Sophos

W32/Induc-A

Aliases
  • Virus.Win32.Induc.a
Category
Type

Summary

 
How it spreads
  • Infected files
Affected operating systems: Windows
Protection available since: 18 August 2009 15:14:59 (GMT)
Last updated: 21 August 2009 10:40:19 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing infected executable files.

If you are a client who has received an application infected with W32/Induc-A, please contact the supplier of the software. Inform them of the infection, and please ask them to contact either Sophos or the technical support of their anti-virus supplier as appropriate. When they have cleaned up their Delphi installation, they should then be able to supply you with clean versions of their software.

If you are a Delphi developer, or if you have Delphi installed and may have executed an infected application, then as well as cleaning up infected executables you will also need to clean your Delphi installations. By default, Sophos products do not scan files with .dcu and .pas extensions, so you will need to turn on the option to scan all file extensions and run a full system scan. Sophos Anti-Virus (SAV) will then detect infected SysConst.dcu files. Replace these with clean backups. If the virus has copied the original SysConst.dcu to SysConst.bak, copy SysConst.bak to SysConst.dcu. Leaving a copy of SysConst.bak in place should prevent reinfection.

When you have cleaned Delphi, recompile clean versions of your software to redistribute to your customers and to replace the infected executables.
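
The SysConst.dcu restore step described above, as an added Python example that is not Sophos code. It assumes SysConst.bak is the virus-made copy of the original unit, as this page describes, and that the full scan has already flagged the installation; the function names, `sample_dir` and `dry_run` are hypothetical.

```python
import hashlib
import os
import shutil

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_sysconst_pairs(root):
    """Yield (dcu_path, bak_path, differs) for every directory under root
    that holds a SysConst.bak; file names are matched case-insensitively."""
    for dirpath, _dirs, files in os.walk(root):
        by_name = {name.lower(): name for name in files}
        if "sysconst.bak" not in by_name:
            continue
        bak = os.path.join(dirpath, by_name["sysconst.bak"])
        dcu_name = by_name.get("sysconst.dcu")
        dcu = os.path.join(dirpath, dcu_name) if dcu_name else None
        differs = dcu is None or _sha256(dcu) != _sha256(bak)
        yield dcu, bak, differs

def restore_from_bak(dcu, bak, sample_dir):
    """Copy SysConst.bak over SysConst.dcu and leave the .bak in place.
    The replaced .dcu is first moved to sample_dir so it can be submitted
    for analysis instead of being lost."""
    target = dcu or os.path.join(os.path.dirname(bak), "SysConst.dcu")
    if dcu is not None:
        os.makedirs(sample_dir, exist_ok=True)
        shutil.move(dcu, os.path.join(sample_dir, _sha256(dcu) + ".dcu.sample"))
    shutil.copy2(bak, target)  # copy, not move: the .bak must stay behind
    return target

def clean_tree(root, sample_dir, dry_run=True):
    """Return the SysConst.dcu paths that were (or, in a dry run, would be)
    restored. sample_dir should live outside root."""
    restored = []
    for dcu, bak, differs in list(find_sysconst_pairs(root)):
        if not differs:
            continue  # .dcu already matches the backup
        target = dcu or os.path.join(os.path.dirname(bak), "SysConst.dcu")
        if not dry_run:
            target = restore_from_bak(dcu, bak, sample_dir)
        restored.append(target)
    return restored
```

Run it with `dry_run=True` first to review which units would be replaced, and still scan the restored files before recompiling.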

More Information

W32/Induc-A is a virus that infects Delphi files at compile-time. As such, these files cannot be disinfected and need to be recompiled cleanly.

W32/Induc-A searches computers for installations of Delphi, then attempts to temporarily modify SysConst.pas, and compiles this to infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.

Infected SysConst.dcu files are detected as Mal/Induc-A, and infected SysConst.pas files as Mal/Induc-B. These behavioural genotype detections detect all infected versions that we are currently aware of. However, we would still like to see more samples of SysConst.dcu, SysConst.bak and SysConst.pas from any Delphi developers potentially affected by this virus, especially if you have customized versions of these units.

Further analysis of W32/Induc-A can be found in the following blog article: Compile-a-virus - W32/Induc-A

PLEASE NOTE: Because infected executables are produced at compile time by infected Delphi development environments, we are seeing many cases of infected files coming from genuine software vendors. These are not false positives. Clients and software developers seeking to understand why their software is being detected as W32/Induc-A should see this blog article.
