
Thread: Check your Delphi’s installation – it may be infected

  1. #11

    Re: Check your Delphi’s installation – it may be infected

    Jarrod Davis
    Technical Director @ Piradyne Games

  2. #12

    Re: Check your Delphi’s installation – it may be infected

    Can the Delphi DCU be protected with a checksum? And run a check on that once in a while?
    So do a clean install, make checksums, and only when Delphi is updated must a new checksum be made.
    Actually, Delphi should have a feature like this built in and display a warning when such a thing happens. It should give you an option to update the checksum when you want to use an updated version yourself.

    With the pro versions providing the sources, don't these get recompiled? So with the original sysconst.dcu mangled by the virus, can't we recompile the sysconst.pas to get a new clean .dcu?
    http://3das.noeska.com - create adventure games without programming

  3. #13

    Re: Check your Delphi’s installation – it may be infected

    I was thinking... most people running XP, for example, are running in full admin mode... and if this thing manipulates files directly, then setting the file to read-only makes no difference, no? It's now doing the very same thing that the programmer running in full admin mode can do. If I can go to a file and change the attribute or whatever, then it can do the same thing too. This is what's so scary about it.

    From what I understand it deletes the original sysconst.pas, so you have to replace it from a fresh install. It seems to know that it's infected by looking for sysconst.bak, so this can be one way to have an initial barrier for it. But remember, the advantage it has is that it actually gets compiled on the target machine, which means there is an opportunity for it to do more damage. How long before someone updates this to work with higher versions of Delphi and to do more damaging things? Sigh.

    Also, all the infected Delphi installs that have apps that are infected that may be on our machines right now. Think about it for a moment... say if someone modified this to do some really serious stuff, it can be waiting on hundreds of Delphi-made apps to go off and cripple hundreds, thousands of machines. Man.

    It just brings home the fact that we all have to be much more careful and proactive as developers. More worries to add to our already overloaded plate. Heh.
    Jarrod Davis
    Technical Director @ Piradyne Games
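
Added example (not code from the thread or from Delphi): one way to do the checksum baseline suggested in #12, together with a check for the sysconst.bak marker file mentioned in #13. The function names are hypothetical, the demo tree is constructed dummy data rather than real DCUs, and the directory passed in is whatever lib folder your own install uses.

```python
import hashlib
import os
import tempfile

MARKER = "sysconst.bak"  # marker file name mentioned in the thread


def snapshot(lib_dir):
    """Return ({lower-cased relative path: SHA-256} for every .dcu, [marker paths])."""
    hashes, markers = {}, []
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            full = os.path.join(root, name)
            if name.lower() == MARKER:
                markers.append(full)
            elif name.lower().endswith(".dcu"):
                rel = os.path.relpath(full, lib_dir).replace(os.sep, "/").lower()
                with open(full, "rb") as f:
                    hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes, sorted(markers)


def verify(lib_dir, baseline):
    """Compare the current tree with a baseline taken from a clean install."""
    current, markers = snapshot(lib_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "marker_files": markers,
    }


def demo():
    """Constructed sample tree (dummy bytes, not real DCUs) showing the workflow."""
    with tempfile.TemporaryDirectory() as lib:
        for name in ("SysConst.dcu", "SysUtils.dcu"):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(b"clean " + name.encode())
        baseline, _ = snapshot(lib)  # in practice: save as JSON somewhere off the machine
        with open(os.path.join(lib, "SysConst.dcu"), "ab") as f:
            f.write(b" changed after baseline")
        open(os.path.join(lib, "SysConst.bak"), "wb").close()
        return verify(lib, baseline)


if __name__ == "__main__":
    print(demo())
```

Given the point in #13 that a process running as admin can rewrite anything the developer can, the baseline is only useful if it is stored where the build machine cannot modify it (read-only media or another host).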

  4. #14
    WILL (Co-Founder / PGD Elder)

    Re: Check your Delphi’s installation – it may be infected

    Wow, BASIC programmers will stoop to no ends, huh?

    Well this is news worth spreading. However as compiler/language politics goes. It seems like this was geared to attack Object Pascal programmers. I'm glad to say that I don't think that there will be a retaliation, but if there was I wouldn't hold it to that person much.

    All-in-all, why couldn't they just go and attack those whiny C programmers' compilers instead? Since there are so many of them.

    This will definitely become a mention on the next issue of Pascal Gamer Mag.
    Jason McMillen
    Pascal Game Development
    Co-Founder





  5. #15

    Re: Check your Delphi’s installation – it may be infected

    I commented the sources of that virus (in Spanish) and it's a simple "rabbit" (it just spreads itself without harming anything). We at Club Delphi forums think it's just a concept test, a toy, maybe to check how it grows, how much time is needed for it to be discovered by AV, etc. Actually the implementation is rough and I'm sure there are better ways to do the same, even making the "source" virtually invisible.

    I hope nobody uses that idea to create a self-replicating trojan...

  6. #16

    Re: Check your Delphi’s installation – it may be infected

    Jarrod Davis
    Technical Director @ Piradyne Games
