August 22, 2009

How to Stop W32/Induc-A Virus (or the Delphi Virus)

While information about the W32/Induc-A Virus (or Delphi Virus) keep spreading, it might be worth focusing on how to stop the virus from spreading.

Information about the W32/Induc-A Virus (or Delphi Virus) keep spreading, including lots of misconceptions:

  • New virus spreads by attacking Borland compiler fails to notice that Borland is now gone, that the virus attacks a very old version of Delphi, but it is correct in assessing the millions of program with this virus now in the wild
  • Blog posts like "are your worried" and "2nd threat" from members of the Delphi community are certainly more on focus
  • I was also contacted by a few developer who were hit by the virus. Several companies could not work as some of their business processing software was sent to quarantine due to the fact that the virus signiture was added to their anti-virus database (the software was already on their computers, but not considered harmful). Now the virus itself is not dangerous, but its effect can be very negative, as in the case just mentioned.

Embarcadero is well aware of the problem (see again Allen Bauer post) and will probably deliver a formal solution to address it, but I feel it is worth to address the problem right away. I'll cover again how to figure out if your computer is infected (based on accounts by others, since I didn't have the experience myself) and also suggest a couple of ways to avoid the problem to repeat.

Are you infected?

Other than checking if you have on your computer applications with the virus, or even an empty project you compile has it, to figure out if you are infected you can look into the lib folder of your Delphi 5, 6, or 7 installation (maybe also 4, some source mentioned 8, but that was the .NET version, so it doesn't pertain). In this folder you'll have a modified SysConst.dcu (but apparently with the same timestamp of the original) and a SysCont.bak, a backup copy of the original source code file. You can restore the proper SysConts.dcu from the original Delphi distribution disk (rather than reinstalling, you can copy the file from the installation image taht old versions used to offer right on the CD).

How to Prevent an Infection

Even if you cure your installation, you might have a program on your system (or downlaod a new one with the virus) that causes the same problem again. So beside curing the problem, even in case your system is not infected, you might want to prevent any future problem. I'm worried that so many news about this virus might push other developes to clone the idea!

As the virus has to compile itself into the DCU format, it calls the command line compiler, something most developers seldom use. So a very good solution to avoid the virus from attacking your Delphi is to move the your DCC32.EXE to another directory from the \bin directory of your Delphi installation , where the virus looks for it to compile the modified source code of the unit. A change in the source WITHOUT RECOMPILING will not activate the virus. Stopping the virus from finding the command line compiler in the first place is a very good defense about this and similar future threats.

Another option, very specific to how this virus behaves, is to add (or keep) the SysCont.bak file in the /lib folder. The virus in fact seems to look for this file to check if the system is already infected. If it is, it simply won't do anything.

A different line of defense, which is way more robust and will help you also in the future, is to prevent any application from writing in your lib folder without permission . This is probably already the case if you installed Delphi 7 on Windows Vista. Despite the fact you might dislike Windows file system protection and the User Account Control, a similar mechanism that prevents any program from modifying anything under Program Files would defeat any virus behaving like that. You can at least mark the dcu files in the lib folder readonly.

So it is partially true that newer versions of Delphi don't have a specific feature to prevent similar infections in the future, but the current version of the operating system has enough protection to prevent it. If you have Delphi 7 and run it on Vista, you might have to loosen the access permission to some folders (including the bin folder in which Delphi 6 and 7 write some of the desktop setting files). But if you have newer version of Delphi (since Delphi 2007) which is installed in a Vista friendly way, you can keep full permissions and UAC on and prevent changes to your compiler and library files. I generally don't even run Delphi itself as administrator, as it behaves fine with the standard user permissions, and this makes sure that even while using the IDE legitimately I cannot by mistake update one the the compiled system libraries.

Waiting for official Embarcadero guidlines, I hope this helps dispell some more myths and provide a couple of simple tricks from stopping the virus. In summary: move your command line compiler, pretend your system already has the virus, and protect your library folder from accidental or malicious changes .

The positive element of this mess is that it should raise awareness of developers about security, make people realize how much Delphi is used, make manager want to stay on more up-to-date versions, but the fear is it might damage Delphi reputation. Stay tuned for more information and spread the word to your fellow Delphi developers.




How to Stop W32/Induc-A Virus or the Delphi Virus 

Marco! It's good to see you on top of this. I wish I
had a couple pages with some good Jim Carpenter
artwork to offer you for publishing these tips!
Comment by J.D. Hildebrand on August 22, 01:58

How to Stop W32/Induc-A Virus or the Delphi Virus 

The library path/search path is a per user option, so
the virus could change that (inserting a path to a
modified DCU) and still produce the same behavior as now.
This is also true with protected Program Files
directory in Vista.
Comment by Maël Hörz on August 22, 06:17


"fails to notice that Borland is now gone"

technically they are correct though. Delphi 4 to 7 
were Borland products.
Comment by Thomas Mueller [] on August 22, 08:43

How to Stop W32/Induc-A Virus or the Delphi Virus 

I suddenly wonder if this virus attack could also occur 
with other development languages of if it's just Delphi-
specific simply because Delphi provides easy access to 
the code of it's runtime libraries... 
Comment by Workshop Alex on August 22, 10:15

