Virus.Win32.Induc.a in VideoGet by Nuclear-Coffee
#0 | 19.08.2009, 22:52 | Honorary member | Posts: 6028
#2 | 20.08.2009, 14:37 | Honorary member, thread starter | Posts: 6028
This virus is actually several months old and all AV companies were blind.
Why? Till now, file infectors (like Virut, Sality, Parite, …) have modified executable files on the victim's machine. They appended their body and changed the entry point – "that's all". Win32:Induc is different. The infected file looks for the Borland Delphi compiler on the victim's machine. If Delphi is found, the source file SysConst.pas is replaced by a malicious one and is compiled into SysConst.dcu. Each new build (using SysConst.dcu – practically all) of any Delphi project on an infected machine produces an infected file. This malware is produced by "white" programmers without their permission. Many files are digitally signed and distributed globally through download servers.

A few statistics: A few hours after VPS update 090818-0 (contains detection Win32:Induc) we received hundreds of suspected "false positive alerts" – all of them were infected. In the last 12 hours (since VPS was released) avast! has found ~200 000 infected files.

http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/

This infection was discovered 2 days ago and all AV vendors are adding its detection to their virus databases because it is flagged as ITW (In The Wild). But this infection may be old - no one knows how old, but many software developers are infected and their software releases are infected too. Even if it is signed, it is infected! They were submitting infected copies to signing companies. The problem is that it is a new technique to infect - the executable infects source code (one Delphi library) - any program built with Delphi on an infected machine is infected too. So you can get a clean installation only after the software producer is clean and releases an absolutely new version. Or you may roll back to some old version which is not infected.

http://forum.avast.com/index.php?topic=47738.0

__________
MfG Argus
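An added example, not code from this thread or from avast: a baseline-hash check on the two Delphi files the post names (SysConst.pas and SysConst.dcu), so that the replacement it describes shows up on the build machine before the next release is compiled from it. The Delphi 7 directory layout under the install root is an assumption.

```python
# Integrity check for the Delphi unit Win32:Induc swaps out (added example).
import hashlib
import tempfile
from pathlib import Path

# Relative to the Delphi install root; Delphi 5-7 layout (assumed, not from the thread).
WATCHED = ("Source/Rtl/Sys/SysConst.pas", "Lib/SysConst.dcu")


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(delphi_root: Path) -> dict:
    """Record hashes of the watched units on a machine believed to be clean."""
    return {rel: sha256_of(delphi_root / rel)
            for rel in WATCHED if (delphi_root / rel).is_file()}


def check(delphi_root: Path, baseline: dict) -> list:
    """Any difference from the baseline means builds since then are suspect."""
    findings = []
    for rel in WATCHED:
        current = delphi_root / rel
        if not current.is_file():
            findings.append(f"{rel}: missing")
        elif rel not in baseline:
            findings.append(f"{rel}: not in baseline")
        elif sha256_of(current) != baseline[rel]:
            findings.append(f"{rel}: hash changed since baseline")
    return findings


def demo() -> list:
    """Constructed scenario: clean snapshot, then SysConst.pas gets replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WATCHED:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"clean " + rel.encode())  # constructed content
        baseline = snapshot(root)
        # Simulate the swap the post describes (constructed bytes, not the real unit).
        (root / WATCHED[0]).write_bytes(b"unit SysConst; { tampered }")
        return check(root, baseline)


if __name__ == "__main__":
    print(demo())  # ['Source/Rtl/Sys/SysConst.pas: hash changed since baseline']
```

In practice the snapshot is taken once on a fresh Delphi install and stored off the build machine; the check runs before each release build.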
#3 | 20.08.2009, 16:53 | Moderator | Posts: 7805
This went through all the blogs and the like. It started at Kaspersky, then heise, etc...

http://www.heise.de/security/Virus-infiziert-Entwicklungsumgebung-Update--/news/meldung/143679
http://www.viruslist.com/en/weblog?weblogid=208187826

An interesting and frightening approach. I am curious when the first malware of this kind with real damage potential will turn up...

__________
MfG Ralf
SEO-Spam Hunter
http://nuclear-coffee.com/de/VideoGet

Anyone who has bought the program should definitely download the latest version.
The trial version is infected too.
http://www.virustotal.com/nl/analisis/c723503fb0eaab8cd338dacf3775a5d1999f9a96f90d41195d3236077fd504cf-1250661759

VideoGet is infected with Virus.Win32.Induc.a
http://www.virustotal.com/nl/analisis/02acd7c1f68d49358fc98424ddb4beb275ccbdcb9c420b57535a029811ef8095-1250637189

__________
MfG Argus