Users and software developers have been warned of the ‘Win32.Induc’ virus that targets development environments in order to infiltrate applications at the point they are written and compiled.
Sunbelt Software claimed that the virus was written to infect applications built with the popular Windows-based development environment Delphi and has been in circulation for some time.
When a Win32.Induc-infected application is run on a PC, the virus searches for a Delphi installation and attaches itself to it. Any software compiled by the infected Delphi will then also carry a copy of Win32.Induc, allowing the virus to spread in the application executable.
Although no payload is deployed and no destructive act carried out on data or applications, the replication and infection will cause disruption as functional applications and files are quarantined by anti-virus software as infected, pending disinfection.
Michael St. Neitzel, VP of threat research and technologies at Sunbelt Software, said: “This is a real challenge for anti-virus vendors and those on the receiving end. When AV scanners start identifying applications as ‘infected’ with Win32.Induc it's an open question whether or not the scanners can clean them.
“If they can't, the original developers are going to be required to get the infection out of their Delphi compilers, recompile the applications and get the clean code back to their customers. Given there could be different versions of the infected applications in circulation, this is going to be a real nightmare for some companies to deal with.”
Symantec's John McDonald claimed that any file that is subsequently compiled with Delphi will have the viral code included in it.
McDonald said: “It is difficult to say exactly how long this virus has been in the wild, but indications are that it is not exactly new. No doubt it would have been picked up much sooner if it actually did anything other than simply spread itself.
“Still, it is a concern that an entire development environment has been used in this fashion to accommodate the spread of malicious code. I have a feeling the anti-virus industry may be about to witness a flood of ‘false positive’ claims which actually turn out to be Delphi files infected with this.”
Graham Cluley, senior technology consultant at Sophos, claimed that the company had received over 3,000 unique samples of programs infected by W32/Induc-A from the wild. The company believes that the malware has been active for some time, and that a number of software houses specialising in developing applications with Delphi must have been infected.
Cluley said: “In addition, and quite ironically, we have seen a number of banking Trojan horses (that are often written in Delphi) infected by Induc-A. Could it be that the malware has also hit other malware authors?
“Delphi is frequently used to create bespoke software, either by small software houses or by internal teams. If you believe that you may be using software written in Delphi you would be very wise to ensure that your anti-virus software is updated. Actually, regardless of whether you use Delphi-written apps, that's a good idea.
“And if you do find a W32/Induc-A infection in one of your programs, speak to its developers immediately - as it's quite possible they have also been passing an infection on to other customers.”
Randy Abrams, director of technical education at ESET, claimed that it is ‘pretty rare now to be able to talk about a widespread virus that probably won't cause you any harm’. “Nowadays we see lots of malicious software that is designed to steal money and information,” said Abrams.
“For the average user the virus is essentially harmless. The problem is that some software development companies use Delphi, got infected, and when we added detection for Win32/Induc.A their programs were detected. Ironically, some other malicious software that was previously undetected by anti-virus vendors will now be detected because it is infected with Induc.A!”