
Check your Delphi's installation – it may be infected



Pyrogine
18-08-2009, 10:11 PM
The topic says it all. I just saw this post and my heart stopped beating for a moment. He says D4-7 and I run D2009, but still. I checked just to make sure. This is nuts, man.

http://blog.eurekalog.com/?p=244

and

http://jamiei.com/blog/2009/08/malware-specifically-targeting-delphi/

Sigh!

AthenaOfDelphi
19-08-2009, 08:07 AM
Nice shout Jarrod.

Needless to say, I'm forwarding this to everyone I can think of that uses one of the affected versions.

AthenaOfDelphi
19-08-2009, 08:19 AM
Something else to add... an idea that's been suggested by one of the guys here is to actually go through your installations and set SysConst.pas to be read-only and keep backup copies of the SysConst files (pas and dcu)... just in case.

noeska
19-08-2009, 09:36 AM
Is this the only possible file, or do other files also need to be secured?
Also, are Delphi versions above 7 affected or not?

Wizard
19-08-2009, 10:26 AM
Checked SysConst.dcu in both Delphi versions 6 and 7 and the string “CreateFile(pchar(d+$bak$),0,0,0,3,0,0);” could not be found so I'm safe.

Hope so!!

Thanks for the heads-up!!!

vgo
19-08-2009, 10:27 AM
Only the compiled sysconst.dcu is infected, the source code remains unchanged.

Delphi 2007 and 2009 aren't affected by this.

AthenaOfDelphi
19-08-2009, 10:39 AM
Only the compiled sysconst.dcu is infected, the source code remains unchanged.

Delphi 2007 and 2009 aren't affected by this.


From one of the articles:-



For each found instance of Delphi:

1. It makes a copy of the SysConst.pas file and injects itself into it.
2. It compiles the new SysConst.pas and places the new infected dcu-file into the Lib folder.



The source code is deleted after SysConst is recompiled meaning you can't recover it without extracting it from a backup or the original install files.

paul_nicholls
19-08-2009, 10:46 AM
Checked SysConst.dcu in both Delphi versions 6 and 7 and the string “CreateFile(pchar(d+$bak$),0,0,0,3,0,0);” could not be found so I'm safe.

Hope so!!

Thanks for the heads-up!!!


Ditto for me too, so it appears I'm safe at work and home...phew!
cheers,
Paul

Pyrogine
19-08-2009, 02:17 PM
I found this on the avast forum:

http://forum.avast.com/index.php?topic=47738.msg402787#msg402787

Sigh... I wonder how many Delphi apps made with those versions are infected and on our machines?

arthurprs
19-08-2009, 04:42 PM
:o
PS: I just checked, I'm not infected.

Pyrogine
19-08-2009, 04:45 PM
Shows the injected source code:
http://www.viruslist.com/en/weblog?weblogid=208187826

and more:
http://news.cnet.com/8301-27080_3-10312628-245.html
http://www.sophos.com/blogs/sophoslabs/?p=6117

noeska
20-08-2009, 08:37 AM
Can the Delphi dcu be protected with a checksum? And run a check on that once in a while?
So do a clean install, make checksums, and only when Delphi is updated must a new checksum be made.
Actually Delphi should have a feature like this built in and display a warning when such a thing happens. It should give you the option to update the checksum when you want to use an updated version yourself.

With the Pro versions providing the sources, don't these get recompiled? So with the original sysconst.dcu mangled by the virus, can't we recompile sysconst.pas to get a new clean .dcu?

Pyrogine
20-08-2009, 12:31 PM
I was thinking... most people running XP, for example, are running in full admin mode... and if this thing manipulates files directly, then setting the file to read-only makes no difference, no? It's now doing the very same thing that the programmer running in full admin mode can do. If I can go to a file and change the attribute or whatever, then it can do the same thing too. This is what's so scary about it.

From what I understand it deletes the original sysconst.pas, so you have to replace it from a fresh install. It seems to know that it's infected by looking for sysconst.bak, so this can be one way to have an initial barrier for it. But remember the advantage it has is that it actually gets compiled on the target machine, which means there is an opportunity for it to do more damage. How long before someone updates this to work with higher versions of Delphi and to do more damaging things? Sigh.

Also, all the infected Delphi installs that have apps that are infected that may be on our machines right now. Think about it for a moment... say someone modified this to do some really serious stuff; it could be waiting in hundreds of Delphi-made apps to go off and cripple hundreds, thousands of machines. Man.

It just brings home the fact that we all have to be much more careful and proactive as developers. More worries to add to our already overloaded plate. Heh.
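The checks discussed in this thread (Wizard's byte search for the marker string in SysConst.dcu, noeska's idea of a hash baseline over the Lib folder, and the sysconst.bak file Pyrogine mentions) pulled together into one script. This is an added example written for this page, not code from the linked articles or from any of the posters. It assumes the marker string exactly as quoted above, that an infected install leaves a SysConst.bak beside the .dcu in the Lib folder, and it runs against a constructed temporary Lib folder rather than a real Delphi installation:

```python
"""Scan a Delphi Lib folder for the Induc marker and keep a hash baseline of its units."""
import hashlib
import json
import tempfile
from pathlib import Path

# Marker quoted in this thread. The virus carries its own source as a string
# constant inside the recompiled SysConst.dcu, so a plain byte search finds it.
INDUC_MARKER = b"CreateFile(pchar(d+$bak$),0,0,0,3,0,0);"

# File types worth baselining: compiled units, their sources, and the .bak the
# thread says the virus leaves behind (assumption: it lands in the Lib folder).
BASELINE_SUFFIXES = (".dcu", ".pas", ".bak")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_marker(lib_dir, marker=INDUC_MARKER):
    """Relative paths of .dcu files under lib_dir that contain the marker."""
    lib_dir = Path(lib_dir)
    return [p.relative_to(lib_dir).as_posix()
            for p in sorted(lib_dir.rglob("*.dcu"))
            if marker in p.read_bytes()]


def build_baseline(lib_dir):
    """Map relative path -> sha256 for every baselined file under lib_dir."""
    lib_dir = Path(lib_dir)
    return {p.relative_to(lib_dir).as_posix(): sha256_file(p)
            for p in sorted(lib_dir.rglob("*"))
            if p.is_file() and p.suffix.lower() in BASELINE_SUFFIXES}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_baseline(lib_dir, baseline):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(lib_dir)
    return {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo_on_constructed_lib():
    """Offline walk-through on a constructed Lib folder, before and after 'infection'."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        lib.mkdir()
        # Constructed stand-ins for the real units; the bytes are arbitrary.
        clean_dcu = b"DCU clean sysconst " + bytes(range(32))
        (lib / "SysConst.dcu").write_bytes(clean_dcu)
        (lib / "SysConst.pas").write_bytes(b"unit SysConst;\nend.\n")
        (lib / "SysUtils.dcu").write_bytes(b"DCU sysutils")
        baseline = build_baseline(lib)          # what you would save after a clean install
        hits_before = scan_for_marker(lib)

        # Simulate what the thread describes: the .pas is deleted, the .dcu is
        # replaced by a recompiled one carrying the virus source, a .bak appears.
        (lib / "SysConst.pas").unlink()
        (lib / "SysConst.dcu").write_bytes(b"DCU infected " + INDUC_MARKER + b" tail")
        (lib / "SysConst.bak").write_bytes(clean_dcu)

        return {
            "hits_before": hits_before,
            "hits_after": scan_for_marker(lib),
            "diff": compare_baseline(lib, baseline),
        }


if __name__ == "__main__":
    print(json.dumps(demo_on_constructed_lib(), indent=1))
```

Against a real install, call build_baseline on the Lib folder right after a clean install and store the result with save_baseline; compare_baseline later lists what changed, appeared or went missing, and scan_for_marker catches the known string even without a baseline. The comparison is against stored hashes rather than file attributes because, as Pyrogine notes, a process running with your rights can clear a read-only flag just as you can.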

WILL
20-08-2009, 10:50 PM
Wow, BASIC programmers will stoop to no end, huh? ;)

Well, this is news worth spreading. However, as compiler/language politics goes, it seems like this was geared to attack Object Pascal programmers. I'm glad to say that I don't think there will be a retaliation, but if there was I wouldn't hold it against that person much. :P

All in all, why couldn't they just go and attack those whiny C programmers' compilers instead? Since there are so many of them.

This will definitely become a mention on the next issue of Pascal Gamer Mag.

Ñuño Martínez
21-08-2009, 11:53 AM
I commented the sources of that virus (in Spanish :P) (http://www.clubdelphi.com/foros/showthread.php?p=358546#post358546) and it's a simple "rabbit" (it just spreads itself without harming anything). We at the Club Delphi forums think it's just a concept test, a toy, maybe to check how it grows, how much time it takes to be discovered by AV, etc. Actually the implementation is rough and I'm sure there are better ways to do the same, even making the "source" virtually invisible.

I hope nobody uses that idea to create a self-replicating trojan...

Pyrogine
26-08-2009, 03:34 AM
Another commentary:

http://www.felix-colibri.com/papers/delphi/delphi_induc_a_virus_anatomy/delphi_induc_a_virus_anatomy.html