A quick look at Induc Virus

A new virus that infects the Borland Delphi compiler, the Induc virus, was discovered about a week ago. Luckily, while crawling the internet looking for malware, we found a copy of it only 2 days after it was discovered.

The IP address hosting the URI was located in China. The program itself is also in Chinese. We performed a quick behavioural and static analysis using Norman Sandbox and VirusTotal respectively. The results are below.

Norman Sandbox:
[ DetectionInfo ]

* Filename: C:\analyzer\scan\MBK6VB46Y23LCECBFVG5I7NVTRVFL4VD.exe.
* Sandbox name: NO_MALWARE
* Signature name: W32/Induc.A.
* Compressed: NO.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]

* File length: 2994024 bytes.
* MD5 hash: b71e6595a7f53477dfee47b37a9f97f6.
* Packer detection: BobSoft Mini Delphi.

[ Changes to registry ]

* Accesses Registry key "HKLM\Software\Borland\Delphi\4.0".
* Accesses Registry key "HKLM\Software\Borland\Delphi\5.0".
* Accesses Registry key "HKLM\Software\Borland\Delphi\6.0".
* Accesses Registry key "HKLM\Software\Borland\Delphi\7.0".
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".

[ Process/window information ]

* Creates an event called .
* Creates a window with name "sample".
* Attempts to open CLSID {8856F961-340A-11D0-A96B-00C04FD705A2}.

Virus Total:
File MBK6VB46Y23LCECBFVG5I7NVTRVFL4VD. received on 2009.08.23 01:19:22 (UTC)
Current status: finished
Result: 24/41 (58.54%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.22 -
AhnLab-V3 5.0.0.2 2009.08.21 -
AntiVir 7.9.1.3 2009.08.21 W32/Induc.A
Antiy-AVL 2.0.3.7 2009.08.21 -
Authentium 5.1.2.4 2009.08.22 -
Avast 4.8.1335.0 2009.08.22 Win32:Induc
AVG 8.5.0.406 2009.08.22 Win32/Induc
BitDefender 7.2 2009.08.23 Win32.Induc.A
CAT-QuickHeal 10.00 2009.08.22 W32.Induc.A
ClamAV 0.94.1 2009.08.22 Virus.Induc
Comodo 2013 2009.08.23 -
DrWeb 5.0.0.12182 2009.08.23 Win32.Induc
eSafe 7.0.17.0 2009.08.20 -
eTrust-Vet 31.6.6694 2009.08.21 Win32/Induc.A
F-Prot 4.4.4.56 2009.08.22 -
F-Secure 8.0.14470.0 2009.08.23 Virus.Win32.Induc.a
Fortinet 3.120.0.0 2009.08.22 W32/Induc.A
GData 19 2009.08.23 Win32.Induc.A
Ikarus T3.1.1.68.0 2009.08.22 -
Jiangmin 11.0.800 2009.08.21 -
K7AntiVirus 7.10.825 2009.08.22 -
Kaspersky 7.0.0.125 2009.08.23 Virus.Win32.Induc.a
McAfee 5717 2009.08.22 W32/Induc
McAfee+Artemis 5717 2009.08.22 W32/Induc
McAfee-GW-Edition 6.8.5 2009.08.22 Win32.Induc.A
Microsoft 1.4903 2009.08.22 Virus:Win32/Induc.A
NOD32 4359 2009.08.22 a variant of Win32/Induc.A
Norman 2009.08.21 W32/Induc.A
nProtect 2009.1.8.0 2009.08.22 Virus/W32.Induc
Panda 10.0.0.14 2009.08.22 -
PCTools 4.4.2.0 2009.08.22 -
Prevx 3.0 2009.08.23 -
Rising 21.43.50.00 2009.08.22 -
Sophos 4.44.0 2009.08.22 W32/Induc-A
Sunbelt 3.2.1858.2 2009.08.22 Virus.Win32.Induc.a (v)
Symantec 1.4.4.12 2009.08.23 W32.Induc.A
TheHacker 6.3.4.3.386 2009.08.22 -
TrendMicro 8.950.0.1094 2009.08.22 PE_INDUC.A
VBA32 3.12.10.9 2009.08.23 Virus.Win32.Induc.b
ViRobot 2009.8.22.1897 2009.08.22 -
VirusBuster 4.6.5.0 2009.08.22 -

File size: 2994024 bytes
MD5 = b71e6595a7f53477dfee47b37a9f97f6
SHA1 = 8a7e227c269a9ec9c47a79059e64340dc673a077
SHA256 = a5137b6bebc99e1a5f3ad83d471a2d9882dd13133768142a6438b569a3360726

It is interesting to note that, 2 days after the virus was exposed to the public, only 58% of the anti-virus engines are capable of identifying it.

Conclusion:

After static, behavioural and manual analysis of the virus, we concluded that:

* The virus does no harm beyond replicating itself through the Borland Delphi compiler: it infects SysConst.dcu and saves the original version as SysConst.bak
* Borland Delphi versions 4, 5, 6 and 7 are vulnerable
* A copy of the virus will be added to every program compiled on an infected machine
* All programs infected with the virus will be identified as malicious by the AVs
* Limited information is known about the origin of the virus
* Only 58% of AVs are capable of identifying the virus at this moment
* To remove the virus, in most cases it is enough to restore SysConst.bak back to the SysConst.dcu filename
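As an added example (not code from the original post), a small Python check for the indicator described in the conclusion: it flags a Delphi root whose SysConst.dcu differs from a SysConst.bak sitting beside it, and performs the restore step while keeping the replaced unit for analysis. It assumes the unit lives in a Lib subdirectory of the Delphi root, and it builds a constructed sample tree so it can be run without Delphi installed.

```python
"""Added defensive check for the Induc marker the post describes: an infected
Delphi 4-7 install carries a modified SysConst.dcu beside the saved original
SysConst.bak. Assumption (not from the post): the unit sits in <root>\\Lib."""
import os
import shutil
import tempfile

UNIT_DIR = "Lib"  # assumed location of SysConst.dcu under a Delphi root

def unit_paths(root):
    """Return the (SysConst.dcu, SysConst.bak) paths for one Delphi root."""
    lib = os.path.join(root, UNIT_DIR)
    return os.path.join(lib, "SysConst.dcu"), os.path.join(lib, "SysConst.bak")

def check_install(root):
    """Report whether a Delphi root shows the infection marker from the post."""
    dcu, bak = unit_paths(root)
    result = {"dcu_present": os.path.isfile(dcu),
              "bak_present": os.path.isfile(bak), "suspect": False}
    # The virus saves the original unit as SysConst.bak before replacing
    # SysConst.dcu, so a differing .bak next to the .dcu is what to alert on.
    if result["dcu_present"] and result["bak_present"]:
        with open(dcu, "rb") as f1, open(bak, "rb") as f2:
            result["suspect"] = f1.read() != f2.read()
    return result

def restore_backup(root):
    """The post's cleanup: copy SysConst.bak back over SysConst.dcu.
    The replaced unit is kept as SysConst.dcu.infected for later analysis."""
    dcu, bak = unit_paths(root)
    if not (os.path.isfile(dcu) and os.path.isfile(bak)):
        return False
    shutil.move(dcu, dcu + ".infected")
    shutil.copy2(bak, dcu)
    return True

def build_sample_install(infected):
    """Create a throwaway Delphi-like tree with constructed file contents,
    so the functions above can be exercised without a real Delphi install."""
    root = tempfile.mkdtemp(prefix="delphi_")
    dcu, bak = unit_paths(root)
    os.makedirs(os.path.dirname(dcu))
    with open(dcu, "wb") as f:
        f.write(b"INFECTED-SYSCONST" if infected else b"ORIGINAL-SYSCONST")
    if infected:  # only an infected tree has the saved original beside it
        with open(bak, "wb") as f:
            f.write(b"ORIGINAL-SYSCONST")
    return root
```

On a real machine, point `check_install` at the RootDir of each Delphi installation listed under the HKLM\Software\Borland\Delphi keys the sandbox report shows being accessed; a stronger check would compare SysConst.dcu against a known-good copy from installation media, which the post does not provide.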