Greetings to everyone on this page!
Today a friend of mine, who among other things is interested in developing 2D games in Delphi, sent me another creation of his. "Trust, but verify!" I thought, and in the good old tradition sent the file to VirusTotal. After waiting for the scan results, my urge to launch the toy right away somehow faded... Several cells of the results table showed the already familiar word "Induc" in a pretty red colour. A little surprised that my own antivirus had not squealed (it seems it hasn't done that for a long time), I went to sort things out. Not with the antivirus vendor's representatives, but with the structure of the infected file.
Remembering the end of summer 2009, when Induc managed to infect not only the environments of Delphi programmers but also many popular programs, such as QIP and AIMP, and considering that this was the first time I had run my friend's files, I first decided to check my own installation. I compiled an empty project and sent it to the same VirusTotal: no Induc there!
Having calmed down a little, I start a virtual machine and install Delphi 7. Not yet having had time to forget, I recall the end of summer 2009 and the discussions on many Internet forums about how this thing works, reproduces and lives, and I realise that I ought to use something like Google. Laziness is stronger, however, and besides, the installer has just reported that the IDE was installed successfully.
The first thing that occurred to me was to launch Process Monitor and see where the infected file goes. No sooner said than done!

The screenshot shows that after repeatedly writing something into the SysConst.pas file, the toy turns to the Delphi compiler (dcc32.exe), obviously trying to compile that .pas file.
Without further ado, having rolled the virtual machine back to its state right after the Delphi installation, I put my own exe file in place of DCC32.EXE, with source code of the following content:

So, in the copy.pas file we have the following: pastebin.com/QT0tEVJb. Comparing it with the original SysConst.pas, we see that it has been supplemented with malicious lines.
After a bit of digging, I produced a formatted source: pastebin.com/KpmuSii9 (with my comments).
As you can see, at startup it checks for some reason whether the program is running under a debugger (why?) and whether it is running on an NT system; otherwise it stops.
Next, the virus rummages through the registry looking for the installed Delphi version and the path to its folder.
Then a procedure is called that reads the original SysConst.pas file, appends the malicious lines to it and saves it in the lib folder, i.e. where the SysConst.dcu file lives. The same procedure then launches the compiler, thereby obtaining an infected SysConst.dcu. It also deletes the malicious source and sets the creation, last-access and modification times of the new SysConst.dcu to those of its predecessor.
And the line 'Carpathian Forest CF1.3 BondedByBlood' is written into the SysConst.pas file.
That seems to be all; Induc has done its job... But there are still a few unused procedures that implement outright destructive functionality. When the Check procedure runs, it tests whether today is 13 October 2010 or later; if so, the Analize procedure is launched. That procedure first deletes the files hal.dll, urlmon.dll, userinit.exe, logoff.exe, rasapi32.dll, explorer.exe and ntdetect.com, then searches for all files on the drives from C: to Z: and corrupts each of them by cyclically writing the string 'Carpathian Forest CF1.3 BondedByBlood' padded with kilobytes of null characters. At the end of all this a window opens with the title 'TODAY IS A NICE DAY TO DIE.' and the text 'Carpathian Forest CF1.3 BondedByBlood'.
However, the author chose to hide all these features (or simply forgot to wire them up).
It is also noteworthy that the virus is somewhat dated (the source code contains the date 2010-10-13), yet most of the popular antiviruses haven't the faintest idea about it... What is so hard about detecting such a fairly simple virus?
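A defender's check built from the details above, added here as an example (not the post's own code): it walks a Delphi installation looking for the 'Carpathian Forest' marker string inside .pas, .dcu and .exe files, and for a SysConst.pas left beside SysConst.dcu in the lib folder. Because the infector copies the old timestamps onto the new SysConst.dcu, the scan deliberately looks at file contents rather than dates; the sample tree it builds is constructed for the demonstration and is not a real installation.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"Carpathian Forest CF1.3 BondedByBlood"   # string the post says Induc writes
SCAN_SUFFIXES = {".pas", ".dcu", ".exe"}            # units, compiled units, built programs

def file_contains(path, needle, chunk_size=1 << 20):
    """Stream the file with overlap so large units need not fit in memory."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):]

def scan_tree(root):
    """Return (path, reason) findings for a Delphi directory tree.
    'marker'     - infection string present in the file contents
    'pas-in-lib' - SysConst.pas left next to SysConst.dcu (the lib folder is
                   where the infector writes and compiles its source)
    Timestamps are ignored on purpose: the infector restores them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        if "sysconst.pas" in names and "sysconst.dcu" in names:
            findings.append((os.path.join(dirpath, names["sysconst.pas"]), "pas-in-lib"))
        for f in files:
            path = Path(dirpath, f)
            if path.suffix.lower() in SCAN_SUFFIXES and file_contains(path, MARKER):
                findings.append((str(path), "marker"))
    return findings

def build_sample_tree():
    """Constructed sample layout for a dry run, not a real Delphi installation."""
    root = tempfile.mkdtemp(prefix="induc-demo-")
    lib = Path(root, "Lib")
    lib.mkdir()
    src = Path(root, "Source", "Rtl", "Sys")
    src.mkdir(parents=True)
    (src / "SysConst.pas").write_bytes(b"unit SysConst;\ninterface\nend.\n")  # clean source
    (lib / "SysUtils.dcu").write_bytes(b"\x00DCU clean unit")                  # clean unit
    (lib / "SysConst.dcu").write_bytes(b"\x00DCU" + MARKER + b"\x00" * 32)     # infected unit
    return root
```

Against a real machine, call scan_tree() with the root folder of the Delphi installation (and any project output folders) instead of build_sample_tree(); a 'marker' hit on SysConst.dcu means every program compiled since will carry the same string.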