New Virus makes Delphi users vulnerable

Delphi environments at risk

August 20, 2009

Kaspersky Lab reports detection of Virus.Win32.Induc.a, a virus that spreads via CodeGear Delphi, an integrated software development environment. Protection from the latest threat is already available in all Kaspersky Lab products.

Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables.

The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu.

The virus is not currently a threat – apart from infection there is no other payload. It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of developers publishing .dcu files have already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cyber criminals to make it more destructive.

Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.
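Because the infection rewrites Sysconst.dcu on the build machine, the compiled unit can also be audited directly. The script below is an added example, not Kaspersky Lab's detection logic: it assumes you keep your own baseline of SHA-256 hashes taken from known-clean installs, and the function name, the one-day slack and the modification-time heuristic are assumptions made for illustration.

```python
import hashlib
import os
import statistics
import sys

TARGET = "sysconst.dcu"  # matched case-insensitively, as Windows file names are


def sha256_of(path):
    """Hash a file in chunks so large units do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_delphi_units(root, trusted_hashes, mtime_slack=86400):
    """Return [(path, [reasons])] for every Sysconst.dcu under root that looks altered.

    trusted_hashes: SHA-256 hex digests recorded from clean installs (assumption).
    mtime_slack: seconds a unit may be newer than its siblings before it is flagged.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.lower() == TARGET]
        if not hits:
            continue
        # Units installed together normally share an install-time timestamp.
        siblings = [os.path.getmtime(os.path.join(dirpath, f)) for f in files
                    if f.lower().endswith(".dcu") and f.lower() != TARGET]
        for name in hits:
            path = os.path.join(dirpath, name)
            reasons = []
            if sha256_of(path) not in trusted_hashes:
                reasons.append("hash not in trusted baseline")
            if siblings and os.path.getmtime(path) - statistics.median(siblings) > mtime_slack:
                reasons.append("rebuilt later than sibling units")
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Usage: script.py <delphi_root> [trusted_sha256 ...]
    for path, reasons in audit_delphi_units(sys.argv[1], set(sys.argv[2:])):
        print(path, "->", "; ".join(reasons))
```

A hash mismatch on its own can also mean a legitimate patch or a different Delphi edition, so treat a finding as a prompt to rebuild the unit from trusted media rather than as proof of infection.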