Virus

Posted: Thu Aug 20, 2009 12:50 pm
by rconn
I'm getting a burst of complaints about my protected dll being infected with a virus (Win32/Induc.A) after ESET updated their virus database yesterday. Only ESET and Nod32 (which apparently use the same database??) are complaining; McAfee, Norton, Rising Sun, and Fprot report everything as clean. But you should probably double-check things on your end.

ESET writes this in their blog:

---------------------

Nowadays we see lots of malicious software that is designed to steal money and information. A new virus was recently discovered that seems to be all about proving a concept rather than blatant maliciousness.

The Win32/Induc.A virus does not infect like most viruses do. Delphi is a programming language. Induc infected the Delphi IDE so that when the programmers compile their programs the programs are already infected.

As far as we are able to determine at this time, this virus went undetected since April 2009. Most of the samples of infected files we have seen are other trojans, mainly those that steal bank information. So, we detected the Trojan, but didn’t know that it was also infected.

For the average user the virus is essentially harmless. The problem is that some software development companies use Delphi, got infected, and when we added detection for Win32/Induc.A their programs were detected. Some of these companies accused ESET of having false positives when their programs were actually infected!

In reviewing our internal malware collections our researchers have found over 4,000 infected samples. Our Threatsense.Net network has identified over 30,000 unique infected samples in the first 24 hours after we added detection.

For a write up about this virus you can visit http://www.eset.eu/encyclopaedia/win32- ... rus?lng=en

Ironically, some other malicious software that was previously undetected by antivirus vendors will now be detected because it is infected with Induc.A!

It’s pretty rare now to be able to talk about a widespread virus that probably won’t cause you any harm.

Randy Abrams
Director of Technical Education

---------------------------

Let me know if you need any more info.

Rex Conn
JP Software

Re: Virus

Posted: Thu Aug 20, 2009 12:55 pm
by rconn
Some more info:

A check at VirusTotal shows that 6 scanners (BitDefender, Microsoft, NOD32, Panda and VirusBuster) detect my protected dll as containing Win32.Induc.A:

https://www.virustotal.com/analisis/81a ... 1250772168

Rex

Re: Virus

Posted: Thu Aug 20, 2009 1:04 pm
by Enigma
Hi Rex, yes, I knew about this stuff!
Enigma is clear; here are the latest results with the file protected with Enigma 1.76 Build 20090818.
Here is a protected notepad (only 5 false positives):
http://www.virustotal.com/ru/analisis/a ... 1250773912

Re: Virus

Posted: Thu Aug 20, 2009 1:06 pm
by Enigma
Try the latest version; if the false positive is still present, I will immediately contact the AV developers!

Re: Virus

Posted: Thu Aug 20, 2009 8:42 pm
by Dimitry Andric
rconn wrote: Only ESET and Nod32 (which apparently use the same database??)
Rex: just FYI, "ESET" is the (Slovakian) company, and "NOD32" is their antivirus product. They also have a combined anti-everything+firewall product, called "ESET Smart Security" aka ESS. The all-in-one product uses the same antivirus engine.

Mr. Enigma Author: it looks like some antivirus vendors are quite fast at creating new detections, but unfortunately they also make mistakes. :) For example, I have downloaded the demo version of Enigma Protector, and sent the file enigma32.exe to VirusTotal, to have it scanned by a bunch of antivirus programs:

https://www.virustotal.com/analisis/a8a ... 1250788035

As you can see, some of these scanners think it is infected with Win32.Induc.A, so you might want to contact their authors if they keep on misdetecting it.

Solution

Posted: Fri Aug 21, 2009 4:24 am
by prasid
Hello Rex,

The Win32/Induc.A virus has an interesting characteristic: If it finds Delphi 4-7 on a computer, it adds its code to any new projects created on the computer.

I am guessing that at some point your (Rex's) computer was infected by the virus, which is why you or your client are seeing a report from NOD32 when you try to build an .EXE file.
How to solve?
The main culprit is sysconst.dcu! Please replace sysconst.dcu with sysconst.bak.
It basically resides in C:\Program Files\Borland\Delphi7\Lib
W32/Induc-A searches computers for installations of Delphi, then attempts to modify SysConst.pas and hence infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.

Your problem is fully solved if you follow this process!!! :D

Re: Virus

Posted: Fri Aug 21, 2009 10:40 am
by Enigma
Thanks for replies guys!

Yes, sometimes antiviruses drive me crazy. This is often problems of each protector. False positives occur sometimes and seem there is no ideal decision to solve this.

Contact NOD32? I already did this; their support was not very glad to read my email, and was not very fast to reply. I got simple replies 2-3 days after I sent the email. But I will try again.

To my mind, in the last few days some antivirus companies have decided to detect EVERYTHING as a virus, and make exceptions only for really tested and trusted files. If you upload any simple executable file to VirusTotal, you will get amazing results: a few AVs will detect viruses! It is frustrating that not all antivirus companies have good research teams, but anyway, there are really good AVs!

Re: Solution

Posted: Sat Aug 22, 2009 1:33 am
by rconn
prasid wrote: Hello Rex,

The Win32/Induc.A virus has an interesting characteristic: If it finds Delphi 4-7 on a computer, it adds its code to any new projects created on the computer.

I am guessing that at some point your (Rex's) computer was infected by the virus, which is why you or your client are seeing a report from NOD32 when you try to build an .EXE file.
How to solve?
The main culprit is sysconst.dcu! Please replace sysconst.dcu with sysconst.bak.
It basically resides in C:\Program Files\Borland\Delphi7\Lib
W32/Induc-A searches computers for installations of Delphi, then attempts to modify SysConst.pas and hence infect SysConst.dcu. The original SysConst.dcu can be restored from the backup made by the virus in SysConst.bak.

Your problem is fully solved if you follow this process!!! :D
That's definitely NOT my problem -- I don't have any version of Delphi on my computer, nor have I ever had any version of Delphi on my computer. (I do all my development in VC++.)

I believe (not certain about this) that Enigma Protector is written in Delphi, and a few of the antivirus apps have gotten suddenly hysterical over Win32/Induc.A & anything written with Delphi. If I run Enigma a couple of times, it will generate a version of the protected dll that none of the antivirus apps complain about. So either:

(a) The antivirus apps were right initially and are all suddenly stupid in failing to recognize a virus in the app a second time, or
(b) The antivirus apps were wrong initially & reported a false positive.

I suspect (b) is the likelier answer.

Rex

Re: Virus

Posted: Sun Aug 23, 2009 9:20 am
by KeyGen
Yes prasid, this is the best answer for Delphi users!
Also, my DLL (in VC++) doesn't give any false positive alert after protecting with Enigma...
Thanks a lot, prasid :D

Re: Virus

Posted: Wed Aug 26, 2009 12:59 am
by Cauter
What complacency! Firstly note that good AV companies are reporting that, while everyone thinks these W32/Induc reports are false positives, they are not! At least this time, some AV companies are right.

However, looking at the VirusTotal results for that enigma32.exe scan, I have to say the companies that detect it aren't the ones I most trust. The fact that the ones I trust don't detect it means, for me, that the jury is still out on enigma32.exe.

Some of you need to read up more about how this Induc virus works:

Infected files don't directly infect other executables. Instead they infect Delphi development environments, so that everything subsequently compiled with Delphi is infected.

So, even if some component of Enigma Protector is infected and you use Enigma to protect your file, it won't infect your file... unless Enigma includes some infected runtime DLL alongside your file? I have not investigated Enigma itself to know.

But ... if you use Delphi, and you run an infected copy of Enigma, then your Delphi will become infected, and from then on every file you compile with it will be infected.

Ironically, if you protect an infected file with Enigma then some AV companies might no longer be able to see inside the file to detect Induc. In that case they won't detect your protected file with a normal scan, but it will still be infected! So, in the earlier post with the (a) and (b) conjectures, (a) is actually the most likely scenario!

The poster before me really needs to take note of that. You say you protected your file and it is no longer detected... implying that it was detected before? If so then the file has an Induc infection!

Note that reports of things other than Induc (e.g. the Maximus trojan or whatever) on files protected with Enigma are an entirely separate and independent issue. Some AV companies detect everything protected that they can't see inside as suspicious. Whether enigma32.exe is infected with W32/Induc or not is a separate, and still open, question.

Mr Enigma, there is an easy way to tell: If you use Delphi, then search for the file SysConst.dcu. Is there also a file SysConst.bak in the same folder? Or did you at any point find and remove such a SysConst.bak?
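The SysConst.bak check that prasid's fix and Cauter's last question both rely on, as an added example that is not from this thread or from Enigma or ESET: walk a Delphi install tree, flag every SysConst.dcu that has a SysConst.bak beside it, and restore the original while keeping the suspect unit for analysis. The directory layout and file contents in demo() are constructed; a real run would point at the Borland folder.

```python
import os
import shutil
import tempfile
from pathlib import Path

DCU_NAME = "sysconst.dcu"   # compiled unit the virus replaces
BAK_NAME = "sysconst.bak"   # copy of the original that the virus leaves behind


def find_induc_indicators(root):
    """Return (dcu_path, bak_path_or_None) for every SysConst.dcu under root.
    A sibling SysConst.bak is the indicator this thread describes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}   # Windows names are case-insensitive
        if DCU_NAME in lower:
            bak = Path(dirpath, lower[BAK_NAME]) if BAK_NAME in lower else None
            hits.append((Path(dirpath, lower[DCU_NAME]), bak))
    return hits


def restore_from_backup(dcu, bak, quarantine_dir):
    """Move the suspect .dcu to quarantine (keep it for analysis or AV submission)
    and copy the backup back into place. Returns the quarantined path."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    quarantined = qdir / (dcu.name + ".suspect")
    shutil.move(str(dcu), str(quarantined))
    shutil.copy2(str(bak), str(dcu))
    return quarantined


def demo():
    """Constructed sample tree: one clean Delphi Lib dir and one carrying the
    indicator (assumed layout, stands in for C:\\Program Files\\Borland)."""
    base = Path(tempfile.mkdtemp())
    clean, infected = base / "Delphi5" / "Lib", base / "Delphi7" / "Lib"
    for d in (clean, infected):
        d.mkdir(parents=True)
        (d / "SysConst.dcu").write_bytes(b"dcu: original (constructed)")
    (infected / "SysConst.bak").write_bytes(b"dcu: original (constructed)")
    (infected / "SysConst.dcu").write_bytes(b"dcu: rewritten (constructed)")
    hits = find_induc_indicators(base)
    flagged = [(d, b) for d, b in hits if b is not None]
    restored = [restore_from_backup(d, b, base / "quarantine") for d, b in flagged]
    result = {
        "lib_dirs": len(hits),
        "flagged": [str(d.relative_to(base)) for d, _ in flagged],
        "restored_matches_backup": all(d.read_bytes() == b.read_bytes() for d, b in flagged),
        "quarantined": [str(q.relative_to(base)) for q in restored],
    }
    shutil.rmtree(base)
    return result
```

A present .bak is only the indicator the thread names, so the quarantined .dcu is what to hand to the AV vendor rather than delete.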