Is Website-Watcher 5.0.5 infected with Win32/Induc.A virus?

Carol Haynes:
I am just running a full system scan and NOD32 reports that Website Watcher is infected with Win32/Induc.A virus.

I am running WW version 5.0.5 (my updates have expired so I can't update to a newer version without paying).

I looked up this virus on Sophos and it says:

--- Quote ---

W32/Induc-A is a virus that infects Delphi files at compile-time. As such, these files cannot be disinfected and need to be recompiled cleanly.

W32/Induc-A searches computers for installations of Delphi, then attempts to temporarily modify SysConst.pas, and compiles this to infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.

Infected SysConst.dcu files are detected as Mal/Induc-A, and infected SysConst.pas files as Mal/Induc-B. These behavioural genotype detections detect all infected versions that we are currently aware of. However, we would still like to see more samples of SysConst.dcu, SysConst.bak and SysConst.pas from any Delphi developers potentially affected by this virus, especially if you have customized versions of these units.

Further analysis of W32/Induc-A can be found in the following blog article: Compile-a-virus - W32/Induc-A

PLEASE NOTE: Because infected executables are produced at compile time by infected Delphi development environments, we are seeing many cases of infected files coming from genuine software vendors. These are not false positives. Clients and software developers seeking to understand why their software is being detected as W32/Induc-A should see this blog article.
--- End quote ---

The emphasis is mine.

This has not shown up until I did a manual scan. Is anyone else experiencing this? Try scanning the folder Program Files\Website-Watcher and see if your AV reports a problem.

As stated above this is a compile time problem for Delphi builds that have got infected and so if true would mean that Website-Watcher's developer systems are possibly infected. I don't want to contact them until I am sure it is a problem with them rather than a cross infection on my system.

So far no other Delphi based apps have shown up (and my drive C: has been fully scanned) so it doesn't look like cross infection.

Anyone any other feedback on this?
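
As an added example (not part of the post above or of the Sophos write-up): a triage script a Delphi developer could run over an install directory to find a SysConst.bak left beside SysConst.dcu, the leftover the quoted description mentions. The function names, the content-comparison heuristic and the directory tree built in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# File names taken from the Sophos description quoted above.
UNIT, BACKUP = "sysconst.dcu", "sysconst.bak"

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_sysconst_backups(root):
    """Return one finding per directory under root that holds both
    SysConst.dcu and SysConst.bak (names matched case-insensitively)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_name = {name.lower(): name for name in files}
        if UNIT in by_name and BACKUP in by_name:
            dcu = os.path.join(dirpath, by_name[UNIT])
            bak = os.path.join(dirpath, by_name[BACKUP])
            dcu_hash, bak_hash = sha256(dcu), sha256(bak)
            findings.append({
                "dir": dirpath,
                "dcu_sha256": dcu_hash,
                "bak_sha256": bak_hash,
                # Assumption of this example: a backup that differs from the
                # live unit means the unit was rebuilt after the backup.
                "differs": dcu_hash != bak_hash,
            })
    return findings

def demo():
    """Build a constructed directory tree (no real Delphi files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Delphi7/Lib": {"SysConst.dcu": b"rebuilt unit", "SysConst.bak": b"original unit"},
            "Delphi2007/lib": {"SysConst.dcu": b"original unit"},
            "Copy/Lib": {"sysconst.dcu": b"same", "SYSCONST.BAK": b"same"},
        }
        for rel, files in layout.items():
            os.makedirs(os.path.join(root, rel))
            for name, data in files.items():
                with open(os.path.join(root, rel, name), "wb") as f:
                    f.write(data)
        return sorted((os.path.relpath(f["dir"], root).replace(os.sep, "/"), f["differs"])
                      for f in find_sysconst_backups(root))

if __name__ == "__main__":
    print(demo())
```

A directory reported with `differs` set to true is one to scan with an up-to-date AV product before anything further is compiled from that installation.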

Carol Haynes:
Update: http://www.aignes.com/forum/viewtopic.php?t=2584&highlight=induc

app103:
There is a "proof of concept" virus in the wild that can infect systems that have a copy of Delphi installed.

If you don't have a copy of Delphi itself, this virus can't do anything or spread. And it can only infect certain versions of Delphi, at that.

It seems this virus has been around quite a while (at least a few years), without anyone knowing about it because the payload is more or less harmless, even if you do have Delphi installed.

It won't infect other Delphi apps, just Delphi itself, and then get compiled into every app the developer compiles with his infected Delphi installation. Other than that, it doesn't do anything else, and what it does isn't entirely malicious beyond leaving a calling card all over the place. The goal of this virus seems to just be to leave its mark (an "I was here") in as many Delphi apps as possible.

aignes:
WebSite-Watcher 5.0.5 was the only version with that problem and we released version 5.0.6 the same day as virus scanners started to report this problem (it affects only Delphi 5-7 installations, not higher Delphi versions or any other files).

In WSW, call Help + Downloads/Update subscription to download version 5.0.6.

mouser:
Maybe this is a good excuse to ask Martin to look at this thread:
https://www.donationcoder.com/forum/index.php?topic=19213.0

 :-*
