Software from my ISP detected as Win32:induc

I got software/driver for modem Pantech PX-500 from my ISP, and it was detected as Win32:induc. I’ve submitted it at hXXp://www.virustotal.com/analisis/7fc8fba3de1ed23436ca56936c5cb53ae4f63b3bc63761067323b618873d5781-1258525941; please let me know if it was a false positive.

Thanks,
Cahya.

Given the number of detections, 15/41, I would say it is more likely it is a good detection.

Edited: incorrect reference to codec removed, causing confusion.

However that said, many of the detections are heuristic which are more prone to false positive, you could send it to avast for further analysis.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Hello sir DavidR,

I guess you got confused between Indeo codec and induc?

nmb

Highly likely ;D

Essentially doesn’t change the advice to submit for further analysis due to many detections being heuristic.

Thanks David, I do plan to send the sample :)

Hi Cahya,

To fix the vulnerability, re: http://forum.avast.com/index.php?topic=52467.0

Selamat Hari Natal,

polonus

Thanks Polonus, I’ve been reading it now.

Merry Christmas :)

Cahya.

sir pol,

again… this is not about indeo codec but induc thing…

nmb

Hi nmb,

I reacted to DavidR’s posting, but of course it is the general Borland Delphi language issue, and similar to this: http://forum.avast.com/index.php?topic=47792
The program that is affected for our friend Cahya must be upgraded to a version that does not have that particular virus (the vulnerability was leaked onto the Internet by an irresponsible developer and then all av vendors had to flag it), nmb now I know what induc stands for, thanks for being that attentive…

polonus

sir pol,

I can’t reach your level. but thanks for the polite and nice reply.

yes, cahya… you read it right… as sir pol has stated, you need to update to the latest version which would be released by the author (ISP in your case)… check their website for more info…

else if you have sent the file to virus lab for checking, wait for a few days.

thanks
nmb

Hi nmb,

An example about finding information on a virus - another way to approach the problem - via the individual who has analyzed the malicious software as virus researcher:

You read about a virus being analyzed - for instance Dana Stanut, virus researcher at BitDefender’s, then you look for a blog he publishes on and get interesting information and news.
So I have found Clearing the way - Malware City Blogs: http://www.malwarecity.com/blog/clearing-the-way-261.html

Do get informed, malware fighters, read what the virus researchers have to tell us, example here:

Win32.Induc.A
(Virus.Win32.Induc.a; W32/Induc virus; Win32.Induc; W32.Induc.A )
Spreading: high
Damage: low
Size: varies
Discovered: 2009 Aug 19

SYMPTOMS:
Presence of a file named sysconst.bak in %Delphi_Installation_Folder%\Lib\ folder.

TECHNICAL DESCRIPTION:
This threat spreads by infecting the systems running the Delphi development environment. When the virus code is executed it will first check if Delphi (version 4 through 7) is installed on the computer by trying to open the following registry key:
HKLM\SOFTWARE\Borland\Delphi
If found, it will get the Delphi installation folder from the same registry key.
Next it will copy
%Delphi_Installation_Folder%\Source\Rt… to %Delphi_Installation_Folder%\Lib\SysCons…
and add its malicious code in the implementation section of this copy. This file will then be compiled, resulting in an infected sysconst.dcu (Delphi compiled unit), but not before making a copy of the once clean sysconst.dcu file under sysconst.bak. Then the copy of sysconst.pas will be deleted.
As sysconst is included in each software compiled in Delphi, every program compiled with an infected Delphi will have the virus code embedded.
The malware does nothing if Delphi is not installed.
This threat has no payload besides self-replication.

Removal instructions:
Please let BitDefender disinfect your files. http://www.bitdefender.com/scan8/ie.html

Overwrite %Delphi_Installation_Folder%\Lib\syscons… with %Delphi_Installation_Folder%\Lib\syscons…

ANALYZED BY:
Dana Stanut, virus researcher
Source(s):
http://www.bitdefender.com/VIRUS-1000528…

And the info will be helpful here: http://forum.avast.com/index.php?topic=49407.0

polonus
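
A defender-side check for the symptom named in the description quoted above (a sysconst.bak sitting next to sysconst.dcu in the Delphi Lib folder), as an added example that is not part of the original post or of BitDefender's write-up. The folder trees in `demo()` are constructed with dummy bytes, and treating a leftover sysconst.pas in Lib as a finding is an assumption drawn from the description, not a documented indicator.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_delphi_lib(install_dir: Path) -> dict:
    """Inspect <install_dir>/Lib for the Induc symptom described above."""
    lib = install_dir / "Lib"
    # Windows file names are case-insensitive, so match on lower-cased names.
    names = {p.name.lower(): p for p in lib.iterdir()} if lib.is_dir() else {}
    dcu, bak, pas = (names.get(n) for n in
                     ("sysconst.dcu", "sysconst.bak", "sysconst.pas"))
    findings = []
    if bak:
        findings.append("sysconst.bak present (documented symptom)")
    if pas:
        # Assumption: the working copy is normally deleted, so a leftover
        # in Lib may point to an interrupted infection run.
        findings.append("sysconst.pas left in Lib")
    if bak and dcu and sha256(bak) != sha256(dcu):
        findings.append("sysconst.dcu differs from its backup")
    return {
        "lib": str(lib),
        "suspect": bool(bak),
        "findings": findings,
        # Hashes let an analyst compare against a known-clean copy.
        "hashes": {p.name: sha256(p) for p in (dcu, bak) if p},
    }


def demo():
    """Build two constructed Delphi-like trees (dummy bytes) and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp, "clean"), Path(tmp, "hit")
        for root in (clean, hit):
            (root / "Lib").mkdir(parents=True)
            (root / "Lib" / "SysConst.dcu").write_bytes(b"constructed clean unit")
        (hit / "Lib" / "sysconst.bak").write_bytes(b"constructed clean unit")
        (hit / "Lib" / "SysConst.dcu").write_bytes(b"constructed modified unit")
        return check_delphi_lib(clean), check_delphi_lib(hit)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real machine, pass each Delphi installation folder to `check_delphi_lib()`; the function only reports and changes nothing on disk.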

Hello,
hmmm Win32:Induc still living. Some older info: http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/

Milos