http://www.giveawayoftheday.com/forums/topic/6009 Giveaway of the Day Forums » Topic: WIN32/inducA - with an APOLOGY by BINERUS ! en-US Sun, 12 Feb 2012 16:29:20 +0000 http://bbpress.org/?v=1.0.2 http://www.giveawayoftheday.com/forums/topic/6009/page/2#post-62940 Mon, 24 Aug 2009 22:51:42 +0000 Robert 62940@http://www.giveawayoftheday.com/forums/ <p>Thanks Eugene Kryukov.<br /> I honor you for coming to the forum!</p> <p>The main thing is those exes don't have a malicious payload and didn't infect our computer.<br /> And I don't suppose may of us have Delphi 4.0, 5.0, 6.0 or 7 installed.<br /> So simply deleting them exes will do.</p> <p>Btw I checked the new 3D Image Commander setup and it's clean.I hope maybe someday Binerus and GOTD will offer us this nifty program again! </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62907 Mon, 24 Aug 2009 12:59:03 +0000 notblocklox 62907@http://www.giveawayoftheday.com/forums/ <p>Hi and welcome to <strong>Eugene Kryukov,Binerus</strong> !<br /> Let me send a "<strong>Thank's</strong>" to you !<br /> Though this virus infection wasn't your mistake you come to us and apologise, not many developers found the way to our forums.<br /> Welcome back and I would be glad if you would give your programmes again to the GOTD project. <em>wink-wink</em><br /> Thank you!</p> <p>graylox </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62906 Mon, 24 Aug 2009 12:24:22 +0000 eugenekryukov 62906@http://www.giveawayoftheday.com/forums/ <p>Dear Sirs,</p> <p>I'm really sorry for the inconvenience.</p> <p>This virus is not dangerous.<br /> Please read more detail descriptions here -<br /> <a href="http://www.viruslist.com/en/weblog?weblogid=208187826" rel="nofollow">http://www.viruslist.com/en/weblog?weblogid=208187826</a><br /> <a href="http://www.delphipraxis.net/topic163041_virus+infects+delphi.html" rel="nofollow">http://www.delphipraxis.net/topic163041_virus+infects+delphi.html</a></p> <p>Please uninstall your current version and setup new one. </p> <p>All clean versions you can download from <a href="http://www.binerus.com" rel="nofollow">http://www.binerus.com</a></p> <p>Eugene Kryukov<br /> Binerus </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62819 Sun, 23 Aug 2009 07:16:38 +0000 caulbox 62819@http://www.giveawayoftheday.com/forums/ <p>Just to add a bit more reassurance for GOTD users. I've now scanned more than 2GB of older GOTD downloads which I'd burnt to DVD, and no other occurrences of the Win32.Induc.a virus were found.</p> <p>That said, I probably download more utilities than most, and I wouldn't be surprised if I encounter a few more occurrences of this virus later (in files downloaded from various sources on the net). I'll probably not bother to painstakingly scan all my DVDs, as I trust the "On-Access Scanning" behaviour in ZoneAlarm AntiVirus - and now that ZA has been made aware of this virus definition, as soon as I open a directory with an infected file ZA will immediately warn me.</p> <p>infotech - I don't have any experience with AVG (which may or may not be so reliable?), but I can tell you that scanning a partition with ZoneAlarm Antivirus will also find any copies of a virus which might have been 'backed up' in system restore points. I use (a lot) more partitions than most, but choose to monitor only my main system partition C: with system restore. That explains why no further presence of this virus was found (in system restore related files) after my earlier thorough scans of my system and program partitions - the original virus was located in my programs partition, not my system partition. Had I opted to enable system restore on my programs partition as well, then most likely (as with the OP here) ZoneAlarm AntiVirus would also have detected further copies of the virus in the system restore files for that partition. Hope that makes things a bit clearer? </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62775 Sat, 22 Aug 2009 23:47:58 +0000 watcher13 62775@http://www.giveawayoftheday.com/forums/ <p>Well, Flash, it's not that it was out of date, it's that it's brand new. You may have heard that many hackers are what are called "white" hackers. They develop these programs without a payload so they can get their jollies by just demonstrating the vulnerabilities. Though many wouldn't agree, they feel they're doing a good thing. (And they get to practice there favorite hobby at the same time.) I suspect that's what happened here. </p> <p>And, one of the principal reasons people turn to "white" hacking is that white hackers usually don't get prosecuted! And to be fair, sometimes these people point out security holes to the companies involved first, and the companies try to just bury it. Sometimes white hackers hack out of frustration. I hear this has happened to Microsoft more than once. