Threat Description

Virus:​W32/Induc.A

Details

Aliases: Win32.induc.a, Win32.induc, Induc, Virus.Win32.Induc
Category: Malware
Type: Virus
Platform: W32

Summary



A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Virus:W32/Induc.A is a malware that targets Delphi program in the system. It displaces Delphi's original installation folder with %Delphi_Installation_Folder%\Lib\SysConst.pas, and adds malicious code here. Whenever a Delphi program is compiled, the malware's code will be executed to ensure that Delphi remains infected.

Installation process/actions

  • The malware searches for Delphi installation folder by checking for registry HKLM\Software\Borland\Delphi.
  • Once found, it copies %Delphi_Installation_Folder%\Source Rtl\Sys\SysConst.pas to %Delphi_Installation_Folder%\Lib\SysConst.pas.Â
  • It then adds malicious codes to %Delphi_Installation_Folder%\Lib\SysConst.pas, and one of the Delphi library file lib\SysConst.dcu will be renamed to lib\SysConst.bak.
  • The malware compiles the infected SysConst.pas to make a new SysConst.dcu. Therefore, from this point on, the Virus:W32/Induc.A code will be inserted whenever a Delphi program is compiled using the newÂSysConst.dcu.
  • Once done, the malware deletes %Delphi_Installation_Folder%\Lib\SysConst.pas.

Notes

  • The malware does not do anything else if no Delphi is installed in the infected system.
  • The malware has no other threats except self replicating





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More