Hi malware fighters,
You read about a virus being analyzed - for instance by Dana Stanut, virus researcher at BitDefender - then you look for a blog he publishes on and get interesting information and news. It is another approach in dealing with a particular virus cleansing method - through the information of a virus researcher who analyzed that particular piece of malware…
So I have found Clearing the way - Malware City Blogs: http://www.malwarecity.com/blog/clearing-the-way-261.html
Do it, get informed, malware fighters, read what the virus researchers have to tell us, example here:
Win32.Induc.A
(Virus.Win32.Induc.a; W32/Induc virus; Win32.Induc; W32.Induc.A )
Spreading: high
Damage: low
Size: varies
Discovered: 2009 Aug 19
SYMPTOMS:
Presence of a file named sysconst.bak in %Delphi_Installation_Folder%\Lib\ folder.
TECHNICAL DESCRIPTION:
This threat spreads by infecting the systems running the Delphi development environment. When the virus code is executed it will first check if Delphi (version 4 through 7) is installed on the computer by trying to open the following registry key:
HKLM\SOFTWARE\Borland\Delphi
If found, it will get the Delphi installation folder from the same registry key.
Next it will copy
%Delphi_Installation_Folder%\Source\Rt… to %Delphi_Installation_Folder%\Lib\SysCons…
and add its malicious code in the implementation section of this copy. This file will then be compiled, resulting in an infected sysconst.dcu (Delphi compiled unit), but not before making a copy of the once clean sysconst.dcu file under sysconst.bak. Then the copy of sysconst.pas will be deleted.
As sysconst is included in each software compiled in Delphi, every program compiled with an infected Delphi will have the virus code embedded.
The malware does nothing if Delphi is not installed.
This threat has no payload besides self-replication.
Removal instructions:
Please let BitDefender disinfect your files. http://www.bitdefender.com/scan8/ie.html
Overwrite %Delphi_Installation_Folder%\Lib\syscons… with %Delphi_Installation_Folder%\Lib\syscons…
ANALYZED BY:
Dana Stanut, virus researcher
Source(s):
http://www.bitdefender.com/VIRUS-1000528…
And the info will be helpful here: http://forum.avast.com/index.php?topic=49407.0
and also here:
http://forum.avast.com/index.php?topic=52494.0
polonus
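
Added example, not part of the original post or of BitDefender's write-up: a read-only Python check for the symptoms described above (sysconst.bak in the Delphi Lib folder, a leftover sysconst.pas copy there, and a sysconst.dcu that no longer matches its backup). The `RootDir` registry value name and the function names are assumptions, not taken from the description.

```python
import hashlib
import sys
from pathlib import Path

DELPHI_KEY = r"SOFTWARE\Borland\Delphi"  # key from the description, under HKLM
ROOT_VALUE = "RootDir"                   # assumption: value that holds the install folder


def delphi_roots_from_registry():
    """Return Delphi install folders found in the registry (empty off Windows)."""
    if sys.platform != "win32":
        return []
    import winreg
    roots = []
    # Delphi 4-7 is 32-bit, so read the 32-bit registry view on 64-bit Windows.
    access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DELPHI_KEY, 0, access) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):  # one subkey per version
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as ver:
                    try:
                        roots.append(Path(winreg.QueryValueEx(ver, ROOT_VALUE)[0]))
                    except FileNotFoundError:
                        pass  # version subkey without the value
    except FileNotFoundError:
        pass  # Delphi key absent: nothing to check
    return roots


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_lib(root):
    """Report the Induc.A symptoms for one Delphi install folder (read-only)."""
    lib = Path(root) / "Lib"
    # Case-insensitive lookup so a disk image mounted on Linux is handled too.
    files = {p.name.lower(): p for p in lib.iterdir()} if lib.is_dir() else {}
    bak, dcu = files.get("sysconst.bak"), files.get("sysconst.dcu")
    return {
        "root": str(root),
        "bak_present": bak is not None,           # the symptom listed above
        "pas_in_lib": "sysconst.pas" in files,    # working copy, normally deleted
        "dcu_differs_from_bak": bak is not None and dcu is not None
                                and sha256(bak) != sha256(dcu),
    }


if __name__ == "__main__":
    for root in delphi_roots_from_registry():
        print(check_lib(root))
```

`check_lib` can also be pointed directly at a folder path when the registry is not available, for example on a mounted disk image.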