How to Prevent and Remove the Virus.Win32.Induc.a


1. What is Virus.Win32.Induc.a?

W32/Induc-A is a virus that infects Delphi files at compile-time. As such, these files cannot be disinfected and need to be recompiled cleanly.

W32/Induc-A searches computers for installations of Delphi, then attempts to temporarily modify SysConst.pas, and compiles this to infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.

Infected SysConst.dcu files are detected as Mal/Induc-A, and infected SysConst.pas files as Mal/Induc-B. These behavioural genotype detections detect all infected versions that we are currently aware of. However, we would still like to see more samples of SysConst.dcu, SysConst.bak and SysConst.pas from any Delphi developers potentially affected by this virus, especially if you have customized versions of these units.
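An added check, written for this page and not code from the original or from any vendor, that inspects a Delphi Lib directory for the traces described above (a SysConst.bak next to SysConst.dcu, a stray SysConst.pas) and puts the original unit back from the backup; the `.infected` quarantine name, the constructed sample directory and the assumption that a stock installation ships neither SysConst.bak nor SysConst.pas in Lib are mine.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Unit names from the page: Induc-A recompiles SysConst.dcu and leaves the
# original behind as SysConst.bak, plus a temporarily modified SysConst.pas.
DCU, BAK, PAS = "SysConst.dcu", "SysConst.bak", "SysConst.pas"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def assess_lib_dir(lib_dir) -> dict:
    """Report the Induc-A traces found in one Delphi Lib directory.
    Assumption: a clean install has no SysConst.bak / SysConst.pas in Lib.
    Returns {"status": "clean" | "suspicious" | "missing", "findings": [..]}."""
    lib = Path(lib_dir)
    dcu, bak, pas = lib / DCU, lib / BAK, lib / PAS
    if not dcu.is_file():
        return {"status": "missing", "findings": [f"{DCU} not found in {lib}"]}
    findings = []
    if bak.is_file():
        findings.append(f"{BAK} present: backup the virus writes before recompiling")
        if sha256_of(bak) != sha256_of(dcu):
            findings.append(f"{DCU} differs from {BAK}: compiled unit was replaced")
    if pas.is_file():
        findings.append(f"{PAS} present in Lib: temporary modified source left behind")
    return {"status": "suspicious" if findings else "clean", "findings": findings}

def restore_from_backup(lib_dir) -> Path:
    """Restore SysConst.dcu from the virus-made backup; the replaced unit is kept
    under a constructed '.infected' name so it can be submitted as a sample."""
    lib = Path(lib_dir)
    quarantine = lib / (DCU + ".infected")
    shutil.move(str(lib / DCU), str(quarantine))
    shutil.copy2(str(lib / BAK), str(lib / DCU))
    return quarantine

def build_sample_lib(infected: bool) -> Path:
    """Constructed stand-in for a Delphi Lib directory (no real .dcu content)."""
    lib = Path(tempfile.mkdtemp(prefix="delphi_lib_"))
    (lib / DCU).write_bytes(b"INFECTED-UNIT" if infected else b"ORIGINAL-UNIT")
    if infected:
        (lib / BAK).write_bytes(b"ORIGINAL-UNIT")
        (lib / PAS).write_bytes(b"unit SysConst; interface implementation end.")
    return lib
```

Run `assess_lib_dir` against each real `%delphi rootdir%\Lib` on a build machine; a "suspicious" result with the "differs" finding is the case where `restore_from_backup` applies, and anything compiled since then still has to be rebuilt cleanly.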


Alias: Backdoor.Win32.Rbot [Ikarus]

 

2. Technical Details

 

a. The following files were created in the system:

#  Filename(s)                              File Size
1  [file and pathname of the sample #1]     2,690,560 bytes

  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

  • There was a new process created in the system:

Process Name                            Process Filename                        Main Module Size
[file and pathname of the sample #1]    [file and pathname of the sample #1]    13,361,152 bytes

c. Registry Modifications

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
    • HKEY_CURRENT_USER\Software\Microsoft\aJjdQVmC
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • [filename of the sample #1] = "[file and pathname of the sample #1]"
      so that [file and pathname of the sample #1] runs every time Windows starts
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]
      • 200.98.196.212 = "-687210486:tcp:200.98.196.212,1433"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
      • NetworkAddress = C2 BA C8 0D CE 56
      • NetworkAddressLocal = 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\aJjdQVmC]
      • YbpbdAgY = 7A 94 F9 23 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0

 

d. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host       Port Number
200.98.196.212    1433

 

3. How-to's

a. How to prevent Virus.Win32.Induc.a?

Please keep the Sax2 policy knowledge base updated in time. Once Ax3soft Sax2 detects the communication of these trojans, it will break those connections and ensure your network and business security.

b. How to Remove the Virus.Win32.Induc.a Manually?

Step 1: Use Windows Task Manager to Remove Virus.Win32.Induc.a Processes

[file and pathname of the sample #1]

Step 2: Use Registry Editor to Remove Virus.Win32.Induc.a Registry Values

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[filename of the sample #1] = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]
200.98.196.212 = "-687210486:tcp:200.98.196.212,1433"
[HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
NetworkAddress = C2 BA C8 0D CE 56
NetworkAddressLocal = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\aJjdQVmC]
YbpbdAgY = 7A 94 F9 23 0D A6 14 E1 E1 CF BF 65 20 6F 9E B3 99 65 4A 53 FB F6 75 54 AD 23 CD 7E 9C 29 E7 FC E2 F9 4D D2 42 4E 06 C0 F8 9A 1C 62 38 74 24 00 55 DF 41 CB 01 A2 B7 F3 8F 8A DD AC 33 83 60 29 F3 78 24 3E 7A EB D3 E4 9D 9D 43 94 4A C7 45 6D 25 74 EB 0
 

Step 3: Detect and Delete Other Virus.Win32.Induc.a Files

[file and pathname of the sample #1]
%delphi rootdir%\Lib\SysConst.dcu
%delphi rootdir%\Lib\SysConst.bak
%delphi rootdir%\source\rtl\sys\SysConst.pas
%delphi rootdir%\Lib\SysConst.pas
 

c. How to Remove These Trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm