W32/Induc-A virus infects Delphi sysconst.dcu
I accidently ran across this article today and just for the h*** of it scanned my Delphi 5 folder.
Lo and behold, there it was. Instant panic mode, but luckily none of my compiled executables had been infected yet, so nothing bad has left my shop.
Virus scanned all my volumes and found it in two products: 3DImageCommander and IconCommander.
Heads up everyone. A good reason to do a complete virus scan more frequently. My Delphi must have been infected before the virus hit the Avast! database.
Licensed, Mouse-Centric, moving (slowly) toward Touch-centric
- fenix_productions
2ZeLen1y
I think it's a false alarm in your case. These plugins do not seem to be written in Delphi.
I've checked with few tools and each one of them reports UPX so this is rather old "stupid antivirus software" case.
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...
#128099
2fenix_productions
You think that Nod, DrWeb, Kaspersky or Symantec are "stupid antivirus software" ?
Online check:
http://www.virustotal.com/ru/analisis/ee48a5f0ed7cdf7f094b1beb1645beddbf918c75ceb5d405d8731d5419c0812c-1250675747
http://www.virustotal.com/ru/analisis/5303dcbed96986117132e89bb53f684f3ce5e5958a37d3c715291dc6fb6f72fe-1250675830
Hi, folks.
With respect to the download files wcx_ICLRead_1.4.1.zip and wlx_ICLView_5.5.2009.zip:
+ Kaspersky Online File Scan considers them both clean (today 12:30 METDST)
+ Our Symantec AV 10.1.5, definitions: 17.08.2009 considers them both clean.
Either of two assumptions will very likely be true:
- Kaspersky and our Symantec AV are both wrong and the files are infected.
- Kaspersky and Symantec are right, the files are clean. All those considering them infected have implemented their detection patterns for W32/Induc too carelessly.
Kind regards,
Karl
- ghisler(Author)
Thanks for the warning, I will inform the developer of these plugins, and the webmaster of wincmd.ru.
Btw, Total Commander itself isn't in danger - it's written in Delphi 2, which isn't affected by the virus. I didn't have any infected plugins installed either, only older versions.
Author of Total Commander
https://www.ghisler.com
CopyToTabs and Tc_But_Exe TC addons and Mover.wcx are infected too. These files can be successfully treated by Kaspersky with latest virus bases.
Donate for Ukraine to help stop Russian invasion!
Ukraine's National Bank special bank account:
UA843000010000000047330992708
DrShark wrote:
CopyToTabs and Tc_But_Exe TC addons and Mover.wcx are infected too.
Tested and confirmed!
Karl
Uploaded files treated by Kaspersky:
http://www.multiupload.com/24CLO0IRS4
(mover.wcx from link above; CopyToTabs 4.2.6.5 and 5.0; TC_But_Exe)
http://www.multiupload.com/92ZK0UJY67
(CopyToTabs 5.5)
But it's still recommended to wait for official updates from plugin & addon authors.
- fenix_productions
ZeLen1y wrote:
2fenix_productions
You think that Nod, DrWeb, Kaspersky or Symantec are "stupid antivirus software" ?
Yes. I consider each antivirus as stupid if it says that something is infected just because it is UPXed. I saw many threads on many boards about "infected" UPX. Even Wikipedia has some information about it.
It is also stupid the way I saw for a few applications (i.e. Kaspersky):
- something is considered as dangerous,
- notify the authors about the false alert to get an updated database,
- a few updates later the reported entry is removed and the same executable is "bad" once again.
There are no other words to name it.
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...
#128099
Enumerating the mistakes which AV producers have made and will make - there is no perfect AV product around - will not help prevent W32/Induc from spreading in the wild.
The point is that Delphi developers (Delphi v4 and higher) may be unknowingly distributing an infected Delphi unit inside everything they compile and link. (cf. Sophos on W32/Induc-A, Virus infects development environment)
No need to panic, but a good reason
+ to update the AV definition files and do a full system scan
+ to upload any download to Virustotal first in the near future
+ keep in mind that there is not the one-and-only AV product which will always be right
Kind regards,
Karl
--
<edit>
only changed some formatting details to emphasize the important details
</edit>
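A defender-side way to catch what Karl describes above, an altered compiled RTL unit being linked into every build, is to keep a known-good hash manifest of the Delphi Lib directory and diff it before each build. This is an added example, not code from the thread or from Total Commander; the Lib path, the manifest file name and the choice of sysconst.dcu as the watched unit are assumptions.

```python
"""Baseline-and-compare check for a Delphi Lib directory (added example).
Assumes (not stated in the thread) that compiled units sit in one Lib
directory and that a JSON manifest of SHA-256 hashes was written while the
install was known-good. sysconst.dcu is the unit named in the thread."""
import hashlib
import json
import os

WATCHED = {"sysconst.dcu"}  # units whose change is an alert, not just drift

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(lib_dir):
    """Map lowercase unit name -> SHA-256 for every .dcu in lib_dir."""
    return {n.lower(): sha256_file(os.path.join(lib_dir, n))
            for n in os.listdir(lib_dir) if n.lower().endswith(".dcu")}

def compare(baseline, current):
    """Return sorted (modified, missing, added) unit-name lists."""
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return modified, missing, added

def verdict(modified, missing, added):
    """ALERT if a watched unit changed; WARN on any other drift; else OK."""
    if WATCHED & set(modified):
        return "ALERT"
    return "WARN" if (modified or missing or added) else "OK"

def check(lib_dir, manifest):
    """Write the manifest on the first run, otherwise compare against it."""
    current = snapshot(lib_dir)
    if not os.path.exists(manifest):
        with open(manifest, "w") as f:
            json.dump(current, f, indent=1)
        return "BASELINE", ([], [], [])
    with open(manifest) as f:
        baseline = json.load(f)
    diff = compare(baseline, current)
    return verdict(*diff), diff

if __name__ == "__main__":
    # Constructed sample: known-good manifest vs. a run where sysconst.dcu changed.
    good = {"sysconst.dcu": "a" * 64, "sysutils.dcu": "b" * 64}
    now = {"sysconst.dcu": "c" * 64, "sysutils.dcu": "b" * 64, "extra.dcu": "d" * 64}
    print(verdict(*compare(good, now)), compare(good, now))  # ALERT
```

Run `check(r"C:\path\to\Delphi\Lib", "lib-baseline.json")` once on a freshly installed, scanned machine to write the baseline, then again before each release build; an ALERT on sysconst.dcu is the moment to stop shipping and rescan, as the thread advises.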
- Boofo
DrShark wrote:
Uploaded files treated by Kaspersky:
http://www.multiupload.com/24CLO0IRS4
(mover.wcx from link above; CopyToTabs 4.2.6.5 and 5.0; TC_But_Exe)
http://www.multiupload.com/92ZK0UJY67
(CopyToTabs 5.5)
But it's still recommended to wait for official updates from plugin & addon authors.
I'm not getting either one of those links to load. All I get is a white page.
chmod a+x /bin/laden -- Allows anyone the permission to execute /bin/laden
How do I un-overwrite all my data?
User of Total Commander
#60471 Single user license
DrShark wrote:
CopyToTabs and Tc_But_Exe TC addons and Mover.wcx are infected too.
Not confirmed with the latest Avira Personal.
Single User Licence #201763