August 20, 2009

Virus W32/Induc-A Attacks Delphi SysConst.pas

Antivirus experts have found an odd virus that attacks Delphi (versions 5 to 7) by changing a library unit to get compiled into your own programs.

Antivirus experts have found an odd virus that attacks Delphi library units in order to get compiled into your programs. The W32/Induc-A virus doesn't patch existing executable files. Instead it looks for a Delphi installation (apparently versions 5, 6 and 7), modifies SysConst.pas (after backing up the original), and is then compiled by Delphi into every program you build, which is how it keeps spreading.

You can find an overview at this c|net article, this Sophos Lab blog entry, and this one as well. To find more detailed information, though, you can look at the description on  (this blog post includes the injected source code).

In the CodeGear newsgroups there are already several developers who have been infected over the last 3 or 4 weeks, simply by testing utilities written in Delphi and downloaded from the web. Given the popularity of Delphi as a development tool for utilities, this is probably a fairly common scenario.

So if you are still developing with an old version of Delphi, besides recommending that you upgrade your development tool, I suggest you run a good antivirus program. Otherwise some of the users of your programs might get virus warnings, and these would not be the false positives that Delphi applications trigger from time to time, but real (if lightweight) alerts: the virus seems to do nothing beyond spreading itself.

Another way to check your system, according to reports, is to look at the timestamp of SysConst.dcu under the Lib folder, or to check whether there is a sysconst.bak file in the same folder.

I'm not sure this is something to be happy about in this scenario, but given the huge number of free and shareware Delphi programs available, there is a good chance this virus spreads widely. So please let all your fellow Delphi developers know about this (even if mild) threat. And suggest they upgrade ;-)



Virus W32/Induc-A Attacks Delphi SysConst.pas 

Just noticed there is already a post on this subject in 
the EurekaLog blog at:
Comment by Marco Cantu on August 19, 17:04

FYI: Virus W32/Induc-A Attacks Delphi SysConst.pas 

Indeed, the virus was detected 8 days ago in Russian

The virus was discovered by the same guy who
writes for the EurekaLog blog.

According to poll results in the Russian Delphi
blogosphere, 40% of developers were infected (out of
over 100 who voted).

So, keep an eye on your Delphi\Lib folder. IMHO, the
best way to protect it is to put the Delphi Lib and
Bin folders under the control of a version control system.
Comment by Aleksey Timohin on August 20, 02:08

Virus W32/Induc-A Attacks Delphi SysConst.pas 

Install Comodo Internet Security and use the "My
Protected Files" functionality in Defence+.
Comment by Frode on August 20, 14:55

Virus W32/Induc-A Attacks Delphi SysConst.pas 

Simply don't use the PC with admin rights and
"magically" <program files> files are read-only....
Comment by Luigi D. Sandon on August 20, 19:46

Virus W32/Induc-A Attacks Delphi SysConst.pas 

The sysconst.dcu does not get its modified date/time
altered. It will still display whatever it was when
you installed Delphi.

I ended up getting infected from downloading 
TBASSPlayer components from Torry's Delphi Pages. I 
sent the author and the owner of the site an email 
about it. It seems the BassPlayer library 
MBDrawer.dll in the component distribution zip file 
is infected with the virus.
Comment by Nathan Davalos on August 20, 20:51

Virus W32/Induc-A Attacks Delphi SysConst.pas 

 Hi Marco,

look here:
Comment by Thomas Pfister on August 21, 10:18

Virus W32/Induc-A Attacks Delphi SysConst.pas 

Hi Marco, 

See here too:

A majority of people infected need to deploy better
hex. Simple as that. 

Can anyone tell if the dev machines were used to
browse? Hence I use VMs backed up to known states and
I gain portability, easy backups, no dependence on
physical hardware, simple to "rollback" etc...  

The so called "Delphi Virus" hyped in the press is a
POC and no more. There is no "PAYLOAD". This lesson
does apply to ALL dev tools however. 
Comment by m0d on August 29, 08:43
