Our good friends at Kaspersky Lab have done an interesting analysis piece on Induc, the malware that infects a Delphi system file (the SysConst runtime unit in the compiler's library) so that every program subsequently built with the infected compiler carries the infector along with it.
When Induc was first discovered around the middle of August, Denis Nazarov at Kaspersky did a blog piece on it. Several weeks later the Kaspersky folks published a longer analysis and concluded that Induc has some genuinely new features. They also concluded that it might have been circulating for many months before it was detected, possibly as far back as November 2008, and that there could be millions of infected copies around. Fortunately, it has no malicious payload beyond spreading itself.
“...as far as we know, no-one’s tried to directly infect the service files of a compiler before. This approach is so unusual that it doesn’t fit anywhere in our current classification system. Induc isn’t a virus in the strict sense of the word, because it doesn’t directly infect files. It modifies a single system file rather than every file which it finds. Induc can’t be called a worm, and it can’t be called a Trojan either, even though it does possess certain hallmarks of such types of malware. So Induc really is something new.”
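Because the infection lives in the compiler's own library rather than in the programs a developer writes, the practical defence is to treat the toolchain as a supply-chain artifact and verify it before each build. The following is an added example, not code from this post or from Kaspersky: it records SHA-256 hashes of a compiler library directory into a trusted manifest and later reports any modified, added or missing files. The directory layout and the unit names in the demo (SysConst.dcu and friends) are constructed placeholders that merely mimic a Delphi Lib folder; the file contents are not real Delphi units.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large runtime units do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(lib_dir: Path) -> dict:
    """Map every file under lib_dir (path relative to lib_dir, forward slashes) to its SHA-256.
    In practice this is generated from a clean install and stored outside the build host."""
    manifest = {}
    for entry in sorted(lib_dir.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(lib_dir).as_posix()] = sha256_file(entry)
    return manifest


def verify_manifest(lib_dir: Path, trusted: dict) -> dict:
    """Compare the current library tree against the trusted manifest.
    A compile-time infector that rewrites one runtime unit shows up under 'modified';
    a dropped helper unit would show up under 'added'."""
    current = build_manifest(lib_dir)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "missing": sorted(k for k in trusted if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a fake 'Lib' directory with three placeholder runtime units,
    a manifest taken while it is clean, then one unit rewritten the way a compiler
    infector would, and a verification pass over the tampered tree."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        lib.mkdir()
        (lib / "SysConst.dcu").write_bytes(b"placeholder runtime unit A")
        (lib / "SysUtils.dcu").write_bytes(b"placeholder runtime unit B")
        (lib / "System.dcu").write_bytes(b"placeholder runtime unit C")

        trusted = build_manifest(lib)  # snapshot of the clean toolchain
        clean_report = verify_manifest(lib, trusted)
        assert clean_report == {"modified": [], "added": [], "missing": []}

        # Simulate the infection: the single runtime unit is rewritten in place, so every
        # program compiled from now on would link the modified unit.
        (lib / "SysConst.dcu").write_bytes(b"placeholder runtime unit A" + b" + injected code")
        return verify_manifest(lib, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check from a build script before invoking the compiler and fail the build on any non-empty list; since Induc-style infectors modify the library once and then ride along silently, a manifest taken at install time is the only reference that still reflects a clean toolchain after the fact.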
Because Induc is baked into otherwise legitimate programs at compile time, whitelisting companies have a big problem on their hands: applications they would normally mark as known-good now carry the infector, and they have to sort out which of those binaries are actually clean.
The folks at Kaspersky also noticed something else interesting: banking Trojans, probably from Brazil, that themselves contain Induc. That means the Delphi installations used by those malware writers were infected too. Delphi is popular in that country.
See the Kaspersky analysis here.
Vipre detects Induc as Virus.Win32.Induc.a (v).