@YoKenny (and Tech ;)):
They seem to have already solved this:
avast! blog >> Win32:Induc, new concept of file infector? >> Comments
YoKenny,
Regarding Event log explorer,
I noticed you haven’t got a response yet from the devs…
I don’t use it but out of curiosity, I tried downloading it again, and got the following error:
So it has filtered through…
However, I downloaded it and scanned the .zip (context menu) and it was clean. I am not sure if they cleaned it or not but the web shield did alert to this download before…as you know…
Maybe someone from ALWIL could take a look?
There is no alert on the download anymore but no release changes so I am not too sure…
-Scott-
No alert by avast! but MSE refuses to let it install and no response from FSPro development but another person has reported the problem:
http://www.fspro.net/forum/viewtopic.php?t=1094
Hi,
regarding Event log explorer:
version 3.1 (build 3.1.3.615) which is available on hxxp://www.eventlogxp.com/download/elex.zip and some other download servers is clean, but version 3.1 (build 3.1.2.595) RC1 which can be found on http://www.softpedia.com/progDownload/Event-Log-Explorer-Download-23718.html (link “External Mirror 1 - Beta” leads to hxxp://www.eventlogxp.com/download/elex31beta.zip) is infected (virustotal (whole setup package elex_setup.exe), virustotal (installed file elex.exe), you can check md5, sha1 or sha256 checksums).
Hi Milos,
Thanks for the update
I also found this page, while looking:
http://www.fspro.net/win32induc.html
I’m glad that there are at least some that are admitting it…
-Scott-
Hi malware fighters,
Solved the problem with Event Log Explorer and after a fresh download it just works normally again without a trace of Win32:Induc.
It seemed the Borland Delphi in-crowd knew about the existence of this file infector somewhat longer, a certain “douche” there launched the POC online and so it was found up in the wild. MS then flagged it and other av vendors followed suit,
polonus
Seems like some “Krusty” character works at Microsoft because it still won’t download for me.
Hi YoKenny,
I had to download a specific beta version of the program that was not flagged for the Borland Delphi file infector…Event Log Explorer 1.4 (Build 1.4.1.263) Beta
Proof: http://www.virustotal.com/nl/analisis/76c56a57dc24a3a288f92dbd7f57ef422ce2af51d3ced36d3c67f07d80110809-1250975079
All the others I tried had the Win32 Induc virus, which inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable.
It has been around for months now, the POC was known in inner Borland Delphi developer circles, and some “douche” there put it online, so it was flagged after thus being found “in the wild” by MS and later Sophos, McAfee and other av followed suit. Funny thing that even some malcreant’s trojans in Delphi were affected.
The file infector did not have any payload at the time, but the working mechanism and the way that it can be successful as a file infector to “infect” executables makes it too dangerous to ignore. File infectors are “old school virus” re-created as demonstrated by this one that is developer software related, and high risk file infectors like Virut etc.
polonus
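Two things this thread keeps coming back to are (a) checking a download's md5/sha1/sha256 against the checksums a vendor publishes, as Milos suggests above, and (b) the fact that this infector lives in the build environment rather than in one program, so the developer-side check is whether the compiler's library files have changed since a known-good state. The script below is an added example written for this thread, not code from avast!, FSPro or any other party mentioned here. It assumes you have the published digests in hand (any subset of the three algorithms) and a directory you want to baseline; the file names used in its self-test are constructed stand-ins, not real infected samples.

```python
import hashlib
import os
from typing import Dict, List, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")


def compute_digests(data: bytes) -> Dict[str, str]:
    """Return lowercase hex md5/sha1/sha256 digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk in chunks so a large installer does not need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(data: bytes, published: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Compare a downloaded package against published checksums.

    `published` maps algorithm name -> expected hex digest (any subset of
    ALGORITHMS, case-insensitive). Returns (ok, problems); `problems` maps each
    algorithm that failed to a short reason. An empty `published` dict is
    treated as a failure because there is nothing to verify against.
    """
    if not published:
        return False, {"*": "no reference checksums supplied"}
    actual = compute_digests(data)
    problems: Dict[str, str] = {}
    for name, expected in published.items():
        name = name.lower()
        if name not in actual:
            problems[name] = "unsupported algorithm"
        elif actual[name] != expected.strip().lower():
            problems[name] = f"mismatch: got {actual[name]}"
    return (not problems), problems


def snapshot_dir(root: str) -> Dict[str, str]:
    """Map each file (path relative to `root`) to its sha256.

    Taken once on a clean compiler installation this is the baseline; taken
    again later it is what you diff against the baseline.
    """
    snap: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            snap[os.path.relpath(full, root)] = digest_file(full)["sha256"]
    return snap


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    # Constructed demonstration input; a real run would read the downloaded
    # installer with digest_file() and take the digests from the vendor's page.
    payload = b"constructed sample installer bytes"
    reference = {"sha256": compute_digests(payload)["sha256"]}
    print(verify_download(payload, reference))
    print(verify_download(payload + b"!", reference))
```

Run `snapshot_dir()` on the compiler's library directory right after a clean install and keep the result somewhere the build machine cannot write to; re-run and `diff_snapshots()` before trusting a build. Note that `hashlib.new("md5")` may be refused on FIPS-restricted Python builds, in which case drop md5 from `ALGORITHMS` and rely on sha256.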
Where did you get Event Log Explorer 1.4 (Build 1.4.1.263) Beta ???
Hi YoKenny,
It was quite some search. Here is the link: http://download.chip.eu/nl/download_nl_804527.html
Checking: http://download.chip.eu/js/prototype.js
File size: 69.59 KB
File MD5: ed2d6608b0832c5e990e10729157b485
http://download.chip.eu/js/prototype.js - Ok
pol
P.S. Link for some MS info on specific log events:
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnf_msg_wjlu.asp
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=event+id+576&View=en-us
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=event+id+528&View=en-us
Damian