Author Topic: Event Log Explorer FP  (Read 21114 times)

YoKenny

  • Guest
Re: Event Log Explorer FP
« Reply #15 on: August 19, 2009, 01:03:29 PM »
@Milos

I have notified the author in the forum but no answer yet.

My Windows 7 system detected the infection this morning and removed Event Log Explorer.

grog4444

  • Guest
Re: Event Log Explorer FP
« Reply #16 on: August 19, 2009, 07:43:47 PM »
Avast is detecting the Win32:Induc for the Hide Folders program I'm using.
It's detecting it from the program I had installed, my zip backup for the program
that is a month old and the newest version when I try to download it from
FSPro Labs again.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Event Log Explorer FP
« Reply #17 on: August 19, 2009, 07:55:11 PM »
Hi YoKenny,

I also had an infected recently updated version of Event Log Explorer because of Win32:Induc
Path: C:\Program Files\Event Log Explorer\elex.exe\[ASProtect]
I hope the developers of this Borland Delphi product will soon come up with an update of a clean version of the program. By the way, is there an alternative to this Delphi program that is not affected?
What affected tools are also reported. Some developers already updated their software.
If this is going to be a new trend this will be a major derailment and users won't like this.
There are certainly those that do not carry a good heart towards computers and the Internet as those B.M. moguls have been saying repeatedly that the Internet should not have been there in the first place,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kalaybg

  • Guest
Re: Event Log Explorer FP
« Reply #18 on: August 19, 2009, 08:56:35 PM »
Milos, thank you. I downloaded a new version and there was no problem installing it.

YoKenny

  • Guest
Re: Event Log Explorer FP
« Reply #19 on: August 19, 2009, 10:11:31 PM »
@polonus
I guess Glary Utilities uses the same infected compiler ???
http://forum.avast.com/index.php?topic=47764.msg402914#msg402914

spg SCOTT

  • Guest
Re: Event Log Explorer FP
« Reply #20 on: August 19, 2009, 10:15:27 PM »
« Last Edit: August 19, 2009, 11:12:20 PM by spg SCOTT »

spg SCOTT

  • Guest
Re: Event Log Explorer FP
« Reply #21 on: August 21, 2009, 02:56:38 PM »
YoKenny,

Regarding Event log explorer,

I noticed you haven't got a response yet from the devs...

I don't use it but out of curiosity, I tried downloading it again, and got the following error:


So it has filtered through...

However, I downloaded it and scanned the .zip (context menu) and it was clean. I am not sure if they cleaned it or not but the web shield did alert to this download before...as you know...

Maybe someone from ALWIL could take a look?

There is no alert on the download anymore but no release changes so I am not too sure...

-Scott-

YoKenny

  • Guest
Re: Event Log Explorer FP
« Reply #22 on: August 21, 2009, 03:01:52 PM »
No alert by avast! but MSE refuses to let it install and no response from FSPro development but another person has reported the problem:
http://www.fspro.net/forum/viewtopic.php?t=1094

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Event Log Explorer FP
« Reply #23 on: August 21, 2009, 04:23:00 PM »
Hi,
regarding Event log explorer:
Version 3.1 (build 3.1.3.615), which is available on hxxp://www.eventlogxp.com/download/elex.zip and some other download servers, is clean, but version 3.1 (build 3.1.2.595) RC1, which can be found on http://www.softpedia.com/progDownload/Event-Log-Explorer-Download-23718.html (link "External Mirror 1 - Beta" leads to hxxp://www.eventlogxp.com/download/elex31beta.zip), is infected (virustotal (whole setup package elex_setup.exe), virustotal (installed file elex.exe), you can check md5, sha1 or sha256 checksums).
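An added example, not part of the original post or of any vendor's tooling: the reply above distinguishes the whole setup package from the installed file and points to md5, sha1 and sha256 checksums, so this sketch hashes a downloaded zip and every file packed inside it and reports any digest found on a list of flagged digests. The function names, the stand-in file bytes and the size limit are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

ALGOS = ("md5", "sha1", "sha256")
MAX_MEMBER = 256 * 1024 * 1024  # assumption: skip packed files above 256 MiB

def digests(data: bytes) -> dict:
    """Return the md5, sha1 and sha256 hex digests of a byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}

def triage_download(blob: bytes, name: str, flagged: set) -> list:
    """Hash a download and, if it is a zip, each file packed inside it.

    Returns (path, algorithm, digest) for every digest present in `flagged`.
    """
    items = [(name, blob)]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_MEMBER:
                    items.append((f"{name}!{info.filename}", zf.read(info)))
    return [(path, algo, value)
            for path, data in items
            for algo, value in digests(data).items()
            if value.lower() in flagged]

def make_zip(members: dict, comment: bytes = b"") -> bytes:
    """Build an in-memory zip (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.comment = comment
        for fname, data in members.items():
            zf.writestr(fname, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real sample of any build.
    setup = b"constructed stand-in for a flagged elex_setup.exe"
    flagged = {digests(setup)["sha256"]}
    original = make_zip({"elex_setup.exe": setup})
    repacked = make_zip({"elex_setup.exe": setup}, comment=b"mirror repack")
    # The outer archives hash differently; the packed installer does not.
    print(digests(original)["sha256"] == digests(repacked)["sha256"])
    for hit in triage_download(repacked, "elex31beta.zip", flagged):
        print(hit)
```

A match on a packed file's digest survives repacking by a mirror, while a match on the archive digest alone does not.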

spg SCOTT

  • Guest
Re: Event Log Explorer FP
« Reply #24 on: August 21, 2009, 04:35:59 PM »
Hi Milos,

Thanks for the update :)

I also found this page, while looking:
http://www.fspro.net/win32induc.html

I'm glad that there are at least some that are admitting it...

-Scott-

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Event Log Explorer FP
« Reply #25 on: August 22, 2009, 08:01:06 PM »
Hi malware fighters,

Solved the problem with Event Log Explorer and after a fresh download it just works normally again without a trace of Win32:Induc.
It seemed the Borland Delphi in-crowd knew about the existence of this file infector somewhat longer; a certain "douche" there launched the POC online and so it was found in the wild. MS then flagged it and other av vendors followed suit,

polonus

YoKenny

  • Guest
Re: Event Log Explorer FP
« Reply #26 on: August 22, 2009, 10:07:01 PM »
Seems like some "Krusty" character works at Microsoft because it still won't download for me.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Event Log Explorer FP
« Reply #27 on: August 22, 2009, 10:47:12 PM »
Hi YoKenny,

I had to download a specific beta version of the program that was not flagged for the Borland Delphi file infector... Event Log Explorer 1.4 (Build 1.4.1.263) Beta
Proof: http://www.virustotal.com/nl/analisis/76c56a57dc24a3a288f92dbd7f57ef422ce2af51d3ced36d3c67f07d80110809-1250975079

All the others I tried had the Win32 Induc virus, which inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable.
It has been around for months now, the POC was known in inner Borland Delphi developer circles, and some "douche" there put it online, so it was flagged after thus being found "in the wild" by MS, and later Sophos, McAfee and other av followed suit. Funny thing that even some miscreant's trojans in Delphi were affected.
The file infector did not have any payload at the time, but the working mechanism and the way that it can be successful as a file infector to "infect" executables makes it too dangerous to ignore. File infectors are "old school virus" re-created, as demonstrated by this one that is developer software related, and high risk file infectors like Virut etc.,

polonus
« Last Edit: August 22, 2009, 10:56:01 PM by polonus »

YoKenny

  • Guest
Re: Event Log Explorer FP
« Reply #28 on: August 22, 2009, 10:56:32 PM »
Where did you get Event Log Explorer 1.4 (Build 1.4.1.263) Beta ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
« Last Edit: August 23, 2009, 12:41:15 AM by polonus »