A virus for Delphi programmers (Win32/Induc-A)
bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...

Posted: 20 Aug 2009 13:28    Subject: A virus for Delphi programmers (Win32/Induc-A)

F-Secure wrote:
Interesting move recently found being used by a malware targeting Delphi.

The malware first checks if the Delphi version is between 4 to 7, then replaces $DELPHI_DIR$\source\rtl\sys\SysConsts.pas and writes malicious code there. After this, SysConsts.pas is deleted.

The malware saves a clean copy of SysConsts.dcu as SysConst.bak and adds a call to its own init function at the entrypoint of the SysConsts.dcu library.

Subsequently, whenever the compiled program is executed, if SysConst.bak is not found the malicious code in the program tries to re-infect Delphi.

In this case, the malware is basically just ensuring that Delphi stays infected. Still, it's another mechanism to spread malware around.

We currently detect this as: Virus.Win32.Induc.a.

Basically, the virus looks for a Delphi installation (4-7) and, if it finds one, replaces the files SysConst.pas and SysConst.dcu with their respective infected versions.
From that moment on, every program compiled will contain the virus.

For a further analysis of the virus:
Quote:
Induc, the innovative file infector

We recently added detection for a file infector to our databases, for something we call Virus.Win32.Induc.a. Since then, we've had a load of questions about it. It doesn't currently have a malicious payload, and it doesn't directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine, looking for versions 4.0, 5.0, 6.0 and 7.0.

If the malware does find one of these Delphi versions, it copies SysConst.pas to \Lib and writes its code to it. It then makes a backup of SysConst.dcu, calling it SysConst.bak (dcu files are kept in \Lib). It then compiles \Lib\SysConst.pas giving an infected version of SysConst.dcu. The modified .pas file gets deleted.

The result? Any Delphi program compiled on the computer gets infected. (We've already had a company contacting us to complain about something they thought was a false positive.) Maybe this particular virus isn't that much of a threat: it's not the first time we've seen this propagation method, the code itself is primitive, there's no other payload, and there are far easier ways to infect machines. But in the past we've seen new infection routines get picked up, tweaked, and taken further. We'll be keeping an eye on this one, just in case.
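The quoted analyses describe the filesystem side effects Induc leaves on a Delphi 4-7 installation: a clean SysConst.dcu backed up as Lib\SysConst.bak, a recompiled (infected) SysConst.dcu in its place, and a SysConst.pas copied into Lib and then deleted. The script below is an added example, not code from the post or from F-Secure/Kaspersky: it checks an install tree for exactly those indicators and reports findings. The Delphi root path, the Lib layout and the constructed demo tree (the .dcu bytes are made up) are assumptions for the demonstration; a real check would point `check_delphi_install` at the actual Delphi directory.

```python
r"""Filesystem triage for the Win32/Induc-A pattern on a Delphi 4-7 install.

Added example, not code from the forum post or the F-Secure/Kaspersky write-ups
it quotes. It checks only the side effects those write-ups describe:
  - Lib\SysConst.bak exists (the virus's backup of the clean SysConst.dcu),
  - Lib\SysConst.dcu differs from that backup (unit recompiled with injected code),
  - Lib\SysConst.pas is still present (normally deleted by the virus; a leftover
    copy still means the install was tampered with).
The Delphi root path and the demo tree built below are assumptions for the demo.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large .dcu files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_delphi_install(delphi_root):
    """Return a list of findings; an empty list means no Induc indicators were found."""
    lib = os.path.join(delphi_root, "Lib")
    dcu = os.path.join(lib, "SysConst.dcu")
    bak = os.path.join(lib, "SysConst.bak")
    pas = os.path.join(lib, "SysConst.pas")
    findings = []

    if os.path.isfile(bak):
        findings.append("Lib\\SysConst.bak present: backup written by Induc before recompiling")
        # The backup is the clean unit; a SysConst.dcu that differs from it is the
        # recompiled one and should be treated as infected.
        if os.path.isfile(dcu) and sha256_of(dcu) != sha256_of(bak):
            findings.append("Lib\\SysConst.dcu differs from SysConst.bak: recompiled unit, treat as infected")

    if os.path.isfile(pas):
        # Stock installs keep this source under Source\Rtl\Sys, not in Lib.
        findings.append("Lib\\SysConst.pas present: source copied into Lib, normally deleted after recompiling")

    return findings


def build_demo_tree(infected):
    """Constructed stand-in for a Delphi 7 install tree; the file contents are made up."""
    root = tempfile.mkdtemp(prefix="delphi7_demo_")
    lib = os.path.join(root, "Lib")
    os.makedirs(lib)
    clean_dcu = b"DCU\x00" + b"clean SysConst unit (constructed sample)"
    infected_dcu = clean_dcu + b" + call to injected init routine"
    with open(os.path.join(lib, "SysConst.dcu"), "wb") as f:
        f.write(infected_dcu if infected else clean_dcu)
    if infected:
        # Induc keeps the clean copy: binaries it infects check for it and only
        # re-infect Delphi when SysConst.bak is missing.
        with open(os.path.join(lib, "SysConst.bak"), "wb") as f:
            f.write(clean_dcu)
    return root


if __name__ == "__main__":
    for label, root in (("clean", build_demo_tree(False)), ("infected", build_demo_tree(True))):
        print(label, root)
        for line in check_delphi_install(root) or ["no Induc indicators found"]:
            print("  ", line)
```

Note that the hash comparison only says the .dcu was rebuilt after the backup was taken; confirming what was injected still requires looking at the unit itself, and a SysConst.bak that is missing on a known-infected machine means the next run of an infected program will re-infect Delphi, as F-Secure's description above states.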