W32/Induc Delphi virus infections explored

In the last 2 days there has been considerable interest in the Delphi source code infecting malware that Sophos is detecting as W32/Induc-A. Richard Cohen initially blogged about it here and Graham Cluley later posted here. In his post, Graham mentioned the fact that SophosLabs has over 3000 files that are being detected as W32/Induc-A.

I decided this was worth some investigation. At first glance it seems a significant number of files for such a short space of time. The first thing I did was to look at detection rates. I ran a selection of the files through different vendors scanners and discovered very mixed detection rates. As they were files Sophos already had and detected our detection rate was 100% but detection rates for other vendors varied between 100% and just 6%. Most vendors still have work to do on detecting these files.

Whilst doing this work I noticed that some vendors were not detecting the files as Induc but as various banking Trojans. This led me down the path of suspecting that some of the files were possibly malware themselves, built on infected systems.

I got the files from our database and it totalled 3352 files. As you would expect they are all Windows executables or DLLs. I then looked for a way of determining how many of the files were legitimate applications or possibly something else. I elected to look at the version info which is normally available in legitimate files.

Out of 3352 files that Sophos currently detects as W32/Induc-A, only 1200 had something in the CompanyName field of the resources. I then removed the entries where the Company name was blank or contained question marks. That got me down to just 796.

By now, I have just 25% of the original batch of files that contain some information. Judicious use of sort and uniq leaves me with just 275 unique entries. The list makes interesting reading. Make your mind up whether these are genuine files that you want on your system

  • CheatsAdvanced.net
  • Grand Chase Hackers
  • LoveYou
  • MRs.Romanha
  • nnnviiririri
  • RadicalCheats
  • SearchLink (in fact several different variants of upper and lower case)
  • ThunderCheats
  • XxX13

These types of names form the basis of most of the files I was left with. The inescapable conclusion is that a significant number of these files are not wanted on customer systems so let me reiterate Graham’s advice – if you believe the file is from a legitimate vendor then go to that vendor and request that they provide clean copies. After all, they either are, or have been, compromised in their build environment.

If you are at all suspicious of the origin of the file then delete it. It has a very high chance of being something you just do not want anyway.