Check your Delphi‚Äôs installation ‚Äì it may be infected

**Pyrogine** · 18-08-2009, 10:11 PM

The topic says it all, I just saw this post and my heart stop beating for a moment. He says d4-7 and I run d2009 but still. I checked just to make sure. This is nuts man.

http://blog.eurekalog.com/?p=244

and

http://jamiei.com/blog/2009/08/malwa...geting-delphi/

Sigh!

**AthenaOfDelphi** · 19-08-2009, 08:07 AM

Nice shout Jarrod.

Needless to say, I'm forwarding this to everyone I can think of that uses one of the affected versions.

**AthenaOfDelphi** · 19-08-2009, 08:19 AM

Something else to add... an idea thats been suggested by one of the guys here is to actually go through your installations and set SysConst.pas to be read-only and keep a backup copies of the SysConst (pas and dcu) files... just in case.

**noeska** · 19-08-2009, 09:36 AM

Is this the only possible files or need other files also be secured?
Also are delphi version above 7 affected or not?

**Wizard** · 19-08-2009, 10:26 AM

Checked SysConst.dcu in both Delphi versions 6 and 7 and the string ‚ÄúCreateFile(pchar(d+$bak$),0,0,0,3,0,0);‚Äù could not be found so I'm safe.

Hope so!!

Thanks for the headsUp!!!

**vgo** · 19-08-2009, 10:27 AM

Only the compiled sysconst.dcu is infected, the source code remains unchanged.

Delphi 2007 and 2009 aren't affected by this.

**AthenaOfDelphi** · 19-08-2009, 10:39 AM

Originally Posted by vgo

Only the compiled sysconst.dcu is infected, the source code remains unchanged.

Delphi 2007 and 2009 aren't affected by this.

From one of the articles:-

For each founded instance of Delphi:

1. It makes a copy of SysConst.pas file and inject itself into it.
2. It compiles new SysConst.pas and places new infected dcu-file into Lib folder.

The source code is deleted after SysConst is recompiled meaning you can't recover it without extracting it from a backup or the original install files.

**paul_nicholls** · 19-08-2009, 10:46 AM

Originally Posted by Wizard

Checked SysConst.dcu in both Delphi versions 6 and 7 and the string ‚ÄúCreateFile(pchar(d+$bak$),0,0,0,3,0,0);‚Äù could not be found so I'm safe.

Hope so!!

Thanks for the headsUp!!!

Ditto for me too, so it appears I'm safe at work and home...phew!
cheers,
Paul

**Pyrogine** · 19-08-2009, 02:17 PM

I found this on the avast forum:

http://forum.avast.com/index.php?top...2787#msg402787

Sigh... i wonder how many Delphi apps made with those versions are infected and on our machines?

**arthurprs** · 19-08-2009, 04:42 PM

ps: i just checked, i'm not infected

Moderation Process Reminder

Thread: Check your Delphi‚Äôs installation ‚Äì it may be infected

Thread Tools

Display

Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi’s installation – it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Re: Check your Delphi‚Äôs installation ‚Äì it may be infected

Bookmarks

Bookmarks

Posting Permissions