New, More Dangerous Variant of Induc Set to Spread Aggressively

A bigger, more vicious version of the old compile-a-virus piece of malware called Win32.Induc.A has hit the wild. This piece of malware, perhaps the most innovative to come out so far this year, is ready to infect any executable files it finds and comes with botnet malware.

While the initial variant of this file infector was relatively harmless, except that it would add its viral code to any applications you compile, the overhauled variant we identified in the wild packs a bigger punch and is truly malicious. While the previous version (Win32.Induc.A) only targeted Delphi compilers from version 4 through 7, the new variant (identified as Win32.Induc.P) is able to successfully infect both the Delphi compiler and newer products from Embarcadero (RAD Studio 2005 through RAD Studio XE).

More than that, while the malicious code would only infect applications created with the infected compiler, the new Win32.Induc.P is able to infect any executable file it finds on the PC. The virus also manifests worm behavior, as it is able to “jump” from one computer to another via removable storage media such as pen-drives, USB disks or memory cards.

Whenever an infected application is run, the virus has a downloader part that tries to connect to some encrypted URLs hardcoded into it. It then starts downloading the specified piece of malware and installs it on the already-compromised computer. The samples analyzed by Bitdefender were installing both a keylogger and a backdoor application that allows a remote attacker to take control over the machine.

Why is this piece of malware particularly important?

One of the worst things about viruses is the fact that they actually infect files. You can have a perfectly clean system and, next second after you ran a file, you may find most of the executable files compromised.

Based on our previous experience with the first two variants of the Induc virus, we expect to see the P variant pop on software download portals, as unwary Delphi/RAD Studio developers whose compilers have been infected update their applications. This is also one of the situations where legit software, delivered via legit distribution channels, might infect your computer. We advise, more than ever, that you systematically scan all the downloaded files with an updated antivirus.

If you have already been infected, fear not. We provide a free removal tool that can clean infected executable files with zero data loss. The tool can be downloaded from the Removal Tools section of Malware City:

Download the 32-bit version of the tool here

Download the 64-bit version of the tool here

The removal tool is available courtesy of Bitdefender malware researchers Doina Cosovan and Mihail Andronic.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.