrus' quote was the banking trojan writers, not MS, at least not this time :-)
a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Primitive file infector for Borland Delphi proggies
Gotcha!