[Owasp-cincinnati] Fwd: A Thompson hack virus is found in the wild

James Walden james.walden at gmail.com
Fri Aug 21 22:56:19 EDT 2009

A Thompson hack virus has been found in the wild and it's apparently
infected some malware authors' compilers.  It's interesting to see but also
a bit scary.  We're going to have to look more and more at object code, not
just source code for security in the future.

BitDefender Finds Win32.Induc.A Puts Delphi Compilers at Risk and
Compromises Legitimate Applications

The virus, called Win32.Induc.A, spreads by infecting systems that have the
Delphi compiler (versions up to 7.0) installed.

*BitDefender® <http://www.bitdefender.com/>* today announced the discovery
of a threat that directly affects many applications, including TabBrowser
v1.0, GreenOpen, WebMoney Keeper Classic v3.7.0.0, Tidy Favorites v4.1 and
any TV Free v2.41. The applications were being distributed with the virus
code already embedded, due to an unusual trick employed by the malware
author or authors.

The virus, called *Win32.Induc.A*, spreads by infecting systems that have
the Delphi compiler (versions up to 7.0) installed. Any programs which are
subsequently compiled using the compromised compiler contain the virus code.
Although no payload is dropped or malicious action taken other than
self-reproduction, the spreading of this virus to installer packages proves
that this extremely unusual infection vector is, in fact, valid and relevant
today, raising concerns that it will eventually be used to nefarious

When executed, the virus searches for valid Delphi compiler versions and, if
found, creates a SysConst.pas file inside the compilers \Lib folder. It
writes its code inside it, then renames the SysConst.dcu into SysConst.bak.
The .pas file will be compiled then deleted. The resulting SysConst.dcu is
used by the compiler in every compilation act, which automatically creates
infected executables by including the malicious code from inside the

An interesting aspect about the epidemic is that not only legitimate
applications have been infected, BitDefender antivirus researchers found
that several members of the Trojan.Banker malware “family” have been
compromised by Win32.Induc.A.

Detected by BitDefender as *Trojan.Downloader.JMGZ*,
* – ABWC, Trojan.Spy.Banker.ABWK – ABWQ and so on, these trojans target
local banks, namely Caixa – Spain’s biggest savings bank and Bradesco – a
notable bank in Brazil.

Delphi developers are advised to check if their compilers' \Lib folder
contains a SysConst.bak file (the most obvious sign of infection) and to
rename it to SysConst.dcu if it exists, overwriting the compromised file,
then recompile their applications.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-cincinnati/attachments/20090821/4ca577d2/attachment.html 

More information about the Owasp-cincinnati mailing list