Win32.Induc.A spreads by infecting Delphi development environments (versions 4 through 7).
When an infected executable is run, the virus checks the registry for specific
Delphi entries and, if they are found, extracts the version and installation path of the
compiler, provided the version is supported.
The virus then copies %delphi_install_path%\Source\Rtl\Sys\SysConst.pas to %delphi_install_path%\Lib\SysConst.pas
and adds its malicious code to the implementation section of that file. The file is
compiled, which results in an infected SysConst.dcu (Delphi compiled unit). The
original SysConst.dcu is copied to SysConst.bak beforehand. The source file (SysConst.pas)
is deleted after compilation.
As SysConst.dcu is included in every compiled file, all of
the resulting executables will contain the virus code.
Win32.Induc.A takes no action if the computer doesn’t
contain any Delphi installation.
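As an added defender-side illustration (not code from the original article or from BitDefender), the following Python function looks for the traces the infection routine above leaves in a Delphi Lib directory: the SysConst.bak backup, a leftover SysConst.pas, and a SysConst.dcu that is much newer than the rest of the compiled RTL. The "newer than the other .dcu files" heuristic and the constructed sample tree are my assumptions, not details from the article.

```python
"""Defender-side check for the file-system traces Win32.Induc.A leaves in a Delphi Lib directory."""
import os
import tempfile
from pathlib import Path
from typing import List

# One day of slack: a normal install writes every .dcu at roughly the same time.
RECOMPILE_SLACK_SECONDS = 86400


def induc_indicators(delphi_root: str) -> List[str]:
    """Return the indicators found under <delphi_root>/Lib, based on the routine described above.

    - SysConst.bak : backup of the original compiled unit, made before the infected rebuild
    - SysConst.pas : the patched source copy; normally deleted, so its presence is suspicious
    - SysConst.dcu newer than every other .dcu by more than a day: rebuilt after installation
      (heuristic assumed here, not taken from the article)
    """
    lib = Path(delphi_root) / "Lib"
    findings = []
    if (lib / "SysConst.bak").exists():
        findings.append("Lib/SysConst.bak present (backup of the original unit)")
    if (lib / "SysConst.pas").exists():
        findings.append("Lib/SysConst.pas present (RTL source belongs in Source/Rtl/Sys, not Lib)")
    target = lib / "SysConst.dcu"
    others = [p.stat().st_mtime for p in lib.glob("*.dcu") if p.name.lower() != "sysconst.dcu"]
    if target.exists() and others and target.stat().st_mtime > max(others) + RECOMPILE_SLACK_SECONDS:
        findings.append("Lib/SysConst.dcu is much newer than the rest of the RTL (recompiled)")
    return findings


def build_demo(infected: bool) -> str:
    """Constructed sample tree in a temp directory (not a real Delphi install) for trying the check."""
    root = Path(tempfile.mkdtemp(prefix="delphi_demo_"))
    lib = root / "Lib"
    lib.mkdir()
    installed_at = 1_000_000_000  # arbitrary fixed timestamp for the "original" install
    for name in ("System.dcu", "SysUtils.dcu", "SysConst.dcu"):
        (lib / name).write_bytes(b"\x00dcu")
        os.utime(lib / name, (installed_at, installed_at))
    if infected:
        (lib / "SysConst.bak").write_bytes(b"\x00dcu")
        (lib / "SysConst.pas").write_text("unit SysConst; { patched copy }")
        later = installed_at + 30 * 86400
        os.utime(lib / "SysConst.dcu", (later, later))
    return str(root)


if __name__ == "__main__":
    for flag in (False, True):
        print("infected" if flag else "clean", "->", induc_indicators(build_demo(flag)) or ["no indicators"])
```

On a real machine the Delphi root would come from the registry entries the virus itself reads; the function only needs the resulting path.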
A rogue security product plagues users this week. Intuitively called Total
Security (a play on BitDefender’s Total Security product line), the fake
antivirus tries to trick users into installing it.
Once run, the malware copies itself to c:\Documents and Settings\All
Users\Application Data\[Rnd8]\[Rnd8].exe and executes a batch script to delete
the original file.
It then makes changes to the registry to ensure it is executed at every system startup.
Next it starts a fake scan of the system, presenting the same hard-coded “infections” to
the user regardless of the computer’s state.
In order to
“clean” the system, the user is forced to pay for the software. The e-threat also
randomly closes processes and marks them as infected.
The information in this article is available courtesy of BitDefender virus researchers Dana
Stanut and Horea Coroiu.