Kaspersky Lab has detected Virus.Win32.Induc.a, a piece of malware that spreads via CodeGear Delphi, an integrated software development environment.
According to the company, the virus exploits the two-stage process by which the Delphi environment builds executables: source code is first compiled to intermediate .dcu (Delphi compiled unit) files, which are then linked to produce Windows executables.
When an infected application is run, the virus executes and checks whether version 4.0, 5.0, 6.0 or 7.0 of the Delphi development environment is installed on the machine. “If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu,” says Kaspersky.
The company adds that every Delphi project includes the line “uses SysConst”; in other words, infecting this single system module infects every application under development on that machine, because the tampered unit is linked into each build.
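The practical lesson for anyone running a build machine is that the compiler's own precompiled library is part of the trusted computing base and needs the same integrity monitoring as the source tree. The script below is an added example, not code from the article or from Kaspersky: it records SHA-256 hashes of the .dcu files in a Delphi Lib directory taken from a known-clean installation, then reports any unit that has since been modified, removed or added. The directory layout, unit names and file contents are constructed placeholders, and the assumption is that the baseline manifest is stored somewhere the build machine itself cannot rewrite.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative paths of the compiled units in the toy "Lib" directory. SysConst.dcu
# is the unit the article says the virus replaces; the others are ordinary
# units included for contrast. (Constructed sample, not a real installation.)
TRACKED_UNITS = ("SysConst.dcu", "SysUtils.dcu", "Classes.dcu")


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(lib_dir: Path) -> dict:
    """Hash every .dcu under lib_dir.

    Run this once on a clean installation and keep the result off the build
    machine (assumption: an out-of-band copy of the baseline exists)."""
    return {
        p.relative_to(lib_dir).as_posix(): sha256_file(p)
        for p in sorted(lib_dir.rglob("*.dcu"))
    }


def check_manifest(lib_dir: Path, baseline: dict) -> list:
    """Compare the current Lib directory against the baseline manifest.

    Returns sorted (kind, unit) pairs where kind is 'modified', 'missing' or
    'added'. A modified SysConst.dcu is the specific signature the article
    describes; added or missing units are also worth investigating."""
    current = build_manifest(lib_dir)
    findings = []
    for unit, digest in baseline.items():
        if unit not in current:
            findings.append(("missing", unit))
        elif current[unit] != digest:
            findings.append(("modified", unit))
    for unit in current:
        if unit not in baseline:
            findings.append(("added", unit))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: baseline a toy Lib directory, confirm a clean
    check is silent, then overwrite SysConst.dcu with different bytes. The
    new bytes merely stand in for a recompiled unit; they are placeholder
    content, not real .dcu data and not anything the virus writes."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        lib.mkdir()
        for unit in TRACKED_UNITS:
            (lib / unit).write_bytes(b"clean:" + unit.encode())
        baseline = build_manifest(lib)

        # Nothing has changed yet, so the check must report nothing.
        if check_manifest(lib, baseline):
            raise RuntimeError("clean directory should not produce findings")

        # Tamper with the one unit that every project links in.
        (lib / "SysConst.dcu").write_bytes(b"recompiled:SysConst.dcu")
        return check_manifest(lib, baseline)


if __name__ == "__main__":
    for kind, unit in demo():
        print(f"{kind}: {unit}")
```

In a real deployment the manifest would be generated on a freshly installed, network-isolated Delphi image and the check run before each release build; a hit on SysConst.dcu means every binary produced since the last clean check has to be treated as suspect, which is exactly the blast radius the article describes.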
Hidden danger
Kaspersky Lab says the virus is not currently a threat: apart from the infection routine itself it carries no payload, and it was most likely written to demonstrate and test a new infection technique.
“The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu files by developers has already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cyber criminals to make it more destructive.”
Costin Raiu, chief security expert, Kaspersky Lab EEMEA Global Research and Analysis Team, adds: “I think this was a very interesting case, a ghost from the past. A very little virus, which infects files (as opposed to being a standalone Trojan which you get from the Internet) and without a visible payload, this is similar to what we were seeing 10 years ago.”
He says although it is possible that cyber criminals will try to replicate these features, the more a piece of malware does, the more likely it is to be detected. “Currently, cyber crooks focus mainly on monetising malware writing efforts, therefore it is not profitable to write viruses that are small and do nothing.”
However, he adds it should be noted that attacks nowadays are multi-stage; in other words, a piece of malware brings another one, which brings another one and so forth. So, such a little virus might be used as an entry point into the system, a backdoor to upload malware later.