Win32/Induc [Threat Name]

Win32/Induc.C [Threat Variant Name]

Category: virus
Size: 52736 B
Detection created: Aug 16, 2011
Signature database version: 6383
Aliases: Virus.Win32.Induc.lg (Kaspersky), Win32.Induc.2 (Dr.Web)

Short description

Win32/Induc.C is a virus which infects Delphi files at compile-time.

Installation

When executed, the virus copies itself into the following location:

  • %appdata%\APMV\APMV.exe

The virus creates the following file:

  • %startup%\APMV.lnk

The file is a shortcut to a malicious file.

This causes the virus to be executed on every system start.


The virus may create copies of itself using the following filenames:

  • %temp%\%variable%

A string with variable content is used instead of %variable%.


The virus creates the following files:

  • %malwarefilename%.id
  • %malwarefilename%.dat
  • %malwarefilename%.flag

File infection

Win32/Induc.C is a virus which infects Delphi files at compile-time.


The virus modifies the following file:

  • %delphipath%\rtl\sys\SysInit.pas

The following file is dropped in the same folder:

  • Defines.inc

The virus writes its own source code into the files.


The virus executes the following command:

  • %delphipath%\bin\dcc32.exe -Q "%delphipath%\rtl\sys\System.pas" -M -Y -Z -$D- -0

The resulting file "%delphipath%\rtl\sys\System.dcu" contains the original source code along with the source code of the infiltration.


The virus creates copies of the following files (source, destination):

  • %delphipath%\rtl\sys\System.dcu, %delphipath%\Lib\System.dcu

The virus replaces the content of the "%delphipath%\rtl\sys\SysInit.pas" file with its original data (just before it was modified).


The following files are deleted:

  • %delphipath%\rtl\sys\SysInit.dcu
  • %delphipath%\rtl\sys\System.dcu

A compiled program written in the Delphi programming language will also contain the program code of the infiltration.

Executable file infection

The virus searches local drives for files with the following file extensions:

  • .exe

It avoids drives which contain any of the following folders:

  • %drive%\System Volume Information\

The virus infects the files by inserting its code at the beginning of the original program.


The size of the inserted code is 52736 B.


When an infected file is executed, the original program is dropped into a temporary file and run.


The name of the temporary file is:

  • %currentfolder%\~.exe

The virus creates the following file:

  • %currentfolder%\~.lnk

The file is a shortcut to a malicious file.


The virus executes the following command:

  • %currentfolder%\~.lnk
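
A triage sweep for the fixed-name artifacts listed above, added here as an example and not taken from the vendor description. The function names are hypothetical, and the check for a second MZ header at offset 52736 assumes the original program is stored unmodified directly after the inserted code, which the description does not state.

```python
import os
import tempfile

PREFIX_SIZE = 52736  # size of the inserted code, as stated in this description

def artifact_paths(appdata, startup, delphipath):
    """Fixed-name files this description says the virus creates or drops."""
    return [
        os.path.join(appdata, "APMV", "APMV.exe"),
        os.path.join(startup, "APMV.lnk"),
        os.path.join(delphipath, "rtl", "sys", "Defines.inc"),
    ]

def looks_prepended(path):
    """Assumed heuristic: the host's own MZ header sits right after the prefix."""
    try:
        with open(path, "rb") as f:
            if f.read(2) != b"MZ":
                return False
            f.seek(PREFIX_SIZE)
            return f.read(2) == b"MZ"  # short files read b"" here
    except OSError:
        return False  # unreadable or locked file: no finding

def sweep(appdata, startup, delphipath, scan_root):
    """Return (kind, path) leads for triage; a hit is not a verdict."""
    found = [("artifact", p) for p in artifact_paths(appdata, startup, delphipath)
             if os.path.isfile(p)]
    for folder, _dirs, files in os.walk(scan_root):
        for name in sorted(files):
            full = os.path.join(folder, name)
            if name.lower() in ("~.exe", "~.lnk"):
                found.append(("temp-host", full))
            elif name.lower().endswith(".exe") and looks_prepended(full):
                found.append(("prepended", full))
    return found

def demo():
    """Run the sweep over a constructed tree (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "delphi", "rtl", "sys")
        os.makedirs(sys_dir)
        open(os.path.join(sys_dir, "Defines.inc"), "wb").close()
        with open(os.path.join(root, "host.exe"), "wb") as f:
            f.write(b"MZ".ljust(PREFIX_SIZE, b"\0") + b"MZ" + b"\0" * 64)
        hits = sweep(root, root, os.path.join(root, "delphi"), root)
        return [(kind, os.path.relpath(p, root)) for kind, p in hits]
if __name__ == "__main__":
    print(demo())
```

A "prepended" hit on an installer or self-extracting archive can be coincidental, so confirm with a current signature scan before acting on it.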

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of 3 URLs.


The virus can download and execute a file from the Internet.


The file is stored in the following location:

  • %temp%\%variable%

A string with variable content is used instead of %variable%.


The HTTP protocol is used.
