Event Log Explorer FP

@YoKenny (and Tech ;)):

They seem to have already solved this:
avast! blog >> Win32:Induc, new concept of file infector? >> Comments

EDIT:Hmmm… http://forum.avast.com/index.php?topic=47792.0

YoKenny,

Regarding Event log explorer,

I noticed you haven’t got a response yet from the devs…

I don’t use it but out of curiosity, I tried downloading it again, and got the following error:

http://sites.google.com/site/spg20scottsweb/home/images/unsafe-download/screenshot.21-08-2009%2013.47.05.png

So it has filtered through…

However, I downloaded it and scanned the .zip (context menu) and it was clean. I am not sure if they cleaned it or not but the web shield did alert to this download before…as you know…

Maybe someone from ALWIL could take a look?

There is no alert on the download anymore but no release changes so I am not too sure…

-Scott-

No alert by avast! but MSE refuses to let it install and no response from FSPro development but another person has reported the problem:
http://www.fspro.net/forum/viewtopic.php?t=1094

Hi,
regarding Event log explorer:
version 3.1 (build 3.1.3.615), which is available on hxxp://www.eventlogxp.com/download/elex.zip and some other download servers, is clean, but version 3.1 (build 3.1.2.595) RC1, which can be found on http://www.softpedia.com/progDownload/Event-Log-Explorer-Download-23718.html (link “External Mirror 1 - Beta” leads to hxxp://www.eventlogxp.com/download/elex31beta.zip), is infected (virustotal (whole setup package elex_setup.exe), virustotal (installed file elex.exe); you can check the md5, sha1 or sha256 checksums).
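The checksum comparison Milos suggests, written out as an added example (not code from the thread or from the Event Log Explorer vendor): compute md5, sha1 and sha256 of a downloaded package in one pass and compare them against the values the vendor or a VirusTotal report publishes. The sample bytes and the expected-hash dictionary are constructed here for illustration and stand in for a real elex_setup.exe and its published hashes.

```python
import hashlib
from typing import Dict

# The three algorithms named in the post; VirusTotal reports all of them.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> Dict[str, str]:
    """Compute md5, sha1 and sha256 of an in-memory blob in a single pass."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    for h in hashes.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digests(), but streamed from disk so a large setup package
    is hashed without being read into memory at once."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, str]:
    """Compare computed digests with published ones.

    Returns algorithm -> "ok" | "MISMATCH" | "not published".
    Comparison is case-insensitive and ignores surrounding whitespace,
    because published hashes are pasted in either case.
    """
    report = {}
    for name in ALGORITHMS:
        published = expected.get(name)
        if published is None:
            report[name] = "not published"
        elif actual[name].lower() == published.strip().lower():
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def is_trustworthy(report: Dict[str, str]) -> bool:
    """A file passes only if at least one hash was checked and none mismatched.
    One mismatching algorithm is enough to reject, even if md5 happens to match:
    the file on disk is not the file that was published."""
    values = report.values()
    return "MISMATCH" not in values and "ok" in values


if __name__ == "__main__":
    # Constructed stand-in for a downloaded package; the "published" hashes are
    # the well-known digests of the byte string b"abc" (hypothetical vendor values).
    package = b"abc"
    published = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
    }
    report = verify(digests(package), published)
    for algo, status in report.items():
        print(f"{algo:7s} {status}")
    print("trustworthy:", is_trustworthy(report))
```

Usage against a real download would be `verify(digests_of_file("elex_setup.exe"), published)`. Note that a matching hash only proves you have the same bytes the vendor published; if the vendor's own build environment was infected, as the thread describes, the published hash matches an infected file, so the check complements rather than replaces an AV scan.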

Hi Milos,

Thanks for the update :slight_smile:

I also found this page, while looking:
http://www.fspro.net/win32induc.html

I’m glad that there are at least some that are admitting it…

-Scott-

Hi malware fighters,

Solved the problem with Event Log Explorer, and after a fresh download it just works normally again without a trace of Win32:Induc.
It seemed the Borland Delphi in-crowd knew about the existence of this file infector somewhat longer; a certain “douche” there launched the POC online, and so it was found in the wild. MS then flagged it and other AV vendors followed suit.

polonus

Seems like some “Krusty” character works at Microsoft because it still won’t download for me.

Hi YoKenny,

I had to download a specific beta version of the program that was not flagged for the Borland Delphi file infector… Event Log Explorer 1.4 (Build 1.4.1.263) Beta
Proof: http://www.virustotal.com/nl/analisis/76c56a57dc24a3a288f92dbd7f57ef422ce2af51d3ced36d3c67f07d80110809-1250975079

All the others I tried had the Win32:Induc virus, which inserts itself into the source code of any Delphi program it finds on an infected computer and then compiles itself into a finished executable.
It has been around for months now; the POC was known in inner Borland Delphi developer circles, and some “douche” there put it online, so it was flagged after thus being found “in the wild” by MS, and later Sophos, McAfee and other AV followed suit. Funny thing that even some malcreant’s trojans in Delphi were affected.
The file infector did not have any payload at the time, but the working mechanism and the way that it can be successful as a file infector to “infect” executables make it too dangerous to ignore. File infectors are “old school viruses” re-created, as demonstrated by this one, which is developer-software related, and by high-risk file infectors like Virut etc.

polonus

Where did you get Event Log Explorer 1.4 (Build 1.4.1.263) Beta ???

Hi YoKenny,

It was quite some search. Here is the link: http://download.chip.eu/nl/download_nl_804527.html
Checking: http://download.chip.eu/js/prototype.js
File size: 69.59 KB
File MD5: ed2d6608b0832c5e990e10729157b485

http://download.chip.eu/js/prototype.js - Ok

pol

P.S. Link for some MS info on specific log events:
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnf_msg_wjlu.asp
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=event+id+576&View=en-us
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=event+id+528&View=en-us

Damian