How to Stop W32/Induc-A Virus or the Delphi Virus 

Are you saying that, if there is no SysConst.BAK file 
on my system, then I do not have the virus ?
Comment by Olivier Beltrami [] on August 22, 14:18

How to Stop W32/Induc-A Virus or the Delphi Virus 

Thank you Marco, that's just the sort of simple,
plain-spoken and easy-to-follow advice I have been
hoping someone would post.
Comment by Cheryl Morgan [] on August 22, 14:27

How to Stop W32/Induc-A Virus or the Delphi Virus 

If I understand correctly, the life cycle of this 
virus is 1) some shareware developer downloads an 
infected program (i.e., other shareware), 2) he builds 
his own shareware and publishes it, 3) next one 
downloads his shareware and starts it, and so the 
infection goes next round. That is, the infection 
evolves really slow, with one "generation" perhaps in 
months, if not years.

Btw, it possibly explains the target version delphi 7 
- may be in the times of the generation one it was a 
very current version ;)

Perhaps it would be useful to identify the infection 
carriers with the goal to build the "genealogy" of the 
virus and to trace it back to the "roots"?
Comment by anthon on August 22, 16:41

How to Stop W32/Induc-A Virus or the Delphi Virus 


I think that setting read-only attribute can not help 
at all. Because, virus do not write into existing 
files. It renames dcu and creates new pas-file (it 
will be deleted after compilation). So, there is no 
point in setting read-only. But changing NTFS file 
permissions may help.

UAC in Vista (or working under non-admin in XP) is 
quite good protection. Well...  until you'll encounter 
infected setup (and setup is executed under 
administrator in 99% cases). So, this is a good 
option/bonus, but it alone is still not good enough.

The 100% reliable protection is to put \Lib and 
\Sources folder under anti-virus watch (I mean, some 
sort of "these-files-should-never-change" function).
Comment by GunSmoker [] on August 23, 11:24

How to Stop W32/Induc-A Virus or the Delphi Virus 

I think that virus authors have tried this infection 
procedure just to see its scope. 

also in the future a lot of virus makers will use 
this concept in their yards. 

It is a war of cat and mouse:)
Comment by STRELiTZIA | AT4RE on August 23, 15:21

How to Stop W32/Induc-A Virus or the Delphi Virus 

BTW, moving dcc32 is not enough either! :)

For example, virus can carry a compressed copy of 
already infected dcu-s (or only changes), and thus it 
can infect your Delphi without help from Delphi's 
compiler. I.e. all it do is makes a file copies. That's 

Again, the only 100% option is to put your Delphi's 
folder under full control. No virus can break this. All 
other ways are somehow limited. Special virus 
modifications can target them specifically.
Comment by GunSmoker [] on August 23, 17:33

How to Stop W32/Induc-A Virus or the Delphi Virus 

Moving or renaming the command line compiler will
break many installation programs which auto install
their components. This includes nearly all JEDI products!
If you have luck an installer tells you what the
problem ist. It is also possible that it just fails
and exits.
And then you have to remember the new location and
copy it back before the installer is executed. It is
not uncommon in times of 1TB disks that moved or
renamed files are never be found again :)

Comment by Christian Wimmer [] on August 24, 12:34

How to Stop W32/Induc-A Virus or the Delphi Virus 

I got this virus on my system(i don't know from 
where) but my av(avast) warned me after i compiled a 
program wich i worte line by line that i got a 
Anyhu i reinstalled a fresh copy of Win and Delphi 
and made  back up of dcu's and pas file so no 
worries, i check every now and then for the size of 
the dcu's, 1 of them must be 10 kb to be virus, you 
have 2 SysConst.dcu and both has 12 kb size.
Good Luck!
Comment by delphigeist [] on August 24, 15:04

GSA Delphi Induc Cleaner 

GSA has developed a freeware tool that could remove 
the Win32/Induc.A virus completely from executables 
and let you start them again without your anti virus 
complaining about it.
Comment by GSA [] on August 25, 16:33

How to Stop W32/Induc-A Virus or the Delphi Virus 

Thank you very much, GSA, for your free tool which 
helped me find an infected file on my machine and 
deal with it successfully. You beat Embarcadero to 
the punch, too! 
Comment by Joseph G. Mitzen on August 27, 20:40

How to Stop W32/Induc-A Virus or the Delphi Virus 

 Thank you so much GSA, your free removal help me very
well. Hope God Bless You
Comment by Ardy on September 12, 07:27

How to Stop W32/Induc-A Virus or the Delphi Virus 

So how do I tell if my SysConst.dcu file was 
modified if the file's datetime stamp doesn't get 
changed after infection?
Comment by ALP on November 23, 17:55

How to Stop W32/Induc-A Virus or the Delphi Virus 

It is Delphi2007.
Open Delphi2007,New Project:VCL Forms 
Application,Build, then Avast found a 
Comment by Avast Reports a virus in Blank VCL Forms Application on December 24, 10:28

Post Your Comment

Click here for posting your feedback to this blog.

There are currently 0 pending (unapproved) messages.