BitDefender weekly review

Win32.Induc.A

The virus
spreads by infecting Delphi development environments (versions 4 through 7).
When an infected executable is run, the virus checks the registry for specific
Delphi entries and if found, it exacts the version and installation path of the
compiler, if the version is supported.

Next it
will copy %delphi_install_path%SourceRtlSysSysConst.pas to %delphi_install_path%LibSysConst.pas
and adds its malicious code to the implementation section of it. The file is
compiled which results in an infected SysConst.dcu (Delphi compiled unit). The
original SysConst.dcu is copied into SysConst.bak beforehand. The source file (Sysconst.pas)
is deleted after compilation.

As SysConst.dcu is included in every compiled file, all of
the resulting executables will contain the virus code.

Win32.Induc.A takes no action if the computer doesn’t
contain any Delphi installation.

 

Trojan.FakeAv.QF

Another
rogue security product plagues users this week. Intuitively called Total
Security (a play on BitDefender’s Total Security products line) the fake
antivirus tries to trick users into installing it.

When first
run, the malware copies itself to c:Documents and SettingsAll
UsersApplication Data[Rnd8][Rnd8].exe and executes a batch script to delete
the original file.

It makes
changes to the registry to ensure it is being executed at every system startup.

Then it
start a fake scan of the system, presenting the same hard-coded “infections” to
the user regardless of the computers’ state.

In order to
“clean” the system, the user is forced to pay for the software. The e-threat is
randomly closing processes and marks them as infected.

 

Information
in this article is available courtesy of BitDefender virus researchers: Dana
Stanut and Horea Coroiu