Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 10, 2016, 04:24:02 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?  (Read 4386 times)

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« on: October 25, 2009, 06:14:29 PM »
I just running a full system scan and NOD32 reports that Website Watcher is infected with Win32/Induc.A virus.

I am running WW version 5.0.5 (my updates have expired so I can't update to a newer version without paying).

I looked up this virus on Sophos and it says:

Quote
W32/Induc-A is a virus that infects Delphi files at compile-time. As such, these files cannot be disinfected and need to be recompiled cleanly.

W32/Induc-A searches computers for installations of Delphi, then attempts to temporarily modify SysConst.pas, and compiles this to infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.

Infected SysConst.dcu files are detected as Mal/Induc-A, and infected SysConst.pas files as Mal/Induc-B. These behavioural genotype detections detect all infected versions that we are currently aware of. However, we would still like to see more samples of SysConst.dcu, SysConst.bak and SysConst.pas from any Delphi developers potentially affected by this virus, especially if you have customized versions of these units.

Further analysis of W32/Induc-A can be found in the following blog article: Compile-a-virus - W32/Induc-A

PLEASE NOTE: Because infected executables are produced at compile time by infected Delphi development environments, we are seeing many cases of infected files coming from genuine software vendors. These are not false positives. Clients and software developers seeking to understand why their software is deing detected as W32/Induc-A should see this blog artice.

The emphasis is mine.

This has not shown up until I did a manual scan. Is anyone else experiencing this? Try scanning the folder Program Files\Website-Watcher and see if your AV reports a problem.

As stated above this is a compile time problem for Delphi builds that have got infected and so if true would mean that Website-Watcher's developer systems are possibly infected. I don't want to contact them until I am sure it is a problem with them rather than a cross infection opn my system.

So far no other Delphi based apps have shown up (and my drive C: has been fully scanned) so it doesn't look like cross infection.

Anyone any other feedback on this?

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,666
    • View Profile
    • App's Apps
    • Read more about this member.
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #2 on: October 25, 2009, 06:33:36 PM »
There is a "proof of concept" virus in the wild that can infect systems that have a copy of Delphi installed.

If you don't have a copy of Delphi itself, this virus can't do anything or spread. And it can only infect certain versions of Delphi, at that.

It seems this virus has been around quite awhile (at least a few years), without anyone knowing about it because the payload is more or less harmless, even if you do have Delphi installed.

It won't infect other Delphi apps, just Delphi itself, and then get compiled into every app the developer compiles with his infected Delphi installation. Other than that, it doesn't do anything else, and what it does isn't entirely malicious beyond leaving a calling card all over the place. The goal of this virus seems to just be to leave it's mark (an "i was here") in as many Delphi apps as possible.


aignes

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 44
    • View Profile
    • WebSite-Watcher
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #3 on: October 26, 2009, 05:22:17 AM »
WebSite-Watcher 5.0.5 was the only version with that problem and we released version 5.0.6 the same day as virus scanners started to report this problem (it affects only Delphi 5-7 installations, not higher Delphi versions or any other files).

In WSW, call Help + Downloads/Update subscription to download version 5.0.6.
- Martin Aignesberger,  author of WebSite-Watcher

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,435
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #4 on: October 26, 2009, 05:31:37 AM »
Maybe this is a good excuse to ask Martin to look at this thread:
http://www.donationc...ex.php?topic=19213.0

 :-*

aignes

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 44
    • View Profile
    • WebSite-Watcher
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #5 on: October 26, 2009, 07:49:08 AM »
For initial WSW purchases the discount coupon from the last special DC celebration (or whatever is was called) is still valid. This discount coupon can also be used for Local Website Archive, AM-Notebook and Bundles.
- Martin Aignesberger,  author of WebSite-Watcher

MerleOne

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 949
  • 4D thinking
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #6 on: October 26, 2009, 09:25:58 AM »
Hello Aignes,

I am sure I tried the coupon for LWA a few days ago, and it didn't work.  I'll try again and post it here if it fails again.

Thanks for the good news !
.merle1.

MerleOne

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 949
  • 4D thinking
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #7 on: October 26, 2009, 09:32:37 AM »
I just tried the purchase process with the coupon for DC members and it is rejected.  It's the coupon given that expired in March 2009, described in the special user section (http://www.donationc...ex.php?topic=17289.0).
.merle1.

aignes

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 44
    • View Profile
    • WebSite-Watcher
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #8 on: October 26, 2009, 10:07:04 AM »
Sorry about this problem, it seems that there are two different discount coupons available. Both should now work until the end of the year...

Could you please try again and report back if it worked?
- Martin Aignesberger,  author of WebSite-Watcher

MerleOne

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 949
  • 4D thinking
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #9 on: October 26, 2009, 10:34:09 AM »
Sorry about this problem, it seems that there are two different discount coupons available. Both should now work until the end of the year...

Could you please try again and report back if it worked?
Sure !  Stay tuned...

Update : it works fine now.  Thanks !
.merle1.
« Last Edit: October 26, 2009, 10:35:58 AM by MerleOne »

patteo

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 437
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?
« Reply #10 on: October 26, 2009, 11:58:01 AM »
Does the discount code apply to upgrades as well ?