W32/Induc-C

Category: Viruses and Spyware
Protection available since: 16 Sep 2011 10:28:45 (GMT)
Type: Win32 executable file virus
Last Updated: 16 Sep 2011 10:28:45 (GMT)
Prevalence: Small Number of Reports


W32/Induc-C is a virus infecting executable files and core source units of the Delphi compiler.

W32/Induc-C includes functionality to spread via removable drives.

Please note that the infection of Delphi installations means that infected software developers will be producing software infected at compile time. Therefore, as with Mal/Induc-A and W32/Induc-A, there may be detections of W32/Induc-C and Mal/Induc-D on software published by legitimate software houses. These are not false positives. Customers with infected software should contact the software vendor to inform them of the infection and ask the vendor to clean up their Delphi installation and compile new, clean versions of the software.

For further information please see descriptions for Mal/Induc-A, W32/Induc-A and the following blog articles:

  • http://nakedsecurity.sophos.com/2009/08/21/guest-blog-induc-infections/
  • http://nakedsecurity.sophos.com/2009/08/20/sophos-false-alarming-delphi-induc-virus/
  • http://nakedsecurity.sophos.com/2009/08/19/w32induca-infection-people/

W32/Induc-C differs from earlier Induc variants by targeting the system.pas and sysinit.pas source code, and the corresponding system.dcu and sysinit.dcu units. SophosLabs are very keen to receive samples of infected versions of these units from infected Delphi software developers.

SophosLabs are also very keen to receive more samples of W32/Induc-C and Mal/Induc-D. Please submit samples of all files detected as W32/Induc-C and Mal/Induc-D to Sophos.

 

Examples of W32/Induc-C include:

Example 1

File Information

Size: 38K
SHA-1: 036446273db6c17ac7f5f3f947a6e62a63386671
MD5: 44f3bfb43d3586a1f8f7891c597f95c3
CRC-32: 17f54dfe
File type: application/x-ms-dos-executable
First seen: 2011-09-13

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\APMV\APMV.exe
Dropped Files
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\APMV.lnk
  • c:\Documents and Settings\test user\Application Data\APMV\RCX3.tmp
  • c:\Documents and Settings\test user\Application Data\APMV\RCX2.tmp

Example 2

File Information

Size: 38K
SHA-1: 0688856c9013291276c08130a4dc11b873550ae7
MD5: 4a33c444c9415dc64f2d4a00913a5e19
CRC-32: 87ea9051
File type: application/x-ms-dos-executable
First seen: 2011-09-13

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\APMV\APMV.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\APMV\RCX3.tmp
    Size: 38K
    SHA-1: 0d15c52ec4918fd2ca0552719cd6fde5ccc851e2
    MD5: 127db5cd46370ad4419f0bb28e9daf8c
    CRC-32: 33020153
    File type: application/x-ms-dos-executable
    First seen: 2011-09-13
  • c:\Documents and Settings\test user\Application Data\APMV\RCX2.tmp
    Size: 38K
    SHA-1: ca9a6d59dfedd4879c74826d53e07c9489e636e1
    MD5: 0f64d2570745eacc2564bba0dc67ab4a
    CRC-32: ec72136a
    File type: application/x-ms-dos-executable
    First seen: 2011-09-13
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\APMV.lnk
    Size: 842
    SHA-1: 4ba64e159fe51a8e53ca9eff22e211de014c86da
    MD5: d1e4f1d26a652e9fb82c7bc1960773a9
    CRC-32: 7c5f360b
    File type: application/octet-stream
    First seen: 2011-09-13
  • c:\Documents and Settings\test user\Application Data\APMV\RCX4.tmp

Example 3

File Information

Size: 29K
SHA-1: 0b6dcf26797e38785e7f4af3590c0d18c250b74b
MD5: 4d557ef2a4dc78ef8877eacc945f63d9
CRC-32: 9d622976
File type: application/x-ms-dos-executable
First seen: 2011-09-13

Other vendor detection

Kaspersky: Virus.Win32.Induc.lg

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\APMV\APMV.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\APMV\RCX3.tmp
    Size: 29K
    SHA-1: f771a3edd8be2cd646662612a6dac2871d4ccbf9
    MD5: b3226322edd923f7c0e42cd86bedd14f
    CRC-32: c3ff411c
    File type: application/x-ms-dos-executable
    First seen: 2011-09-14
  • c:\Documents and Settings\test user\Application Data\APMV\RCX2.tmp
    Size: 29K
    SHA-1: 422e2290cfae908a5919e78742bf44adf3866399
    MD5: 2690b2ff1d1093b91084d4ba726270d0
    CRC-32: b58aa669
    File type: application/x-ms-dos-executable
    First seen: 2011-09-14
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\APMV.lnk
    Size: 842
    SHA-1: 52ba80a1f526260454cb84451e239206d68db46d
    MD5: 948dc65c096d7bb360684346e8a3de4c
    CRC-32: 72970847
    File type: application/octet-stream
    First seen: 2011-09-14
