Thursday, 20 August 2009

DELPHI-IDE and the Virus INDUC.A... !!!

Some days ago I read on a German page a report about the infected Delphi 4.0-7.0 IDE ...
Well, I work with Delphi 2007-2009, and only from my legal version, no hack or anything else, and I have a good (I hope..) virus scanner. And in the hot summer this information is for the press a thing that they can publish ..

But today I realized that this can be a real problem... in one of our departments an application (from a card-machine vendor) that is written in Delphi is active. I receive every virus alert from the virus server by email, and this is the mail from this night (after updating the pattern from TrendMicro) while the backup runs and copies the folder to the Ultrium drive:

Well, the application is definitely infected with the virus, and the vendor of the application has admitted: yes, they have an infected Delphi active ...

Result: be careful with other applications in your network.... and update the virus pattern...


Sent: Thursday, 20 August 2009 22:23
To:
Subject: Virus/Malware detected

Virus/Malware: PE_INDUC.A
Computer: WALLY
Domäne: Domlla
Datei: D:\app_folder...\Data$$$$$$$Service.exe
Datum/Zeitpunkt: 20.08.2009 22:22:29
Ergebnis: Es wurde ein Virus entdeckt. Quarantäne nicht möglich.
---------------------------------------------------
Virus/Malware: PE_INDUC.A
Computer: WALLY
Domäne: Domlla
Datei: D:\$$$$$\Classic.dll
Datum/Zeitpunkt: 20.08.2009 22:22:30
Ergebnis: Quarantäne
---------------------------------------------------
Virus/Malware: PE_INDUC.A
Computer: WALLY
Domäne: Domlla
Datei: D:\$$$$$$\G$$$$$.dll
Datum/Zeitpunkt: 20.08.2009 22:22:35
Ergebnis: Quarantäne
---------------------------------------------------
Virus/Malware: PE_INDUC.A
Computer: WALLY
Domäne: Domlla
Datei: D:\$$$$$$\$$$$$$ctor.exe
Datum/Zeitpunkt: 20.08.2009 22:22:40
Ergebnis: Quarantäne
---------------------------------------------------
Virus/Malware: PE_INDUC.A
Computer: WALLY
Domäne: Domlla
Datei: D:\$$$$$\paycon.dll
Datum/Zeitpunkt: 20.08.2009 22:22:40
Ergebnis: Quarantäne

4 comments:

thomas pfister said…

I've received some emails from Delphi developers who found my blog post about the TrendMicro virus name and Delphi and asked for a solution;
look for a file called sysconst.bak, rename the .dcu file to ".bad" and copy the .bak into the .dcu file; perhaps this helps...

Anonymous said…

Leave the sysconst.bak file as is and replace the sysconst.dcu with a copy of the sysconst.bak file.
If the same virus sees in the future that you have sysconst.bak, it will not infect you again.
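The two comments above describe the same manual fix: look for a sysconst.bak next to sysconst.dcu in a Delphi lib directory, set the compiled .dcu aside as .bad, and copy the .bak back. The script below is an added example (not the blog author's, the commenters' or any vendor's tool) that scans a tree for that marker and applies the fix, with a dry-run default; the directory layout it builds is constructed for the demo, and the Delphi7/Lib and Delphi2007/lib paths are assumptions.

```python
# Added example: find Delphi lib dirs carrying the sysconst.bak marker and
# restore sysconst.dcu from it, as the blog comments describe.
import os
import shutil
import tempfile
from pathlib import Path

def find_suspect_lib_dirs(root):
    """Return dirs under root holding both sysconst.dcu and sysconst.bak (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if "sysconst.dcu" in names and "sysconst.bak" in names:
            hits.append(Path(dirpath))
    return sorted(hits)

def restore_sysconst(lib_dir, dry_run=True):
    """Apply the comments' fix in one lib dir; returns the list of actions."""
    lib_dir = Path(lib_dir)
    by_lower = {p.name.lower(): p for p in lib_dir.iterdir() if p.is_file()}
    dcu, bak = by_lower.get("sysconst.dcu"), by_lower.get("sysconst.bak")
    if dcu is None or bak is None:
        return []  # no marker, or the unit was already replaced
    bad = dcu.with_suffix(".bad")
    actions = [f"rename {dcu.name} -> {bad.name}", f"copy {bak.name} -> {dcu.name}"]
    if not dry_run:
        dcu.rename(bad)         # keep the suspect compiled unit aside for analysis
        shutil.copy2(bak, dcu)  # .bak stays in place, as the second comment advises
    return actions

def demo():
    """Constructed layout: one lib dir with the marker, one without."""
    root = Path(tempfile.mkdtemp())
    infected = root / "Delphi7" / "Lib"      # assumed path, constructed for the demo
    clean = root / "Delphi2007" / "lib"      # assumed path, constructed for the demo
    for d in (infected, clean):
        d.mkdir(parents=True)
    (infected / "SysConst.dcu").write_bytes(b"compiled-with-extra-code")
    (infected / "SysConst.bak").write_bytes(b"original-unit")
    (clean / "SysConst.dcu").write_bytes(b"original-unit")
    suspects = find_suspect_lib_dirs(root)
    actions = [restore_sysconst(d, dry_run=False) for d in suspects]
    return {
        "suspects": ["/".join(d.relative_to(root).parts) for d in suspects],
        "actions": actions,
        "restored": (infected / "SysConst.dcu").read_bytes(),
        "kept_bad": (infected / "SysConst.bad").exists(),
        "bak_kept": (infected / "SysConst.bak").exists(),
    }
```

Run `find_suspect_lib_dirs` over your Delphi installation root with the default dry run first and review the reported directories before restoring anything.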

GSA said…

The tool from http://www.gsa-online.de/eng/delphi_induc_cleaner.html could remove the Win32/Induc.A virus from the executables and leave them runnable,
in case you have only the executable and no source to recompile it.