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62770 Sat, 22 Aug 2009 23:17:45 +0000 FlashRiver 62770@http://www.giveawayoftheday.com/forums/ <p>Bravo to all who have commented on the W32/Induc-A virus issue. I have to give it to the developer of the virus. If it was a hackers test as “Watcher” suggest, it has passed with flying colors. It seems it very well may-haps been a timed activated little jewel indeed. It seems unlikely that of all the different types of antivirus programs we all are using that all of them had an out-of-date virus definition. I can however honestly say, I would gladly pay the makers of the virus twice what I would pay for either 3D Image Commander or Icon Commander after seeing its potential for mass confusion LOL<br /> thanks guys for your input...<br /> ~ Flash </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62759 Sat, 22 Aug 2009 20:52:21 +0000 watcher13 62759@http://www.giveawayoftheday.com/forums/ <p>Your welcome, infotech, actually a lot of good people posted useful stuff on this - which is not a criticism of you, I know you'll agree - I just didn't want to hog the limelight. </p> <p>Actually, I think Mr. Fishy makes a good point. It trips some people up on occasion. Another way to explain it is: if none of your previous automatic restore points were from before the time you got the infection - and there may be no way to insure when that was - then you might end up restoring some or all of the infection if you have to use a restore point to fix anything in the near future. So he's just saying to make sure you have a restore point from after you've done the cleaning. If your system hasn't already made an automatic one, go ahead and create a manual one. To me it's sound advice, and that way you have a good restore point if you need it. Actually, it's a good idea after most, if not all, repairs. And it really can't cause you any damage. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62737 Sat, 22 Aug 2009 15:19:13 +0000 infotech 62737@http://www.giveawayoftheday.com/forums/ <p>Watcher13 - I would like to thank you for your post. I greatly appreciated your response. I deleted/uninstalled 3D Icon Commander and 3 other applications that were infected running AVG. I then ran a full scan again and it came back without errors. I shut down the computer and have now running an AVG scan again.</p> <p>MrFishy - I haven't touched the restore points as I am not certain this is necessary. Perhaps Watcher13 or other experts could comment. Thank you anyway.</p> <p>Regards </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62681 Fri, 21 Aug 2009 20:37:03 +0000 pavid 62681@http://www.giveawayoftheday.com/forums/ <p>Thanks for the link caulbox. It is informative and helpful. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62679 Fri, 21 Aug 2009 20:01:49 +0000 caulbox 62679@http://www.giveawayoftheday.com/forums/ <p>The virus and an explanation for its non-detection is succinctly summed up in this avast! blog:<br /> <a href="http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/" rel="nofollow">http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/</a></p> <p>It could even prove fortunate that this (new?) malicious behaviour has opened the eyes of hitherto blind AV companies. Although the virus appears to be benign on this occasion.....</p> <p><em>"More of a worry is when the ‘developers’ of this virus take it to the next level and add a malicious ‘payload’ to the virus… "</em></p> <p>Let's hope any similar 'families' of dreads will be nipped in the bud in the future. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62676 Fri, 21 Aug 2009 19:20:34 +0000 watcher13 62676@http://www.giveawayoftheday.com/forums/ <p>Yeah, that's pretty much the way I understand it, pavid, and folks should note that sentence in the Kasperky article: "the infection of several versions of the popular instant messaging client QIP". I wonder how many around the world got the infection from that? In other words, it's still too early to identify the major culprits in spreading this infection. It's even still up in the air as to whether everyone who downloaded 3D Image Commander and Link Collecter actually got infected. