Total Commander Forum - Public Discussion and Support

W32/Induc-A virus infects Delphi sysconst.dcu
JohnFredC
Power Member
Joined: 14 Mar 2003
Posts: 764
Location: Sarasota & Winter Springs Florida

Posted: Tue Aug 18, 2009 8:44 pm    Post subject: W32/Induc-A virus infects Delphi sysconst.dcu

I accidentally ran across this article today and just for the h*** of it scanned my Delphi 5 folder.

Lo and behold, there it was. Instant panic mode, but luckily none of my compiled executables had been infected yet, so nothing bad has left my shop.

Virus scanned all my volumes and found it in two products: 3DImageCommander and IconCommander.

Heads up everyone. A good reason to do a complete virus scan more frequently. My Delphi must have been infected before the virus hit the Avast! database.
_________________
Licensed, Mouse-Centric

ZeLen1y
Junior Member
Joined: 27 Jun 2009
Posts: 22

Posted: Tue Aug 18, 2009 10:58 pm

Plugins infected in my tc folder Rolling Eyes
· ICLRead 1.4.wcx
· ICLView 5.5.2009.wlx
_________________
p.s. sry for my english +_+

fenix_productions
Power Member
Joined: 07 Aug 2005
Posts: 1584
Location: Poland

Posted: Wed Aug 19, 2009 2:07 am

2ZeLen1y
I think it's a false alarm in your case. These plugins do not seem to be written in Delphi.

I've checked with a few tools and each one of them reports UPX, so this is rather the old "stupid antivirus software" case.
_________________
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...

#128099

ZeLen1y
Junior Member
Joined: 27 Jun 2009
Posts: 22

Posted: Wed Aug 19, 2009 3:55 am

2fenix_productions
You think that Nod, DrWeb, Kaspersky or Symantec are "stupid antivirus software" ? Shocked

Online check:
http://www.virustotal.com/ru/analisis/ee48a5f0ed7cdf7f094b1beb1645beddbf918c75ceb5d405d8731d5419c0812c-1250675747
http://www.virustotal.com/ru/analisis/5303dcbed96986117132e89bb53f684f3ce5e5958a37d3c715291dc6fb6f72fe-1250675830
_________________
p.s. sry for my english +_+

karlchen
Power Member
Joined: 06 Feb 2003
Posts: 2432
Location: Germany

Posted: Wed Aug 19, 2009 4:40 am

Hi, folks.

With respect to the download files wcx_ICLRead_1.4.1.zip and wlx_ICLView_5.5.2009.zip:
+ Kaspersky Online File Scan considers them both clean (today 12:30 METDST)
+ Our Symantec AV 10.1.5, definitions: 17.08.2009 considers them both clean.

Either of two assumptions will very likely be true:
  • Kaspersky and our Symantec AV are both wrong and the files are infected.
  • Kaspersky and Symantec are right, the files are clean. All those considering them infected have implemented their detection patterns for W32/Induc too carelessly.

Time will tell which of the two assumptions is right and which one is wrong.

Kind regards,
Karl

ghisler(Author)
Site Admin
Joined: 04 Feb 2003
Posts: 16108
Location: Switzerland

Posted: Wed Aug 19, 2009 4:52 am

Thanks for the warning, I will inform the developer of these plugins, and the webmaster of wincmd.ru.

Btw, Total Commander itself isn't in danger - it's written in Delphi 2, which isn't affected by the virus. I didn't have any infected plugins installed either, only older versions.
_________________
Author of Total Commander
http://www.ghisler.com

DrShark
Senior Member
Joined: 03 Nov 2006
Posts: 356
Location: Kyiv, Ukraine

Posted: Wed Aug 19, 2009 9:39 am

CopyToTabs and Tc_But_Exe TC addons and Mover.wcx are infected too. These files can be successfully treated by Kaspersky with the latest virus bases.
_________________
Vista Home Premium SP2 rus 32 bit
TC #149847 Personal licence
Back to top
View user's profile Send private message
karlchen
Power Member
Power Member


Joined: 06 Feb 2003
Posts: 2432
Location: Germany

PostPosted: Wed Aug 19, 2009 9:48 am    Post subject: Reply with quote

DrShark wrote:
CopyToTabs and Tc_But_Exe TC addons and Mover.wcx are infected too.

