Information about the W32/Induc-A Virus (or Delphi Virus) keep spreading, including lots of misconceptions:

  • New virus spreads by attacking Borland compiler fails to notice that Borland is now gone, that the virus attacks a very old version of Delphi, but it is correct in assessing the millions of program with this virus now in the wild
  • Blog posts like "are your worried" and "2nd threat" from members of the Delphi community are certainly more on focus
  • I was also contacted by a few developer who were hit by the virus. Several companies could not work as some of their business processing software was sent to quarantine due to the fact that the virus signiture was added to their anti-virus database (the software was already on their computers, but not considered harmful). Now the virus itself is not dangerous, but its effect can be very negative, as in the case just mentioned.

Embarcadero is well aware of the problem (see again Allen Bauer post) and will probably deliver a formal solution to address it, but I feel it is worth to address the problem right away. I'll cover again how to figure out if your computer is infected (based on accounts by others, since I didn't have the experience myself) and also suggest a couple of ways to avoid the problem to repeat.

Are you infected?

Other than checking if you have on your computer applications with the virus, or even an empty project you compile has it, to figure out if you are infected you can look into the lib folder of your Delphi 5, 6, or 7 installation (maybe also 4, some source mentioned 8, but that was the .NET version, so it doesn't pertain). In this folder you'll have a modified SysConst.dcu (but apparently with the same timestamp of the original) and a SysCont.bak, a backup copy of the original source code file. You can restore the proper SysConts.dcu from the original Delphi distribution disk (rather than reinstalling, you can copy the file from the installation image taht old versions used to offer right on the CD).

How to Prevent an Infection

Even if you cure your installation, you might have a program on your system (or downlaod a new one with the virus) that causes the same problem again. So beside curing the problem, even in case your system is not infected, you might want to prevent any future problem. I'm worried that so many news about this virus might push other developes to clone the idea!

As the virus has to compile itself into the DCU format, it calls the command line compiler, something most developers seldom use. So a very good solution to avoid the virus from attacking your Delphi is to move the your DCC32.EXE to another directory from the \bin directory of your Delphi installation , where the virus looks for it to compile the modified source code of the unit. A change in the source WITHOUT RECOMPILING will not activate the virus. Stopping the virus from finding the command line compiler in the first place is a very good defense about this and similar future threats.

Another option, very specific to how this virus behaves, is to add (or keep) the SysCont.bak file in the /lib folder. The virus in fact seems to look for this file to check if the system is already infected. If it is, it simply won't do anything.

A different line of defense, which is way more robust and will help you also in the future, is to prevent any application from writing in your lib folder without permission . This is probably already the case if you installed Delphi 7 on Windows Vista. Despite the fact you might dislike Windows file system protection and the User Account Control, a similar mechanism that prevents any program from modifying anything under Program Files would defeat any virus behaving like that. You can at least mark the dcu files in the lib folder readonly.

So it is partially true that newer versions of Delphi don't have a specific feature to prevent similar infections in the future, but the current version of the operating system has enough protection to prevent it. If you have Delphi 7 and run it on Vista, you might have to loosen the access permission to some folders (including the bin folder in which Delphi 6 and 7 write some of the desktop setting files). But if you have newer version of Delphi (since Delphi 2007) which is installed in a Vista friendly way, you can keep full permissions and UAC on and prevent changes to your compiler and library files. I generally don't even run Delphi itself as administrator, as it behaves fine with the standard user permissions, and this makes sure that even while using the IDE legitimately I cannot by mistake update one the the compiled system libraries.

Waiting for official Embarcadero guidlines, I hope this helps dispell some more myths and provide a couple of simple tricks from stopping the virus. In summary: move your command line compiler, pretend your system already has the virus, and protect your library folder from accidental or malicious changes .

The positive element of this mess is that it should raise awareness of developers about security, make people realize how much Delphi is used, make manager want to stay on more up-to-date versions, but the fear is it might damage Delphi reputation. Stay tuned for more information and spread the word to your fellow Delphi developers.