Avast WEBforum

Other => Viruses and worms => Topic started by: YoKenny on August 19, 2009, 01:43:33 AM

Title: Event Log Explorer FP
Post by: YoKenny on August 19, 2009, 01:43:33 AM
I have used Event Log Explorer for ages on XP and now avast! detects it
Code:
8/18/2009 7:13:01 PM SYSTEM 1704 Sign of "Win32:Induc" has been found in "http://www.eventlogxp.com/download/elex.zip\elex_setup.exe\{app}\elex.exe\[ASProtect]" file.
What is really weird is that Microsoft Security Essentials (MSE) is detecting it also:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fInduc.A&threatid=2147627628

I reported it on their forum:
http://www.fspro.net/forum/viewtopic.php?t=1094
Title: Re: Event Log Explorer FP
Post by: spg SCOTT on August 19, 2009, 01:46:18 AM
I presume you sent it to ALWIL? ;)
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 19, 2009, 01:51:23 AM
I presume you sent it to ALWIL? ;)

My memory fails me so can you refresh it for me.
 
When I visit the Event Log Explorer download site to get the zip file avast! warns me with a pop up but I don't see how to send it to ALWIL.
Title: Re: Event Log Explorer FP
Post by: spg SCOTT on August 19, 2009, 01:58:16 AM
You can click on the report as false positive at the bottom right of the alert.

Title: Re: Event Log Explorer FP
Post by: DavidR on August 19, 2009, 02:40:37 AM
You would need to pause the web shield to be able to download it and take no action if the standard shield alerts, it shouldn't on the zip file but would when you try to extract it.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If you can pause the standard and copy the file to that location, enable the standard shield again.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first.

####
Send the sample to virus@avast.com zipped and password protected with the password in the email body, a link to this topic might help and "possible false positive" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 19, 2009, 06:56:42 AM
Detected by:
Avast 4.8.1335.0 2009.08.18 Win32:Induc
GData 19 2009.08.19 Win32:Induc
Microsoft 1.4903 2009.08.18 Virus:Win32/Induc.A

http://www.virustotal.com/analisis/70eaf33d574f0fa749ff28ab089402035be789913f20917be23aefbb8e522245-1250657939

I sent the file from the Chest I think.
Title: Re: Event Log Explorer FP
Post by: Milos on August 19, 2009, 09:21:21 AM
Hi,
Win32:Induc was added yesterday (VPS 090818-0) and it is found in files compiled with Delphi (it infects systems with installed Delphi), so everything compiled with an infected Delphi is infected too. So the files are infected before they are signed, so they have a valid signature.

Milos
Title: Re: Event Log Explorer FP
Post by: kalaybg on August 19, 2009, 09:31:19 AM
Hi,
Win32:Induc was added yesterday (VPS 090818-0) and it is found in files compiled with Delphi (it infects systems with installed Delphi), so everything compiled with an infected Delphi is infected too. So the files are infected before they are signed, so they have a valid signature.

Milos
How do we delete it?? I woke up this morning and thought what a beautiful day! BUT NO! AIMP2 doesn't work, Kmplayer doesn't work. Fear to run Skype because it may not work too. I deleted the infected files and then uninstalled the programs. I ran avast to scan and it found something in the registers, I deleted it. Then reinstalled AIMP2 and it found Win32:Induc.a again :( . I am running a full online Kaspersky scan.
I sent the inflicted .dll as a false alert, dunno why.
So this virus does nothing but just multiply and infect Delphi programs?
Title: Re: Event Log Explorer FP
Post by: nmb on August 19, 2009, 09:34:37 AM
@ kalaybg

no problems for me with aimp2 and avast.
Title: Re: Event Log Explorer FP
Post by: Milos on August 19, 2009, 09:59:47 AM
Hi,
Win32:Induc was added yesterday (VPS 090818-0) and it is found in files compiled with Delphi (it infects systems with installed Delphi), so everything compiled with an infected Delphi is infected too. So the files are infected before they are signed, so they have a valid signature.

Milos
How do we delete it?? I woke up this morning and thought what a beautiful day! BUT NO! AIMP2 doesn't work, Kmplayer doesn't work. Fear to run Skype because it may not work too. I deleted the infected files and then uninstalled the programs. I ran avast to scan and it found something in the registers, I deleted it. Then reinstalled AIMP2 and it found Win32:Induc.a again :( . I am running a full online Kaspersky scan.
I sent the inflicted .dll as a false alert, dunno why.
So this virus does nothing but just multiply and infect Delphi programs?

Hi,
it infects the installed Delphi, so only newly compiled programs are infected, it doesn't infect other existing .exe files (including .exe files compiled with Delphi).
I hope that my explanation is clearer now.

Milos
Title: Re: Event Log Explorer FP
Post by: kalaybg on August 19, 2009, 10:07:48 AM
No Milosh, how do I get rid of it forever and ever.

Screenshot: http://img134.imageshack.us/img134/336/avast.jpg (http://img134.imageshack.us/i/avast.jpg/)


Look at the screenshot, I used delete (the second from left to right), so it deletes the AIMP2.dll. But then I need to reinstall AIMP2, and when I reinstall it, the same window pops up telling me that the .dll is infected. I read on Russian sites that the same thing happens to QIP.
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 19, 2009, 10:19:41 AM
Hi,
it infects the installed Delphi, so only newly compiled programs are infected, it doesn't infect other existing .exe files (including .exe files compiled with Delphi).
I hope that my explanation is clearer now.

Milos
I do not have the Delphi compiler.
Event Log Explorer has been running fine on my system for as long as I have had avast!, so the latest database update, file version 090818-0, is detecting an existing .exe file in elex.exe, which is the main executable of Event Log Explorer.

I am running a Microsoft Security Essentials Quick Scan right now after a database update and will post its results when finished.
Title: Re: Event Log Explorer FP
Post by: Milos on August 19, 2009, 11:18:32 AM
No Milosh, how do I get rid of it forever and ever.

Screenshot: http://img134.imageshack.us/img134/336/avast.jpg (http://img134.imageshack.us/i/avast.jpg/)


Look at the screenshot, I used delete (the second from left to right), so it deletes the AIMP2.dll. But then I need to reinstall AIMP2, and when I reinstall it, the same window pops up telling me that the .dll is infected. I read on Russian sites that the same thing happens to QIP.

Hi,
uninstall AIMP2 and download one which is not infected -- this means waiting until the author disinfects his Delphi and compiles AIMP2 again.

Milos
Title: Re: Event Log Explorer FP
Post by: jsejtko on August 19, 2009, 11:19:29 AM
Hello Guys,

This infection was discovered 2 days ago and all AV vendors added its detection to their virus databases because it is flagged as ITW (In The Wild). But this infection may be old - no one knows how old, but many software developers are infected and their software releases are infected too. Even if it is signed it is infected! They were submitting infected copies to signing companies.

The problem is that it is a new technique to infect - the executable infects source code (one Delphi library) - any program built with Delphi on an infected machine is infected too.

So you can get a clean installation only! after the software producer is clean and releases an absolutely new version. Or you may roll back to some old version which is not infected.

Regards
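To make concrete why "even if it is signed it is infected", here is a toy model added by the editor; it is not code from this thread, from Delphi, or from any product named here. A "toolchain" is a set of library units that get linked into every program built with it; code signing happens on the finished binary, so a program built from an altered toolchain signs and verifies perfectly well. The only thing that shows the difference is an independent rebuild with a known-clean toolchain compared by hash (the idea behind reproducible builds). The unit name `VendorLib.pas`, the toolchain contents, the signing key and the use of an HMAC as a stand-in for a code signature are all constructed assumptions for the demo.

```python
import hashlib
import hmac

# Constructed toy toolchains (assumption: not real Delphi units). The build function
# links every unit of the toolchain into every program it compiles.
CLEAN_TOOLCHAIN = {
    "VendorLib.pas": "unit VendorLib; // vendor library as shipped",
}
# Same toolchain, but the shared unit has been altered. Every program compiled with it
# inherits the alteration, which is the mechanism Milos and jsejtko describe above.
TAMPERED_TOOLCHAIN = {
    "VendorLib.pas": "unit VendorLib; // vendor library as shipped\n"
                     "// <altered unit: carried into every build>",
}


def build(source: str, toolchain: dict) -> bytes:
    """Toy 'compiler': output = program source + the library units it links (sorted)."""
    parts = [source] + [toolchain[name] for name in sorted(toolchain)]
    return "\n".join(parts).encode()


def sign(artifact: bytes, signing_key: bytes) -> str:
    """Stand-in for code signing: an HMAC over the finished binary (constructed, not Authenticode)."""
    return hmac.new(signing_key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str, signing_key: bytes) -> bool:
    """Signature check only proves the binary is unchanged since signing, nothing about how it was built."""
    return hmac.compare_digest(sign(artifact, signing_key), signature)


def reproducible_build_matches(source: str, artifact: bytes, reference_toolchain: dict) -> bool:
    """Rebuild from the same source with a known-clean toolchain and compare by hash."""
    rebuilt = build(source, reference_toolchain)
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(artifact).digest()


def demo() -> dict:
    """Vendor builds on the altered toolchain, then signs: the signature is valid, the rebuild is not."""
    key = b"constructed-vendor-signing-key"       # assumption: the vendor's private signing key
    source = "program Example; begin end."        # constructed program source
    artifact = build(source, TAMPERED_TOOLCHAIN)
    signature = sign(artifact, key)
    return {
        "signature_valid": verify_signature(artifact, signature, key),
        "matches_clean_rebuild": reproducible_build_matches(source, artifact, CLEAN_TOOLCHAIN),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the signature check and the rebuild check answer different questions: the first says the file is what the vendor signed, the second says the vendor's build environment produced the same bytes as a clean one. Only the second catches a build-time infection, which is why the thread's advice is to wait for a release from a cleaned environment rather than trust the signature.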
Title: Re: Event Log Explorer FP
Post by: Milos on August 19, 2009, 11:22:10 AM
Hi,
it infects the installed Delphi, so only newly compiled programs are infected, it doesn't infect other existing .exe files (including .exe files compiled with Delphi).
I hope that my explanation is clearer now.

Milos
I do not have the Delphi compiler.
Event Log Explorer has been running fine on my system for as long as I have had avast!, so the latest database update, file version 090818-0, is detecting an existing .exe file in elex.exe, which is the main executable of Event Log Explorer.

I am running a Microsoft Security Essentials Quick Scan right now after a database update and will post its results when finished.

Hi,
the author of Event Log Explorer uses an infected Delphi.

Milos
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 19, 2009, 01:03:29 PM
@Milos

I have notified the author in the forum but no answer yet.

My Windows 7 system detected the infection this morning and removed Event Log Explorer.
Title: Re: Event Log Explorer FP
Post by: grog4444 on August 19, 2009, 07:43:47 PM
Avast is detecting the Win32:Induc for the Hide Folders program I'm using. It's detecting it from the program I had installed, my zip backup for the program that is a month old and the newest version when I try to download it from FSPro Labs again.
Title: Re: Event Log Explorer FP
Post by: polonus on August 19, 2009, 07:55:11 PM
Hi YoKenny,

I also had an infected, recently updated version of Event Log Explorer because of Win32:Induc
Path: C:\Program Files\Event Log Explorer\elex.exe\[ASProtect]
I hope the developers of this Borland Delphi product will soon come up with an update of a clean version of the program. By the way, is there an alternative to this Delphi program that is not affected?
Other affected tools are also being reported. Some developers have already updated their software.
If this is going to be a new trend this will be a major derailment and users won't like this.
There are certainly those that do not carry a good heart towards computers and the Internet as those B.M. moguls have been saying repeatedly that the Internet should not have been there in the first place,

polonus
Title: Re: Event Log Explorer FP
Post by: kalaybg on August 19, 2009, 08:56:35 PM
Milos , thank you . I downloaded a new version and there was no problem installing it .
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 19, 2009, 10:11:31 PM
@polonus
I guess Glary Utilities uses the same infected compiler ???
http://forum.avast.com/index.php?topic=47764.msg402914#msg402914
Title: Re: Event Log Explorer FP
Post by: spg SCOTT on August 19, 2009, 10:15:27 PM
@YoKenny (and Tech ;)):

They seem to have already solved this:
avast! blog >> Win32:Induc, new concept of file infector? >> Comments (http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/#comment-953)

EDIT:Hmmm... http://forum.avast.com/index.php?topic=47792.0
Title: Re: Event Log Explorer FP
Post by: spg SCOTT on August 21, 2009, 02:56:38 PM
YoKenny,

Regarding Event log explorer,

I noticed you haven't got a response yet from the devs...

I don't use it but out of curiosity, I tried downloading it again, and got the following error:
Screenshot: http://sites.google.com/site/spg20scottsweb/home/images/unsafe-download/screenshot.21-08-2009%2013.47.05.png

So it has filtered through...

However, I downloaded it and scanned the .zip (context menu) and it was clean. I am not sure if they cleaned it or not but the web shield did alert to this download before...as you know...

Maybe someone from ALWIL could take a look?

There is no alert on the download anymore but no release changes so I am not too sure...

-Scott-
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 21, 2009, 03:01:52 PM
No alert by avast! but MSE refuses to let it install and no response from FSPro development but another person has reported the problem:
http://www.fspro.net/forum/viewtopic.php?t=1094
Title: Re: Event Log Explorer FP
Post by: Milos on August 21, 2009, 04:23:00 PM
Hi,
regarding Event log explorer:
version 3.1 (build 3.1.3.615), which is available on hxxp://www.eventlogxp.com/download/elex.zip and some other download servers, is clean, but version 3.1 (build 3.1.2.595) RC1, which can be found on http://www.softpedia.com/progDownload/Event-Log-Explorer-Download-23718.html (the link "External Mirror 1 - Beta" leads to hxxp://www.eventlogxp.com/download/elex31beta.zip), is infected (VirusTotal (whole setup package elex_setup.exe) (http://www.virustotal.com/analisis/2092d3eb8a04ef08a1fa5b816eff31136275f1da93272456669cf85d939214e0-1250863997), VirusTotal (installed file elex.exe) (http://www.virustotal.com/analisis/65e0c1ca7b4427a29a39276dd30d238c848a64dbacb6a13c42c09d615f0b80b8-1250864240), you can check the md5, sha1 or sha256 checksums).
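Milos's suggestion to compare the md5, sha1 or sha256 values is a check you can run offline before anything is installed. The script below is an added example by the editor, not code from the thread or from the vendor: it hashes every member inside a downloaded zip (the detection in this thread pointed inside `elex.zip`) and compares each digest with a list of published values, reporting mismatches, members missing from the archive and members the published list does not mention. The archive contents, member names and the checksum table are constructed for the demo; a real check would take the digests from the VirusTotal result pages or from the vendor.

```python
import hashlib
import io
import zipfile

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_members(zip_bytes: bytes) -> dict:
    """Return {member_name: {algorithm: hexdigest}} for every file inside the archive.

    Members are read into memory and never written to disk or executed.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            result[info.filename] = {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}
    return result


def verify_against_published(zip_bytes: bytes, expected: dict, algorithm: str = "sha256") -> list:
    """Compare each member's digest with its published value; return a list of problems (empty = all good)."""
    actual = digest_members(zip_bytes)
    problems = []
    for name, want in expected.items():
        got = actual.get(name)
        if got is None:
            problems.append(f"{name}: missing from archive")
        elif got[algorithm] != want.lower():
            problems.append(f"{name}: {algorithm} mismatch (got {got[algorithm]})")
    # An extra member that nobody published a checksum for deserves a look too.
    for name in actual:
        if name not in expected:
            problems.append(f"{name}: not listed in published checksums")
    return problems


def build_sample_zip() -> bytes:
    """Constructed stand-in for a downloaded installer archive (assumption: not the real elex.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("setup_placeholder.exe", b"abc")   # constructed content, standard hash test vector
        z.writestr("readme.txt", b"")                  # constructed empty file
    return buf.getvalue()


# Constructed "published" table: the sha256 digests of the sample members above.
PUBLISHED_SHA256 = {
    "setup_placeholder.exe": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "readme.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, digests in digest_members(sample).items():
        print(member, digests)
    print("problems:", verify_against_published(sample, PUBLISHED_SHA256))
```

A matching digest tells you that you hold the same build that was analysed, not that the build is clean, which is why the thread pairs the checksum with the VirusTotal verdict for that exact hash and still waits for a release compiled on a disinfected machine.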
Title: Re: Event Log Explorer FP
Post by: spg SCOTT on August 21, 2009, 04:35:59 PM
Hi Milos,

Thanks for the update :)

I also found this page, while looking:
http://www.fspro.net/win32induc.html

I'm glad that there are at least some that are admitting it...

-Scott-
Title: Re: Event Log Explorer FP
Post by: polonus on August 22, 2009, 08:01:06 PM
Hi malware fighters,

Solved the problem with Event Log Explorer and after a fresh download it just works normally again without a trace of Win32:Induc.
It seems the Borland Delphi in-crowd knew about the existence of this file infector somewhat longer, a certain "douche" there launched the POC online and so it was found in the wild. MS then flagged it and other av vendors followed suit,

polonus
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 22, 2009, 10:07:01 PM
Seems like some "Krusty" character works at Microsoft because it still won't download for me.

Title: Re: Event Log Explorer FP
Post by: polonus on August 22, 2009, 10:47:12 PM
Hi YoKenny,

I had to download a specific beta version of the program that was not flagged for the Borland Delphi file infector....Event Log Explorer 1.4 (Build 1.4.1.263) Beta
Proof: http://www.virustotal.com/nl/analisis/76c56a57dc24a3a288f92dbd7f57ef422ce2af51d3ced36d3c67f07d80110809-1250975079

All the others I tried had the Win32:Induc virus, which inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable.
It has been around for months now, the POC was known in inner Borland Delphi developer circles, and some "douche" there put it online, so it was flagged after thus being found "in the wild" by MS and later Sophos, McAfee and other av followed suit. Funny thing that even some malcreant's trojans in Delphi were affected.
The file infector did not have any payload at the time, but the working mechanism and the way that it can be successful as a file infector to "infect" executables make it too dangerous to ignore. File infectors are "old school virus" re-created, as demonstrated by this one that is developer software related, and high risk file infectors like Virut etc.,

polonus
Title: Re: Event Log Explorer FP
Post by: YoKenny on August 22, 2009, 10:56:32 PM
Where did you get Event Log Explorer 1.4 (Build 1.4.1.263) Beta ???
Title: Re: Event Log Explorer FP
Post by: polonus on August 22, 2009, 11:06:34 PM
Hi YoKenny,

It was quite some search. Here is the link: http://download.chip.eu/nl/download_nl_804527.html
Checking: http://download.chip.eu/js/prototype.js
File size: 69.59 KB
File MD5: ed2d6608b0832c5e990e10729157b485

http://download.chip.eu/js/prototype.js - Ok

pol

P.S. Link for some MS info on specific log events:
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnf_msg_wjlu.asp
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=event+id+576&View=en-us
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=event+id+528&View=en-us

Damian