Every day, on my walk to work through downtown Vancouver, I pass a poster for a road safety campaign. It says “Being hit while jaywalking only happens to other people…” As someone who originates from England, where jaywalking is normal practice on all but the busiest roads, it is something of which I need to particularly take notice.
The internet equivalent of jaywalking might be something like peer-to-peer file sharing. If you download a file called “WorldOfWarcraftKeyCrack.exe”, do not be surprised if your anti-virus software detects that it is, in fact, an online gaming password stealer.
However, what does it mean when your anti-virus suddenly alerts on normally legitimate software, from a source you trust?
Golden Rule number 1: What is the nature of the beast? Always read the malware description!
When Sophos products detect malware, the alerts include a handy link to the malware description on our website. Use it! In particular note what type of infection is being reported: If it is a file-infecting virus then it may indeed be infecting otherwise legitimate software.
W32/Induc-A is no exception to this rule.
As Sophos has already blogged, we have seen over 3000 files infected by the Induc virus.
Furthermore, in the last 24 hours there have been at least 11 cases where customers have submitted samples claiming that we are erroneously detecting legitimate software.
All of them have been genuine infections.
Let me underline this point: We have not had a single false positive on W32/Induc-A, nor are we ever likely to see one. If Sophos says you have a W32/Induc-A infection, we mean exactly what we say.
The manner of W32/Induc-A’s infection mechanism makes it even more likely to spread from supposedly legitimate sources.
As was already explained in Richard’s blog article, infected executables do not directly infect other executables. Instead they infect a library module (SysConst.dcu) in the Delphi Development environment. When a software house producing Delphi applications becomes infected in this way, every executable it compiles is infected with the virus.
Internal applications quickly spread the infection to all the company’s developers, while external applications are distributed to customers. Customers may include other Delphi programmers, and thus the virus spreads.
What should I do if I have a W32/Induc-A, W32/Induc-B, Mal/Induc-A or Mal/Induc-B infection?
If you are a customer who has received an application infected with W32/Induc-A or W32/Induc-B, please contact the supplier of the software. Inform them of the infection, and please ask them to contact either Sophos or the technical support of their anti-virus supplier as appropriate. When they have cleaned up their Delphi installation, they should then be able to supply you with clean versions of their software.
If you are a Delphi developer, or if you have Delphi installed and have possibly executed an infected application, then it is not sufficient to simply disinfect infected executables. You will also need to clean your Delphi development environment. The most important part of this procedure is to make sure your anti-virus software can detect infected SysConst.dcu units, and replace these with clean backups. Then recompile clean versions of your software to distribute to your customers.
Of course, you should probably warn your customers about the problem at the same time.
However, we would still like to see more samples of SysConst.dcu, SysConst.bak and SysConst.pas from any Delphi developers potentially affected by this virus, especially if you have customized versions of these units.
Sophos customers needing further assistance with W32/Induc-A, W32/Induc-B, Mal/Induc-A and Mal/Induc-B infections can always contact Sophos technical support.