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62674 Fri, 21 Aug 2009 19:09:57 +0000 pavid 62674@http://www.giveawayoftheday.com/forums/ <p>I agree with you Watcher. If it's anybody's fault, it's that of whomever was able to introduce the virus into Delphi. <strong><em>GOTD is not at fault for this problem.</em></strong> Additionally, nothing I've read suggests this "virus" actually does anything. I didn't use 3D Image Commander right after I installed it and I saw no warnings from my security package that it had attempted to phone home. Additionally this virus never spread beyond 3D Image Commander except for the EXPECTED inclusion in System Volume Information files.</p> <p>My take on it is that someone introduced the virus into Delphi just to see how far it would be distributed. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62670 Fri, 21 Aug 2009 18:36:00 +0000 watcher13 62670@http://www.giveawayoftheday.com/forums/ <p>I hope I'm being clear about this. It infected the softwares listed here because they were written in Delphi, and maybe only the CodeGear brand version. Nothing not written in that language can be infected by this. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62667 Fri, 21 Aug 2009 18:12:10 +0000 caulbox 62667@http://www.giveawayoftheday.com/forums/ <p>OK - I use a separate partition for storing the stuff I've downloaded (until burnt). I've just scanned my GOTD downloads with ZoneAlarm AntiVirus, and I can confirm that the Win32.Induc.a virus was indeed found in the GOTD "setup.exe" files for both "Icon Commander 1.10" and "3D Image Commander" (I didn't install 3D Image Commander on my system - but I still had an unzipped copy of the original GOTD archive). I didn't download "LinkCollector" so can't comment about that one. However the GOTD download folder which I've just scanned did include a total of 91 other recent GOTDs, and 'only' these two files were found to be infected. </p> <p>Virus.Win32.Induc.a was found in I:\Utils 14\! GOTD !\Utilities\3D Image Commander\Setup.exe on 21/08/2009 18:02:50<br /> Virus.Win32.Induc.a was found in I:\Utils 14\! GOTD !\Utilities\Icon Commander 1.10\Setup.exe on 21/08/2009 18:25:28</p> <p>Unlike before when I was successfully able to repair my installed Icon Commander executable (iconcommander.exe) it was not possible to disinfect the virus in the setup.exe files with ZA. I opted instead to instruct ZA to delete the infected files completely. I'll most likely get around to scanning my burnt GOTD DVDs (where I also keep archives) in the next day or two. I'll report back again here if any further infections are found in older archives. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62663 Fri, 21 Aug 2009 17:23:18 +0000 watcher13 62663@http://www.giveawayoftheday.com/forums/ <p>The best advice I can give you is: "Don't Panic". I can't advise you not to be cautious. You might want to bite the bullet and remove any infected software, but you're not under any current threat. This article from Kasperky's website is the best explanation I've seen, yet:</p> <p>"Kaspersky Lab, a leading developer of secure content management systems, reports detection of Virus.Win32.Induc.a, a virus that spreads via CodeGear Delphi, an integrated software development environment. Protection from the latest threat is already available in all Kaspersky Lab products. Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables.</p> <p>The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu.</p> <p>Practically all Delphi projects include the string “use SysConst”, which means the infection of only one system module results in the infection of all applications under development. In other words, the modified SysConst.dcu file causes all subsequent programs created in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted.</p> <p><strong>The virus is not currently a threat – there is no destructive behavior apart from infection.</strong> (emphasis added by me)</p> <p>It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu files by developers has already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive. Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables."</p> <p>The best advice may be to report any infected program you find to the developer, who will go to work to insulate it from this vulnerability. In the case of the GOTDs, the developers may issue passes or you'll at least have a shot at a safer version if the giveaway is repeated. The CodeGear people - Embarcadero Technologies haven't said anything yet, but they could be working on a patch, so you might want to risk it and hold on to these programs. But you're in no immediate danger. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62662 Fri, 21 Aug 2009 17:03:25 +0000 MrFishy 62662@http://www.giveawayoftheday.com/forums/ <p>Infotech . . . I think you also need to dump old restore points and create a clean one, or the issue may be restored on your next re-boot? Probably want to run an additional full scan prior to setting new restore point.<br /> I'm no tech, so confirm this "thought". </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62660 Fri, 21 Aug 2009 16:50:56 +0000 judydog 62660@http://www.giveawayoftheday.com/forums/ <p>Hi,I also have 3d image commander downloaded from gaotd but I have scanned it to death with avira premium,mawarebytes,advanced system protector and iobit 360 all come back clean and all are fully updated with the latest defs. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62653 Fri, 21 Aug 2009 15:29:07 +0000 triphammer 62653@http://www.giveawayoftheday.com/forums/ <p>I have AVG and when I turned on my computer this morning it's showing WIN32/inducA as a virus present in 3d Image commander and Icon commander. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62649 Fri, 21 Aug 2009 14:41:19 +0000 infotech 62649@http://www.giveawayoftheday.com/forums/ <p>Hi - AVG has just reported the virus in Image Commander - it sent the virus to the vault and I have uninstalled it. I am not an expert on virus removal. Is there anything else I should be doing? Many thanks. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62637 Fri, 21 Aug 2009 10:27:37 +0000 caulbox 62637@http://www.giveawayoftheday.com/forums/ <p>Another ditto with Icon Commander, which does suggest that at least this one executable might have already been infected when downloaded from GOTD? Again, after a recent definition update, ZoneAlarm interrupted me a couple of days ago with the warning about the file. On this occasion I was able to (manually) repair the file successfully with ZA (usually I need to delete a virus). I hadn't used Icon Commander for a long time, and I immediately followed the disinfection with a thorough scan of my system and program partitions. Fortunately, no further infections were found, though I do use a Delphi program very frequently (Empty Temp Folders which uses Borland Delphi 4). </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62635 Fri, 21 Aug 2009 09:45:01 +0000 ramfisher65 62635@http://www.giveawayoftheday.com/forums/ <p>i also have this ,but I i have never downloaded fron GOTD, but I have game booster from IObit and keeps showing up. my next move? </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62627 Fri, 21 Aug 2009 06:35:55 +0000 judydog 62627@http://www.giveawayoftheday.com/forums/ <p>Hi,I have game booster and mine is showing up clean,I download a lot of programs from gaotd and the only one that had this virus? was Icon commander. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62618 Fri, 21 Aug 2009 03:02:06 +0000 Terri218 62618@http://www.giveawayoftheday.com/forums/ <p>I got it also and I never downloaded anything from GOTD but it said it was in Game Booster which I'm pretty sure I found from a recommendation here. I took Game Booster off my computer. Was I being too cautious? </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62617 Fri, 21 Aug 2009 02:21:37 +0000 watcher13 62617@http://www.giveawayoftheday.com/forums/ <p>Yeah, Robert, it's accepted by many that Avira has the most aggressive heuristics of the major AVs, although I still think it's worth the trouble.</p> <p>MORE IMPORTANTLY, it looks like WIN32/Induc is currently harmless. It looks like it was a hacker test just to prove it could be done, because no one has described this as doing any damage. Of course, they may try to do something with it later, but now the programming and AV and security communities are alerted and mobilized. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62601 Thu, 20 Aug 2009 22:30:32 +0000 Robert 62601@http://www.giveawayoftheday.com/forums/ <p>I agree watcher.The supposed infected files most probably were not infected when they were downloaded from GOTD.<br /> I 'd suggest getting a second opinion though and upload the quarantined files to <a href="http://www.virustotal.com" rel="nofollow">http://www.virustotal.com</a> (<strong>and </strong> to your antivirus company) for analysis to make sure.</p> <p>And some antivirus programs produce a lot of false positives if their definition files are updated incorrectly or their heuristics are too strict.<br /> I even dumped an antivirus in the past because even when submitting a 'clean' file for analysis, the company didn't bother to update their definitions files within a reasonable period. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62597 Thu, 20 Aug 2009 21:53:58 +0000 watcher13 62597@http://www.giveawayoftheday.com/forums/ <p>The problem, pavid, is whether the infection was in the files when you downloaded them or whether you picked it up from somewhere else - and it spread to anything on your computer written in Delphi. That's assuming, of course, these two are written in that language. No offense meant. Since this virus has just been identified, it may be a lot more prevalent than we know. I agree, however, that I hope GOTD sees this and retests those files. Maybe someone should send them an email on this, with a link to this thread. However, I don't even know if GOTD keeps these old programs on file or erases them after the giveaway. (?) </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62582 Thu, 20 Aug 2009 18:07:12 +0000 judydog 62582@http://www.giveawayoftheday.com/forums/ <p>Hi,this is strange because I have 3d image commander but avira says it is clean(fully updated) but I got the same warning for Icon commander. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62579 Thu, 20 Aug 2009 17:40:01 +0000 pavid 62579@http://www.giveawayoftheday.com/forums/ <p>I ran into the same problem when new virus definitions were installed on my computer on the 18th and a full system scan was performed. The vector on my machine was 3D Image Commander. My computer continues to run normally so I'm not going to panic although I feel that GOTD should address this quickly which I think everyone would appreciate. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62577 Thu, 20 Aug 2009 17:27:24 +0000 watcher13 62577@http://www.giveawayoftheday.com/forums/ <p>That's great stuff, alhall. YepperDepper, probably unintentionally posted this thread twice. On the other one, I've reproduced Avira's official release on the subject, saying that ComputerBild magazine and the Chip website were giving away infected files:</p> <p><a href="http://www.giveawayoftheday.com/forums/topic/6008#post-62567" rel="nofollow">http://www.giveawayoftheday.com/forums/topic/6008#post-62567</a></p> <p>Maybe the moderators, when they see this, can consolidate the posts. </p> <p>BTW,Graylox also said in the German forum she saw a low priority Kasperky hit on this. Nobody's said, yet, how much damage this could do, if much at all. </p> http://www.giveawayoftheday.com/forums/topic/6009#post-62574 Thu, 20 Aug 2009 17:17:47 +0000 alhall 62574@http://www.giveawayoftheday.com/forums/ <p>Ditto here with Linkcollector. This appears to be a new type of virus that infects apps written in Delphi. Th3ere are many new posts about it via Google. Here's an overview:</p> <p>Richard Cohen, one of the analysts at SophosLabs, blogged yesterday about a curious piece of malware designed to infect applications written using Delphi (a variant of the Pascal language originally developed by Borland, and now used to quickly develop Windows programs such as database applications).</p> <p>The W32/Induc-A virus inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable.</p> <p>Since yesterday, Sophos has received over 3000 unique infected samples of programs infected by W32/Induc-A from the wild.. This makes us believe that the malware has been active for some time, and that a number of software houses specialising in developing applications with Delphi must have been infected.</p> <p>Examples of infections have included applications that submitters have described as:</p> <p> * "A tool for downloading configuration files onto GSM modules"<br /> * "A compiler interface that operates between our third-party design software and our CNC woodworking machinery"</p> <p>Delphi code</p> <p>In addition, and quite ironically, we have seen a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.</p> <p>Could it be that the malware has also hit other malware authors?</p> <p>Delphi is frequently used to create bespoke software, either by small software houses or by internal teams. If you believe that you may be using software written in Delphi you would be very wise to ensure that your anti-virus software is updated. Actually, regardless of whether you use Delphi-written apps that's a good idea.</p> <p>And if you do find a W32/Induc-A infection in one of your programs, speak to its developers immediately - as it's quite possible they have also been passing an infection on to other customers.</p> <p>Let me reiterate - this virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected.<br /> Posted on August 19th, 2009 by Graham Cluley, Sophos </p>