I’ve been trialing Tidy Favorites, a visual bookmark application, for the last week or two. Things were going well until this morning, when I had a pop-up from my Trend Micro Anti Virus warning me about Troj_Induc.A being found in my Tidy Favorites executable file. Odd, but no worries: I’ve had false positives before, and a quick check of the Tidy Favorites FAQs showed that, yes, they mention that some aspects of Tidy Favorites can be detected as false positives and to let it go.
For some reason I was unassured by this, so I did a quick search on Troj_Induc.A malware and there was this story from CNET linking to a blog article from SophosLabs written yesterday. Apparently the W32/Induc-A virus is something new in the wild. It looks for the Delphi programming environment on an infected PC and, if it finds it, inserts copies of itself into every new Delphi file compiled on that machine. The upshot is that developers working with Delphi on infected machines can be creating legitimate software with malware hitchhikers. Now that’s a clever virus. So far the virus seems benign; it doesn’t seem to do anything except replicate.
According to CNET, W32/Induc-A has so far been detected in Tidy Favorites v4.1 as well as AnyTV Free v2.41, which, according to its download site, is certified virus free. Tidy Favorites has since been patched, but Any TV is still offering the infected Any TV Free v2.41 download. Be careful, people; I fear we haven’t heard the last of this little pest.
When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system.
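The SysConst.bak backup described above is something a developer can look for on a build machine. The following is an added example, not code from this post or from SophosLabs: it walks a directory tree and reports every folder where SysConst.dcu sits next to a SysConst.bak, which is a triage signal rather than a verdict. The function names, the directory layout and the sample files are constructed for illustration; point `scan_delphi_tree` at wherever Delphi is installed.

```python
import os
import tempfile
from pathlib import Path

# File names come from the description above; compared in lower case because
# Windows file systems are case-insensitive.
DCU, BAK, PAS = "sysconst.dcu", "sysconst.bak", "sysconst.pas"

def scan_delphi_tree(root):
    """Return one finding per directory that holds SysConst.dcu with SysConst.bak beside it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_name = {f.lower(): Path(dirpath) / f for f in files}
        if DCU not in by_name or BAK not in by_name:
            continue  # no saved "old copy" here, nothing to report
        dcu, bak = by_name[DCU], by_name[BAK]
        findings.append({
            "directory": dirpath,
            "dcu": str(dcu),
            "backup": str(bak),
            # The .bak is the saved original, so a recompiled .dcu should be newer.
            "dcu_newer_than_backup": dcu.stat().st_mtime > bak.stat().st_mtime,
            # Recorded for the analyst; where the .pas is written is not stated above.
            "pas_alongside": PAS in by_name,
        })
    return findings

def build_sample_tree(base):
    """Constructed sample: two fake library folders, one clean, one with the backup file."""
    clean = Path(base) / "DelphiA" / "Lib"
    tampered = Path(base) / "DelphiB" / "Lib"
    for d in (clean, tampered):
        d.mkdir(parents=True)
        (d / "SysConst.dcu").write_bytes(b"placeholder")
    bak = tampered / "SysConst.bak"
    bak.write_bytes(b"placeholder-old")
    os.utime(bak, (1_000_000_000, 1_000_000_000))                        # older backup
    os.utime(tampered / "SysConst.dcu", (1_250_000_000, 1_250_000_000))  # newer .dcu
    return clean, tampered

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan_delphi_tree(tmp):
            print(finding)
```

A hit means the folder deserves a closer look, for example by comparing SysConst.dcu against a copy from trusted installation media before anything else is compiled on that machine.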