Primitive file infector for Borland Delphi proggies
Posted: Wed Aug 19, 2009 6:41 pm
Hi users of the unique NS extension,
Friends there is a new trend out among malcreants, trying to take out a whole class of software on a machine with a file infector coming by vector of the compiled program. If one of the programs you have is made with a certain version of Borland Delphi since to-day various av will flag this as Win32:Induc infected.
A program that I lost to this file infector is Event Log Explorer [As Protect] - read an analysis of the malcode here:
http://www.viruslist.com/en/weblog?weblogid=208187826
and here: http://www.f-secure.com/weblog/archives/00001752.html
Also about the infection: http://forum.avast.com/index.php?topic=47738.0
or here: http://www.sophos.com/blogs/gc/g/2009/0 ... re-houses/
A number of 3000 programs have to be updated and signed anew. In addition, and quite ironically, we have seen a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A aka Win32: Induc.
Also MS flags it now since two days.
The applications were being distributed with the virus code already embedded, due to an unusual trick employed by the malware author or authors.
The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any programs which are subsequently compiled using the compromised compiler contain the virus code. Although no payload is dropped or malicious action taken other than self-reproduction, the spreading of this virus to installer packages proves that this extremely unusual infection vector is, in fact, valid and relevant today, raising concerns that it will eventually be used for nefarious purposes. We'll keep you informed.
luntrus aka polonus