August 22, 2009
How to Stop W32/Induc-A Virus (or the Delphi Virus)
Information about the W32/Induc-A Virus (or Delphi Virus) keeps spreading, and so do misconceptions about it:
- The article "New virus spreads by attacking Borland compiler" fails to notice that Borland is now gone and that the virus attacks very old versions of Delphi, but it is correct in assessing that there are now millions of programs carrying this virus in the wild
- Blog posts like "are you worried" and "2nd threat" from members of the Delphi community are certainly more on target
- I was also contacted by a few developers who were hit by the virus. Several companies could not work because some of their business processing software was sent to quarantine once the virus signature was added to their anti-virus database (the software had been on their computers all along, but was not considered harmful until then). Now, the virus itself does no harm beyond spreading, but its side effects can be very negative, as in the case just mentioned.
Embarcadero is well aware of the problem (see again Allen Bauer's post) and will probably deliver a formal solution to address it, but I feel it is worth addressing the problem right away. I'll cover again how to figure out whether your computer is infected (based on accounts by others, since I have not seen an infection myself) and also suggest a couple of ways to prevent the problem from recurring.
Are you infected?
Besides checking whether applications on your computer carry the virus, or whether even an empty project you compile picks it up, you can look in the Lib folder of your Delphi 5, 6, or 7 installation (possibly also 4; some sources mention 8, but that was the .NET version, so it doesn't apply). An infected installation has a modified SysConst.dcu (apparently with the same timestamp as the original, so don't rely on the file date) next to a SysConst.bak, the virus's backup copy of the original compiled unit. You can restore the proper SysConst.dcu from the original Delphi distribution disk: rather than reinstalling, copy the file from the installation image that old versions used to offer right on the CD.
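As an added check (example code written for this page, not part of the original post and not an Embarcadero tool), the script below inspects one Delphi 5/6/7 installation for the three things described above: a SysConst.bak in Lib, a leftover SysConst.pas, and a SysConst.dcu whose content no longer matches a known-good copy. Because the file date reportedly looks unchanged, it compares a SHA-256 hash rather than the timestamp; the known-good hash is one you record yourself from your installation media (none is supplied here). The demo() function builds a throw-away fake install tree with placeholder bytes, so it runs anywhere; the "infected" step only mimics the rename-and-recompile pattern, it does not contain or run the virus.

```python
import hashlib
import os
import tempfile


def lookup(directory, name):
    """Case-insensitive lookup of a file or folder; returns its path or None."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(delphi_root, known_good_sha256=None):
    """Return a list of findings for one Delphi install; an empty list means clean.

    known_good_sha256 is the hash of SysConst.dcu taken from your own install
    media (not supplied here); without it only the presence checks run.
    """
    findings = []
    lib = lookup(delphi_root, "Lib")
    if lib is None:
        return ["no Lib folder under " + delphi_root]
    if lookup(lib, "SysConst.bak"):
        findings.append("SysConst.bak present in Lib: the virus's backup of the "
                        "original unit, unless you placed a decoy there yourself")
    if lookup(lib, "SysConst.pas"):
        findings.append("SysConst.pas present in Lib: the virus writes its source "
                        "there before compiling and normally deletes it afterwards")
    dcu = lookup(lib, "SysConst.dcu")
    if dcu is None:
        findings.append("SysConst.dcu missing from Lib")
    elif known_good_sha256 and sha256_of(dcu) != known_good_sha256.lower():
        # The file date is not reliable, so compare content instead.
        findings.append("SysConst.dcu content differs from the known-good copy")
    return findings


def demo():
    """Constructed fake install tree (placeholder bytes, not real Delphi files)."""
    root = tempfile.mkdtemp(prefix="delphi7-")
    lib = os.path.join(root, "Lib")
    os.makedirs(lib)
    os.makedirs(os.path.join(root, "Bin"))
    dcu = os.path.join(lib, "SysConst.dcu")
    with open(dcu, "wb") as f:
        f.write(b"stand-in for the clean compiled unit")
    baseline = sha256_of(dcu)          # in real use: hash the copy on the install CD
    clean = audit(root, baseline)

    # Mimic the infection pattern: original kept as .bak, .dcu replaced by a
    # recompiled one, and the timestamp copied over so a date check sees nothing.
    before = os.stat(dcu)
    os.rename(dcu, os.path.join(lib, "SysConst.bak"))
    with open(dcu, "wb") as f:
        f.write(b"stand-in for the recompiled, infected unit")
    os.utime(dcu, ns=(before.st_atime_ns, before.st_mtime_ns))
    infected = audit(root, baseline)
    date_changed = os.stat(dcu).st_mtime_ns != before.st_mtime_ns   # False
    return {"clean": clean, "infected": infected, "date_check_catches_it": date_changed}
```

Run audit() once per installation root (Delphi 4 through 7 can coexist on one machine) and treat any non-empty list as a reason to restore SysConst.dcu from the CD. If you later add a decoy SysConst.bak yourself, the first finding becomes expected noise and the hash comparison is the one that matters.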
How to Prevent an Infection
Even if you clean your installation, you might still have a program on your system (or download a new one) that carries the virus and causes the same problem again. So besides curing the problem, and even if your system is not infected, you may want to prevent any future recurrence. I'm worried that all the news coverage of this virus might push other developers to clone the idea!
Since the virus has to compile itself into the DCU format, it calls the command-line compiler, something most developers seldom use. So a very good way to stop the virus from attacking your Delphi is to move DCC32.EXE out of the Bin directory of your Delphi installation, where the virus looks for it to compile the modified source of the unit, into some other directory. A change to the source WITHOUT RECOMPILING will not activate the virus. Stopping the virus from finding the command-line compiler in the first place is a very good defense against this and similar future threats. Just remember to put DCC32.EXE back (at least temporarily) before running component installers that compile from the command line, such as the JEDI ones, because they expect it in Bin.
Another option, very specific to how this virus behaves, is to add (or keep) a SysConst.bak file in the Lib folder. The virus seems to look for this file to check whether the system is already infected; if it finds it, it simply does nothing. The side effect of a decoy is that the presence of SysConst.bak alone no longer tells you whether an installation is infected, so compare SysConst.dcu against a known-good copy instead.
A different line of defense, much more robust and useful well beyond this specific virus, is to prevent any application from writing to your Lib folder without permission. This is probably already the case if you installed Delphi 7 on Windows Vista. Much as you might dislike Windows file system protection and User Account Control, a mechanism that prevents programs from modifying anything under Program Files defeats any virus that behaves like this one. As a weaker fallback you can at least mark the .dcu files in the Lib folder read-only, but keep in mind that the attribute only stops in-place writes: a program running with your own rights can clear it, or rename the file and drop a new one next to it, so it is no substitute for folder permissions.
So it is only partially true that newer versions of Delphi lack a specific feature to prevent similar infections: the current version of the operating system already has enough protection to prevent them. If you have Delphi 7 and run it on Vista, you might have to loosen the access permissions on some folders (including the Bin folder, in which Delphi 6 and 7 write some of the desktop settings files). But if you have a newer version of Delphi (since Delphi 2007), which is installed in a Vista-friendly way, you can keep full permissions and UAC on and prevent changes to your compiler and library files. I generally don't even run Delphi itself as administrator, as it behaves fine with standard user permissions, and this makes sure that even while using the IDE legitimately I cannot update one of the compiled system libraries by mistake. Permissions only hold as long as nothing infected runs with administrator rights, though: an infected setup program you elevate through UAC gets past them.
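The three mitigations above, packaged as an added example (code written for this page, not from the post or from Embarcadero): a small Python helper that applies them to one installation and can undo them again, since the compiler has to be back in Bin before running component installers that build from the command line. It assumes the standard Lib and Bin layout under the root you pass, a parking directory of your choosing for the compiler, and a state file whose name is invented here. The read-only step is deliberately the weakest of the three: it clears the write bit (the read-only attribute on Windows) and nothing more, so folder permissions remain the real control. demo() exercises harden() and restore() on a constructed fake tree.

```python
import json
import os
import shutil
import stat
import tempfile

STATE_NAME = "induc-hardening.json"   # assumed name; records what restore() must undo


def harden(delphi_root, parking_dir):
    """Apply the three mitigations; returns the state dict that restore() consumes."""
    lib = os.path.join(delphi_root, "Lib")
    bin_dir = os.path.join(delphi_root, "Bin")
    if not (os.path.isdir(lib) and os.path.isdir(bin_dir)):
        raise FileNotFoundError("expected Lib and Bin under " + delphi_root)
    state = {"dcc32": None, "decoy_created": False, "made_readonly": []}

    # 1. Park DCC32.EXE outside Bin: that is where the virus looks for the compiler,
    #    and without a recompile a rewritten source unit does nothing.
    dcc32 = os.path.join(bin_dir, "dcc32.exe")
    if os.path.isfile(dcc32):
        os.makedirs(parking_dir, exist_ok=True)
        parked = os.path.join(parking_dir, "dcc32.exe")
        shutil.move(dcc32, parked)
        state["dcc32"] = {"from": dcc32, "to": parked}

    # 2. Decoy SysConst.bak: the virus treats its presence as "already infected".
    decoy = os.path.join(lib, "SysConst.bak")
    if not os.path.exists(decoy):
        with open(decoy, "wb") as f:
            f.write(b"decoy placed by harden(); not a Delphi unit\n")
        state["decoy_created"] = True

    # 3. Clear the write bits on the compiled units (read-only attribute on Windows).
    #    Only in-place writes are blocked, not rename-and-replace, so this is a
    #    fallback to denying write access on the folder itself via permissions.
    for entry in os.listdir(lib):
        path = os.path.join(lib, entry)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if entry.lower().endswith(".dcu") and mode & stat.S_IWUSR:
            os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
            state["made_readonly"].append(path)

    with open(os.path.join(delphi_root, STATE_NAME), "w") as f:
        json.dump(state, f, indent=2)
    return state


def restore(delphi_root):
    """Put DCC32.EXE and the write bits back (needed before installers that compile
    from the command line). The decoy .bak is harmless, so it is left in place."""
    state_path = os.path.join(delphi_root, STATE_NAME)
    with open(state_path) as f:
        state = json.load(f)
    if state["dcc32"]:
        shutil.move(state["dcc32"]["to"], state["dcc32"]["from"])
    for path in state["made_readonly"]:
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | stat.S_IWUSR)
    os.remove(state_path)
    return state


def demo():
    """Constructed fake install tree (placeholder files); returns what each step saw."""
    root = tempfile.mkdtemp(prefix="delphi7-")
    os.makedirs(os.path.join(root, "Lib"))
    os.makedirs(os.path.join(root, "Bin"))
    dcc32 = os.path.join(root, "Bin", "dcc32.exe")
    dcu = os.path.join(root, "Lib", "SysConst.dcu")
    for path in (dcc32, dcu):
        with open(path, "wb") as f:
            f.write(b"placeholder")

    def writable(p):
        return bool(os.stat(p).st_mode & stat.S_IWUSR)

    state = harden(root, os.path.join(root, "parked-compiler"))
    after_harden = {
        "dcc32_in_bin": os.path.exists(dcc32),
        "dcc32_parked": os.path.exists(state["dcc32"]["to"]),
        "decoy_present": os.path.exists(os.path.join(root, "Lib", "SysConst.bak")),
        "dcu_writable": writable(dcu),
    }
    restore(root)
    after_restore = {"dcc32_in_bin": os.path.exists(dcc32), "dcu_writable": writable(dcu)}
    return {"harden": after_harden, "restore": after_restore}
```

On a real machine you would call harden() with the installation root and a folder outside Program Files, and restore() right before installing components; the state file makes the round trip exact, including which .dcu files were originally writable.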
While waiting for official Embarcadero guidelines, I hope this helps dispel some more myths and provides a couple of simple tricks for stopping the virus. In summary: move your command-line compiler, pretend your system already has the virus, and protect your library folder from accidental or malicious changes.
The positive side of this mess is that it should raise developers' awareness of security, make people realize how much Delphi is used, and make managers want to stay on more up-to-date versions; the fear is that it might damage Delphi's reputation. Stay tuned for more information and spread the word to your fellow Delphi developers.
17 Comments
How to Stop W32/Induc-A Virus or the Delphi Virus
The library path/search path is a per user option, so the virus could change that (inserting a path to a modified DCU) and still produce the same behavior as now. This is also true with protected Program Files directory in Vista.
Comment by Maël Hörz on August 22, 06:17
Borland
"fails to notice that Borland is now gone" technically they are correct though. Delphi 4 to 7 were Borland products.
Comment by Thomas Mueller [http://www.dummzeuch.de] on August 22, 08:43
How to Stop W32/Induc-A Virus or the Delphi Virus
I suddenly wonder if this virus attack could also occur with other development languages or if it's just Delphi-specific simply because Delphi provides easy access to the code of its runtime libraries...
Comment by Workshop Alex on August 22, 10:15
How to Stop W32/Induc-A Virus or the Delphi Virus
Are you saying that, if there is no SysConst.BAK file on my system, then I do not have the virus?
Comment by Olivier Beltrami [http://www.qppstudio.net] on August 22, 14:18
How to Stop W32/Induc-A Virus or the Delphi Virus
Thank you Marco, that's just the sort of simple, plain-spoken and easy-to-follow advice I have been hoping someone would post.
Comment by Cheryl Morgan on August 22, 14:27
How to Stop W32/Induc-A Virus or the Delphi Virus
If I understand correctly, the life cycle of this virus is 1) some shareware developer downloads an infected program (i.e., other shareware), 2) he builds his own shareware and publishes it, 3) the next one downloads his shareware and starts it, and so the infection goes another round. That is, the infection evolves really slowly, with one "generation" perhaps in months, if not years. Btw, it possibly explains the target version Delphi 7: maybe in the times of generation one it was a very current version ;) Perhaps it would be useful to identify the infection carriers with the goal of building the "genealogy" of the virus and tracing it back to the "roots"?
Comment by anthon on August 22, 16:41
How to Stop W32/Induc-A Virus or the Delphi Virus
Hi, I think that setting the read-only attribute cannot help at all, because the virus does not write into existing files. It renames the DCU and creates a new .pas file (which is deleted after compilation). So there is no point in setting read-only. But changing NTFS file permissions may help. UAC in Vista (or working as non-admin in XP) is quite good protection. Well... until you encounter an infected setup (and a setup is executed under administrator in 99% of cases). So this is a good option/bonus, but alone it is still not good enough. The 100% reliable protection is to put the \Lib and \Sources folders under anti-virus watch (I mean, some sort of "these-files-should-never-change" function).
Comment by GunSmoker [http://gunsmoker.blogspot.com/] on August 23, 11:24
How to Stop W32/Induc-A Virus or the Delphi Virus
I think that virus authors have tried this infection procedure just to see its scope. Also, in the future a lot of virus makers will use this concept in their yards. It is a war of cat and mouse :)
Comment by STRELiTZIA | AT4RE on August 23, 15:21
How to Stop W32/Induc-A Virus or the Delphi Virus
BTW, moving dcc32 is not enough either! :) For example, the virus can carry a compressed copy of already infected DCUs (or only the changes), and thus it can infect your Delphi without help from Delphi's compiler. I.e. all it does is make file copies. That's all. Again, the only 100% option is to put your Delphi folder under full control. No virus can break this. All other ways are somehow limited. Special virus modifications can target them specifically.
Comment by GunSmoker [http://gunsmoker.blogspot.com/] on August 23, 17:33
How to Stop W32/Induc-A Virus or the Delphi Virus
Moving or renaming the command line compiler will break many installation programs which auto install their components. This includes nearly all JEDI products! If you are lucky an installer tells you what the problem is. It is also possible that it just fails and exits. And then you have to remember the new location and copy it back before the installer is executed. It is not uncommon in times of 1TB disks that moved or renamed files are never found again :)
Comment by Christian Wimmer [http://blog.delphi-jedi.net] on August 24, 12:34
How to Stop W32/Induc-A Virus or the Delphi Virus
I got this virus on my system (I don't know from where) but my AV (Avast) warned me after I compiled a program which I wrote line by line that I had a virus... Anyhow, I reinstalled a fresh copy of Windows and Delphi and made a backup of the DCU and PAS files so no worries; I check every now and then the size of the DCUs, one of them must be 10 KB to be the virus, you have 2 SysConst.dcu and both have 12 KB size. Good Luck!
Comment by delphigeist [http://my.opera.com/duminicad/blog/] on August 24, 15:04
GSA Delphi Induc Cleaner
GSA has developed a freeware tool that could remove the Win32/Induc.A virus completely from executables and let you start them again without your anti virus complaining about it. http://www.gsa-online.de/eng/delphi_induc_cleaner.html
Comment by GSA [http://www.gsa-online.de/eng/delphi_induc_cleaner.html] on August 25, 16:33
How to Stop W32/Induc-A Virus or the Delphi Virus
Thank you very much, GSA, for your free tool which helped me find an infected file on my machine and deal with it successfully. You beat Embarcadero to the punch, too!
Comment by Joseph G. Mitzen on August 27, 20:40
How to Stop W32/Induc-A Virus or the Delphi Virus
Thank you so much GSA, your free removal tool helped me very well. Hope God blesses you.
Comment by Ardy on September 12, 07:27
How to Stop W32/Induc-A Virus or the Delphi Virus
So how do I tell if my SysConst.dcu file was modified if the file's datetime stamp doesn't get changed after infection?
Comment by ALP on November 23, 17:55
How to Stop W32/Induc-A Virus or the Delphi Virus
It is Delphi 2007. Open Delphi 2007, New Project: VCL Forms Application, Build, then Avast found a virus: Win32:Mailware:gen
Comment by Avast Reports a virus in Blank VCL Forms Application on December 24, 10:28
How to Stop W32/Induc-A Virus or the Delphi Virus
Comment by J.D. Hildebrand on August 22, 01:58