Turkey (Induc)

The "turkey" is a virus that infects SysConst.pas, a Delphi constants file, by injecting its code there. Earlier the turkey went by the name "Indcu".

This article is based on Delphi 7. I cannot guarantee that it applies to other versions.

Back in 2000, one dude wrote a simple program that antivirus products did not detect.

Now almost all antivirus products “know the enemy by sight”, so to speak.

How does Induc work?

It checks whether Delphi is installed on the computer through the registry key HKLM\Software\Borland\Delphi\.
It edits the SysConst.pas file.
It compiles the file.
It clears the SysConst.pas file or adds some nonsense to it, such as: “Carpathian Forest CF1.3 BondedByBlood”.

Why is it dangerous?

It is dangerous only because it disables programs created with Delphi. Among them were QIP 2005, the AIMP player, and even a keeper from WebMoney. On top of that, some half-baked viruses written by various wannabe hackers were caught in the same net.

Although Delphi 7 is already quite old, it still has its own audience, which stubbornly refuses to switch to the newer releases, now from Embarcadero.

There are a couple of unused procedures in the Induc source code:
Check, which checks whether today's date is October 13, 2010 or later (what a pity that this is not a Friday; it would have been epic).

Its code looks like this:

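procedure Check;
begin
  // w is a SYSTEMTIME-style record (wYear, wMonth, wDay) with today's date;
  // the page does not show where it is declared or filled.
  if w.wYear > 2010 then Analyze;
  if w.wYear = 2010 then
    if w.wMonth > 10 then Analyze;
  if w.wYear = 2010 then
    if w.wMonth = 10 then
      if w.wDay >= 13 then Analyze;
end;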

If any of these ifs fires, the Check procedure starts another procedure called Analyze, which in turn deletes many files the system needs in order to work, such as explorer.exe, logoff.exe, hal.dll (which, by the way, is often the reason a computer fails to start even without the turkey) and some others. After that, the following line is written over and over into all other files (even files on flash drives), trashing everything:
Carpathian Forest CF1.3 BondedByBlood
As a result, a dialog box pops up with a rather resounding title:
“TODAY IS A NICE DAY TO DIE.” and the by now tiresome text: “Carpathian Forest CF1.3 BondedByBlood”.

More source code can be found here.

How do you run an "HIV test" to find out whether your Delphi is infected with the turkey?

Open the Source\Rtl\Sys folder in the installed Delphi. If you did not change the path during installation, then it (Delphi) should live in Program Files: C:\Program Files\Borland\Delphi7\
Find the SysConst.pas file in this folder and nervously check the file size. It should be approximately 8 kb. If it is larger or smaller, the file has already been tampered with.

How to protect yourself?

You can set the Read-Only attribute on the files:

SysConst.pas from the Sys folder (PATHDELPHI\Source\Rtl\Sys)
SysConst.dcu from the Lib folder (PATHDELPHI\Lib)
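
The size check and the Read-Only check described above can be automated. The following is an added example, not code from the original article: it goes one step further and also searches SysConst.pas for the marker string quoted earlier. The 1 KB tolerance around 8 KB, the function names and the sample directory tree are assumptions made for the demo.

```python
import stat
import tempfile
from pathlib import Path

MARKER = b"Carpathian Forest CF1.3 BondedByBlood"  # string quoted in the article
EXPECTED_SIZE = 8 * 1024  # "approximately 8 kb" per the article
TOLERANCE = 1024          # assumption: allowed deviation from 8 KB

def is_read_only(path):
    # The Windows Read-Only attribute appears as a cleared owner-write bit.
    return not (path.stat().st_mode & stat.S_IWRITE)

def check_install(delphi_root):
    """Return a list of findings; an empty list means nothing suspicious."""
    root = Path(delphi_root)
    pas = root / "Source" / "Rtl" / "Sys" / "SysConst.pas"
    dcu = root / "Lib" / "SysConst.dcu"
    findings = []
    if not pas.is_file():
        findings.append("SysConst.pas: missing")
    else:
        data = pas.read_bytes()
        if abs(len(data) - EXPECTED_SIZE) > TOLERANCE:
            findings.append(f"SysConst.pas: size {len(data)} is not ~8 KB")
        if MARKER in data:
            findings.append("SysConst.pas: marker string present")
    for f in (pas, dcu):
        if f.is_file() and not is_read_only(f):
            findings.append(f"{f.name}: Read-Only not set")
    return findings

def make_sample_install(root, pas_bytes, read_only):
    """Build a constructed directory tree for the demo (not a real Delphi)."""
    pas = root / "Source" / "Rtl" / "Sys" / "SysConst.pas"
    dcu = root / "Lib" / "SysConst.dcu"
    for f, content in ((pas, pas_bytes), (dcu, b"constructed dcu")):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)
        f.chmod(stat.S_IREAD if read_only else stat.S_IREAD | stat.S_IWRITE)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean = make_sample_install(Path(tmp) / "clean", b"x" * 8192, True)
        dirty = make_sample_install(Path(tmp) / "dirty", MARKER, False)
        print("clean:", check_install(clean))
        print("dirty:", check_install(dirty))
```

On a real machine, pass the Delphi installation folder (for example the default path mentioned above) to check_install.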

How to cure it?

Replace SysConst.pas in the same Sys folder (PATHDELPHI\Source\Rtl\Sys) with the one from this archive.
Also replace the SysConst.dcu file in the Lib folder (PATHDELPHI\Lib).

Well, that’s it. Also, to avoid reinfection, I strongly recommend not running your old compiled .exe files; instead, simply open the source code again and recompile.

Good luck driving out the virus, and safe connections!