I.T. Discussion Community!
-Collapse +Expand
Delphi
Search Delphi Group:

Advanced
-Collapse +Expand Delphi To/From
To/FromCODEGuides
-Collapse +Expand Delphi Store
PRESTWOODSTORE

Prestwood eMagazine

September Edition
Subscribe now! It's Free!
Enter your email:

   ► KBProgrammingDelphi for W...   Print This    All Groups  

  From the September 2009 Issue of Prestwood eMag
 
Delphi for Win32:
Virus Targets Old Delphi Tools
 
Posted 11 years ago on 8/20/2009
Summary:

New virus targets old versions of Delphi (4, 5, 6, and 7) but not the applications developed with Delphi and not the current Delphi versions, just Delphi itself.

KB102033

I detest the jerks that write viruses and other forms of malware.  But this one really gets my goat generally because it was a virus that targeted my favorite best-of-breed development tool and specifically because ZDNet reported the problem in a way that implies it targets applications developed by Delphi.

Despite ZDNet's bad tag line above, the virus targets old versions of Delphi (4, 5, 6, and 7) but not the applications developed with Delphi and not the current Delphi versions. I sure hope the way ZDNet chose to report this issue doesn't hurt Embarcadero, the owner of Delphi, because of a virus that attacks pre-Embarcadero versions of Delphi.

This virus targets the Delphi compiler such that applications built with Delphi on an infected machine will propogate the virus.

This will have two immediate adverse effects:

1: If you deploy infected software, your clients aren't going to be pleased, and

2: Anti-virus software may block your application from running at all.

Check your anti-virus vendor's on-line "encyclopedia" and be sure they list Win32.Induc as included in their protection.  Then run a full scan on your system to be sure you're squeaky clean.

 

The following is from VirusList.com:

"We recently added detection for a file infector to our databases, for something we call Virus.Win32.Induc.a. Since then, we've had a load of questions about it. It doesn't currently have a malicious payload, and it doesn't directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine, looking for versions 4.0, 5.0, 6.0 and 7.0.

If the malware does find one of these Delphi versions, it copies SysConst.pas to \Lib and writes its code to it. It then makes a backup of SysConst.dcu, calling it SysConst.bak (dcu files are kept in \Lib). It then compiles \Lib\SysConst.pas giving an infected version of SysConst.dcu. The modified .pas file gets deleted.

uses windows;
var sc:array[1..24] of string=('uses windows; var sc:array[1..24] of string=(',
'function x(s:string):string;var i:integer;begin for i:=1 to length(s) do if s[i]',
'=#36 then s[i]:=#39;result:=s;end;procedure re(s,d,e:string);var f1,f2:textfile;',
'h:cardinal;f:STARTUPINFO;p:PROCESS_INFORMATION;b:boolean;t1,t2,t3:FILETIME;begin',
'h:=CreateFile(pchar(d+$bak$),0,0,0,3,0,0);if h<>DWORD(-1) then begin CloseHandle',

 
The result is any Delphi program compiled on the computer gets infected. (We've already had a company contacting us to complain about something they thought was a false positive.) Maybe this particular virus isn't that much of a threat: it's not the first time we've seen this propagation method, the code itself is primitive, there's no other payload, and there are far easier ways to infect machines. But in the past we've seen new infection routines get picked up, tweaked, and taken further. We'll be keeping an eye on this one, just in case. "


Comments

0 Comments.
Share a thought or comment...
 
Write a Comment...
...
Sign in...

If you are a member, Sign In. Or, you can Create a Free account now.


Anonymous Post (text-only, no HTML):

Enter your name and security key.

Your Name:
Security key = P1223A1
Enter key:
News Contributed By Wes Peterson:

Wes Peterson is a Senior Programmer Analyst with Prestwood IT Solutions where he develops custom Windows software and custom websites using .Net and Delphi. When Wes is not coding for clients, he participates in this online community. Prior to his 10-year love-affair with Delphi, he worked with several other tools and databases. Currently he specializes in VS.Net using C# and VB.Net. To Wes, the .NET revolution is as exciting as the birth of Delphi.

Visit Profile

 KB Article #102033 Counter
4861
Since 8/20/2009

Follow PrestwoodBoards on: 


©1995-2020 PrestwoodBoards  [Security & Privacy]
Professional IT Services: Coding | Websites | Computer Tech