1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Virus:W32/Induc.A

Virus:W32/Induc.A

Name : Virus:W32/Induc.A
Detection Names : Virus.Win32.Induc.a
Category:Malware
Type:Virus
Platform:W32

Summary

A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Additional Details

Virus:W32/Induc.A is a malware that targets Delphi program in the system. It displaces Delphi's original installation folder with %Delphi_Installation_Folder%\Lib\SysConst.pas, and adds malicious code here. Whenever a Delphi program is compiled, the malware's code will be executed to ensure that Delphi remains infected.


Installation process/actions
  •  The malware searches for Delphi installation folder by checking for registry HKLM\Software\Borland\Delphi.
  • Once found, it copies %Delphi_Installation_Folder%\Source Rtl\Sys\SysConst.pas to %Delphi_Installation_Folder%\Lib\SysConst.pas. 
  • It then adds malicious codes to %Delphi_Installation_Folder%\Lib\SysConst.pas, and one of the Delphi library file lib\SysConst.dcu will be renamed to lib\SysConst.bak.
  • The malware compiles the infected SysConst.pas to make a new SysConst.dcu. Therefore, from this point on, the Virus:W32/Induc.A code will be inserted whenever a Delphi program is compiled using the new SysConst.dcu.
  • Once done, the malware deletes %Delphi_Installation_Folder%\Lib\SysConst.pas.

Notes
  •  The malware does not do anything else if no Delphi is installed in the infected system.
  • The malware has no other threats except self replicating