BitDefender weekly review – Is the Delphi virus harmful?
Win32.Induc.A
The virus spreads by infecting Delphi development environments (versions 4 through 7). When an infected executable is run, the virus checks the registry for specific Delphi entries and, if they are found, extracts the version and installation path of the compiler, provided the version is supported.
Next, it copies %delphi_install_path%\Source\Rtl\Sys\SysConst.pas to %delphi_install_path%\Lib\SysConst.pas and adds its malicious code to the implementation section of the copy. The file is then compiled, which results in an infected SysConst.dcu (Delphi compiled unit). The original SysConst.dcu is copied to SysConst.bak beforehand. The source file (SysConst.pas) is deleted after compilation.
As SysConst.dcu is included in every compiled file, all of the resulting executables will contain the virus code.
Win32.Induc.A takes no action if the computer doesn't contain any Delphi installation.
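The file operations described above leave traces in the compiler's Lib directory that a defender can check for. The following is an added example, not BitDefender's tooling: the function names are hypothetical, the install path is supplied by the caller, and it assumes a clean installation has neither SysConst.bak nor SysConst.pas in Lib.

```python
import hashlib
import sys
from pathlib import Path


def find_ci(directory: Path, name: str):
    """Case-insensitive lookup of a file in a directory (None if absent)."""
    if not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_delphi_install(root) -> list:
    """Return findings for one Delphi install root (empty list = no traces)."""
    lib = Path(root) / "Lib"
    findings = []
    dcu = find_ci(lib, "SysConst.dcu")
    bak = find_ci(lib, "SysConst.bak")
    pas = find_ci(lib, "SysConst.pas")
    if bak:
        # The article says the original unit is saved as SysConst.bak.
        findings.append(f"backup of original unit present: {bak}")
        if dcu and sha256(dcu) != sha256(bak):
            findings.append(f"{dcu.name} differs from {bak.name}: unit was recompiled")
    if pas:
        # Normally deleted after compilation; a leftover copy means the
        # sequence was interrupted part-way.
        findings.append(f"unexpected source copy in Lib: {pas}")
    return findings


if __name__ == "__main__":
    # Usage: python check_induc.py <delphi_install_path> [more paths...]
    for install in sys.argv[1:]:
        results = check_delphi_install(install)
        print(install, "->", "SUSPICIOUS" if results else "no traces found")
        for line in results:
            print("   ", line)
```

A hit means the development machine and every executable built on it since the change should be rescanned with an up-to-date antivirus product.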
Trojan.FakeAv.QF
Another rogue security product plagues users this week. Intuitively called Total Security (a play on BitDefender's Total Security product line), the fake antivirus tries to trick users into installing it.
When first run, the malware copies itself to c:\Documents and Settings\All Users\Application Data\[Rnd8]\[Rnd8].exe and executes a batch script to delete the original file.
It makes changes to the registry to ensure it is executed at every system startup.
Then it starts a fake scan of the system, presenting the same hard-coded "infections" to the user regardless of the computer's state.
In order to "clean" the system, the user is forced to pay for the software. The e-threat also randomly closes processes and marks them as infected.
Information in this article is available courtesy of BitDefender virus researchers: Dana Stanut and Horea Coroiu.
Copyright 2011. Site powered by Bitdefender