W32/Induc-A virus being spread by Delphi software houses

Richard Cohen, one of the analysts at SophosLabs, blogged yesterday about a curious piece of malware designed to infect applications written using Delphi (a variant of the Pascal language originally developed by Borland, and now used to quickly develop Windows programs such as database applications).

The W32/Induc-A virus inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable.

Since yesterday, Sophos has received over 3000 unique infected samples of programs infected by W32/Induc-A from the wild.. This makes us believe that the malware has been active for some time, and that a number of software houses specialising in developing applications with Delphi must have been infected.

Examples of infections have included applications that submitters have described as:

  • “A tool for downloading configuration files onto GSM modules”
  • “A compiler interface that operates between our third-party design software and our CNC woodworking machinery”

Delphi code

In addition, and quite ironically, we have seen a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A.

Could it be that the malware has also hit other malware authors?

Delphi is frequently used to create bespoke software, either by small software houses or by internal teams. If you believe that you may be using software written in Delphi you would be very wise to ensure that your anti-virus software is updated. Actually, regardless of whether you use Delphi-written apps that’s a good idea.

And if you do find a W32/Induc-A infection in one of your programs, speak to its developers immediately – as it’s quite possible they have also been passing an infection on to other customers.

Let me reiterate – this virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected.

Sean Richmond, Senior Technology Consultant at Sophos Australia, discussed the W32/Induc virus with Patrick Gray on this week’s Risky Business show. Listen to them discussing the malware in the podcast below.

Don’t forget, if you want to scan your computer for an Induc infection (or indeed other malware infections) and aren’t already a Sophos customer you can always download Sophos’s free Threat Detection Test.