
New, more dangerous variant of Induc set to spread aggressively

The updated file-infector features botnet capabilities and is extremely viral 

SYDNEY & AUCKLAND – September 19, 2011 – Bitdefender, an award-winning provider of innovative internet security solutions, has identified a bigger, more vicious version of Win32.Induc.A, the old compile-a-virus piece of malware. Bitdefender is warning consumers about the new variant because it infects any executable files it finds and spreads botnet malware.

The initial variant of this file infector was relatively harmless, except that it would add its viral code to any applications users compiled. The overhauled variant Bitdefender has identified packs a bigger punch and is truly malicious. While the previous version (Win32.Induc.A) only targeted Delphi compilers from version 4 through 7, the new variant (identified as Win32.Induc.P) is able to successfully infect both the Delphi compiler and newer products from Embarcadero (RAD Studio 2005 through RAD Studio XE).

While the earlier malicious code would only infect applications created with the infected compiler, the new Win32.Induc.P is able to infect any executable file it finds on the PC. The virus also exhibits worm behaviour, as it is able to ‘jump’ from one computer to another via removable storage media such as pen-drives, USB disks or memory cards.

Whenever an infected application is run, the virus has a downloader part that tries to connect to some encrypted URLs hardcoded into it. It then starts downloading the specified piece of malware and installs it on the already-compromised computer. The samples analysed by Bitdefender were installing both a keylogger and a backdoor application that allows a remote attacker to take control over the machine.

Why is this piece of malware particularly important?

One of the worst things about viruses is the fact that they actually infect files. One moment you can have a perfectly clean system, and the next second, you run a file and find most of the executable files compromised.

Based on previous experience with the first two variants of the Induc virus, we expect to see the P variant pop up on software download portals, as unwary Delphi/RAD Studio developers whose compilers have been infected update their applications. This is also one of the situations where legitimate software, delivered via legitimate distribution channels, might infect users’ computers. Bitdefender advises that users systematically scan all downloaded files with an updated antivirus.

If consumers have already been infected, don’t fear. Bitdefender can provide a free removal tool that can clean infected executable files with zero data loss. The tool can be downloaded from the Removal Tools section of Malware City:

Download the 32-bit version of the tool here

Download the 64-bit version of the tool here

The removal tool is available courtesy of Bitdefender malware researchers Doina Cosovan and Mihail Andronic.