Win32/Induc [Threat Name]
Win32/Induc.C [Threat Variant Name]
Category | virus |
Size | 52736 B |
Detection created | Aug 16, 2011 |
Detection database version | 6383 |
Aliases | Virus.Win32.Induc.lg (Kaspersky), Win32.Induc.2 (Dr.Web) |
Short description
Win32/Induc.C is a virus which infects Delphi files at compile-time.
Installation
When executed, the virus copies itself into the following location:
- %appdata%\APMV\APMV.exe
The virus creates the following file:
- %startup%\APMV.lnk
The file is a shortcut to a malicious file.
This causes the virus to be executed on every system start.
The virus may create copies of itself using the following filenames:
- %temp%\%variable%
A string with variable content is used instead of %variable%.
The virus creates the following files:
- %malwarefilename%.id
- %malwarefilename%.dat
- %malwarefilename%.flag
File infection
Win32/Induc.C is a virus which infects Delphi files at compile-time.
The virus modifies the following file:
- %delphipath%\rtl\sys\SysInit.pas
The following file is dropped in the same folder:
- Defines.inc
The virus writes its own source code into the files.
The virus executes the following command:
- %delphipath%\bin\dcc32.exe -Q "%delphipath%\rtl\sys\System.pas" -M -Y -Z -$D- -0
The resulting file "%delphipath%\rtl\sys\System.dcu" contains the original source code along with the source code of the infiltration.
The virus creates copies of the following files (source, destination):
- %delphipath%\rtl\sys\System.dcu, %delphipath%\Lib\System.dcu
The virus replaces the content of the "%delphipath%\rtl\sys\SysInit.pas" file with its original data (just before it was modified).
The following files are deleted:
- %delphipath%\rtl\sys\SysInit.dcu
- %delphipath%\rtl\sys\System.dcu
A compiled program written in the Delphi programming language will also contain the program code of the infiltration.
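An added example, not part of the original description: a Python check for the on-disk artifacts listed under Installation and File infection. The three directory arguments and the known-good SHA-256 of Lib\System.dcu (taken from clean install media for the same Delphi version) are assumptions that the operator supplies.

```python
"""usage: check.py <delphi_root> <appdata> <startup_folder> [clean_sha256]"""
import hashlib
import sys
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, hex encoded."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def scan(delphi_root, appdata, startup, clean_system_dcu_sha256=None):
    """Return (indicator, path) pairs for artifacts named in the description.

    clean_system_dcu_sha256 is an assumption of this example: the hash of
    Lib/System.dcu from clean install media for the same Delphi version.
    """
    delphi, appdata, startup = Path(delphi_root), Path(appdata), Path(startup)
    named_files = [
        ("include file dropped next to SysInit.pas",
         delphi / "rtl" / "sys" / "Defines.inc"),
        ("self-copy", appdata / "APMV" / "APMV.exe"),
        ("startup shortcut", startup / "APMV.lnk"),
    ]
    findings = [(label, str(p)) for label, p in named_files if p.is_file()]

    # The recompiled unit is copied to Lib/System.dcu, so compare that file
    # with the clean reference instead of trusting its name or timestamp.
    lib_dcu = delphi / "Lib" / "System.dcu"
    if clean_system_dcu_sha256 and lib_dcu.is_file():
        if sha256_of(lib_dcu) != clean_system_dcu_sha256.lower():
            findings.append(("System.dcu differs from clean reference",
                             str(lib_dcu)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit(__doc__)
    for label, path in scan(*sys.argv[1:5]):
        print(f"{label}: {path}")
```

A finding is a lead to confirm with a scanner or by inspecting the file, since the check matches only the names and the hash mismatch described here.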
Executable file infection
The virus searches local drives for files with the following file extensions:
- .exe
It avoids drives which contain any of the following folders:
- %drive%\System Volume Information\
The virus infects the files by inserting its code at the beginning of the original program.
The size of the inserted code is 52736 B.
When an infected file is executed, the original program is dropped into a temporary file and run.
The name of the temporary file is:
- %currentfolder%\~.exe
The virus creates the following file:
- %currentfolder%\~.lnk
The file is a shortcut to a malicious file.
The virus executes the following command:
- %currentfolder%\~.lnk
Other information
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of 3 URLs.
The virus can download and execute a file from the Internet.
The file is stored in the following location:
- %temp%\%variable%
A string with variable content is used instead of %variable%.
The HTTP protocol is used.