Tested and confirmed! Shocked

Karl

Boofo
Power Member
Joined: 10 Feb 2003
Posts: 1320
Location: Des Moines, IA (USA)

Posted: Wed Aug 19, 2009 10:03 am

2ZeLen1y
I run Symantec and have gotten no such errors.
_________________
chmod a+x /bin/laden -- Allows anyone the permission to execute /bin/laden

How do I un-overwrite all my data?

User of Total Commander
#60471 Single user license

Horst.Epp
Senior Member
Joined: 06 Feb 2003
Posts: 446
Location: Germany

Posted: Wed Aug 19, 2009 11:06 am

Boofo wrote:
2ZeLen1y
I run Symantec and have gotten no such errors.

Kaspersky is not alone.
Avira Antivir finds it and also Sophos.
So don't wait until your Symantec finds it too.

DrShark
Senior Member
Joined: 03 Nov 2006
Posts: 356
Location: Kyiv, Ukraine

Posted: Wed Aug 19, 2009 11:25 am

Uploaded files treated by Kaspersky:
http://www.multiupload.com/24CLO0IRS4
(mover.wcx from link above; CopyToTabs 4.2.6.5 and 5.0; TC_But_Exe)
http://www.multiupload.com/92ZK0UJY67
(CopyToTabs 5.5)
But it's still recommended to wait for official updates from plugin & addon authors.
_________________
Vista Home Premium SP2 rus 32 bit
TC #149847 Personal licence

fenix_productions
Power Member
Joined: 07 Aug 2005
Posts: 1584
Location: Poland

Posted: Wed Aug 19, 2009 1:09 pm

ZeLen1y wrote:
2fenix_productions
You think that Nod, DrWeb, Kaspersky or Symantec are "stupid antivirus software" ? Shocked

Yes. I consider each antivirus as stupid if it says that something is infected just because it is UPXed. I saw many threads on many boards about "infected" UPX. Even Wikipedia has some information about it.

It is also stupid the way I saw for a few applications (i.e. Kaspersky):
- something is considered as dangerous,
- notice authors about false alert to get updated database,
- few updates later reported entry is removed and the same executable is "bad" once again.

There are no other words to name it.
_________________
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...

#128099

karlchen
Power Member
Joined: 06 Feb 2003
Posts: 2432
Location: Germany

Posted: Wed Aug 19, 2009 2:46 pm

Enumerating the mistakes which AV producers have made and will make - there is no perfect AV product around - will not help prevent W32/Induc from spreading in the wild.

The point is that Delphi developers (Delphi v4 and higher) may be unknowingly distributing an infected Delphi unit inside everything they compile and link. (cf. Sophos on W32/Induc-A, Virus infects development environment)

No need to panic, but a good reason
+ to update the AV definition files and do a full system scan
+ to upload any download to Virustotal first in the near future
+ keep in mind that there is not the one-and-only AV product which will always be right


Kind regards,
Karl
--
<edit>
only changed some formatting details to emphasize the important details
</edit>


Last edited by karlchen on Thu Aug 20, 2009 2:53 am; edited 1 time in total

Boofo
Power Member
Joined: 10 Feb 2003
Posts: 1320
Location: Des Moines, IA (USA)

Posted: Wed Aug 19, 2009 4:26 pm

DrShark wrote:
Uploaded files treated by Kaspersky:
http://www.multiupload.com/24CLO0IRS4
(mover.wcx from link above; CopyToTabs 4.2.6.5 and 5.0; TC_But_Exe)
http://www.multiupload.com/92ZK0UJY67
(CopyToTabs 5.5)
But it's still recommended to wait for official updates from plugin & addon authors.

I'm not getting either one of those links to load. All I get is a white page.
_________________
chmod a+x /bin/laden -- Allows anyone the permission to execute /bin/laden

How do I un-overwrite all my data?

User of Total Commander
#60471 Single user license

ouzoWTF
Junior Member
Joined: 20 Apr 2009
Posts: 84

Posted: Wed Aug 19, 2009 6:14 pm

DrShark wrote:
CopyToTabs and Tc_But_Exe TC addons and Mover.wcx are infected too.

Not confirmed with latest avira personal.
_________________
Single User Licence #201763

All times are GMT - 6 Hours
Page 1 of 3

Impressum: This site is maintained by Ghisler Software GmbH