SOURCE: BitDefender


August 19, 2009 14:10 ET

BitDefender Finds Win32.Induc.A Puts Delphi Compilers at Risk and Compromises Legitimate Applications

BUCHAREST, ROMANIA--(Marketwire - August 19, 2009) - BitDefender®, an award-winning provider of innovative anti-malware security solutions, today announced the discovery of a threat that directly affects many applications, including TabBrowser v1.0, GreenOpen, WebMoney Keeper Classic v3.7.0.0, Tidy Favorites v4.1 and any TV Free v2.41. The applications were being distributed with the virus code already embedded, due to an unusual trick employed by the malware author or authors.

The virus, called Win32.Induc.A, spreads by infecting systems that have the Delphi compiler (versions up to 7.0) installed. Any programs which are subsequently compiled using the compromised compiler contain the virus code. Although no payload is dropped or malicious action taken other than self-reproduction, the spreading of this virus to installer packages proves that this extremely unusual infection vector is, in fact, valid and relevant today, raising concerns that it will eventually be used to nefarious purposes.

When executed, the virus searches for valid Delphi compiler versions and, if found, creates a SysConst.pas file inside the compilers \Lib folder. It writes its code inside it, then renames the SysConst.dcu into SysConst.bak. The .pas file will be compiled then deleted. The resulting SysConst.dcu is used by the compiler in every compilation act, which automatically creates infected executables by including the malicious code from inside the SysConst.dcu.

An interesting aspect about the epidemic is that not only legitimate applications have been infected. BitDefender antivirus researchers found that several members of the Trojan.Banker malware "family" have been compromised by Win32.Induc.A.

Detected by BitDefender as Trojan.Downloader.JMGZ, Trojan.Spy.Banker.ABWA - ABWC, Trojan.Spy.Banker.ABWK - ABWQ and so on, these trojans target local banks, namely Caixa -- Spain's biggest savings bank and Bradesco -- a notable bank in Brazil.

Delphi developers are advised to check if their compilers' \Lib folder contains a SysConst.bak file (the most obvious sign of infection) and to rename it to SysConst.pas if it exists, overwriting the compromised file, then recompile their applications.

About BitDefender®

BitDefender is the creator of one of the industry's fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention. Every day, BitDefender protects tens of millions of home and corporate users across the globe -- giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products are available at the company's security solutions press room. Additionally, BitDefender's provides background and the latest updates on security threats helping users stay informed in the everyday battle against malware.