views: 761
answers: 5
I just noticed that a recent upgrade of Take Command is reported as being infected with this virus, and an update to NOD in the last few hours added the ability to detect that virus, which is why I became aware of it. In this case, judging by the contents of the article linked to in the answer I accepted, it looks like it is a false positive.

Nevertheless...

Apparently, this virus only runs when an infected program runs, but it then tries to locate a Delphi installation, finds the SysConst.pas file, and adds the necessary code in there to make Delphi compile new programs with the virus in place.

I don't have Delphi installed on this machine, however, so that should at least make this problem a small one here, but at work we have a few machines with Delphi installed. Luckily I don't have Take Command in an updated form on my work machine, but who's to say there aren't plenty of other programs out there written in Delphi that people have updated recently...

So, I thought I'd ask. Has anyone seen a live infected SysConst.pas file, and could provide some sample code that shouldn't be in there, so that we can run through the machines and ensure that we don't have a problem?

+8  A: 

This article should have the information you're looking for.

Mason Wheeler
+3  A: 

I've seen it. Still a little confused by it. When the first notice of it went out, I only looked at the .pas file. I didn't find anything wrong with the .pas file and left it for the day. THEN I researched a little more carefully and went to look at the .dcu files. I found TWO infected .DCU files. Both were 18K in length, rather than 12K, which was one tipoff. The second tipoff was finding the CreateFile with 0,0,0,3,0,0 as the last six parameters. I copied the uninfected SysConst.DCU file from the DEBUG folder up into LIB. I then re-built the apps that were infected, five in all. One dated back to June 22. The others more recently. One app built the same weekend as two other infected apps, reported clean. But I rebuilt it anyway.

I have been running the ZoneAlarm Security Suite Anti-Virus, licensed from Kaspersky, and it kept giving me clean reports on the infected apps right through till about five hours ago. I had to scan the apps with Avast! to learn which ones were actually infected up until then. I had been teetering on discarding ZA's AV, but this clinches the deal. I know I don't want any false positives, but they are a whole lot less annoying than any missed positives. One of the five affected clients was NOT happy. And I can't blame him.

One last interesting bit (I am using Delphi 7.1 of course). The new (old?) SysConst.dcu from debug is 11,681 bytes long, whereas the .bak file I presume the nasty piece of business created out of the original is 11,658 bytes long. Don't know if it is significant, but I'm keeping both around. And I'll be checking out the dcu before compiling for the next little while. It's a bother, but paranoia rules the day around here for the next little while.

GM Mugford
+5  A: 

Check this article from the guy who discovered that virus.

See the chapter "Am I infected?".

Aleksey Timohin
+5  A: 

I've been analysing the virus. The information circulating on the web, that it infects all executables compiled on an infected machine, isn't quite correct. It only infects executables compiled WITHOUT the VCL runtime package AND without debug DCUs.

If you compile with packages, the SysConst unit is already in the compiled VCL package, which isn't affected.

And the virus only adds itself to the non-debug version of the SysConst.dcu file.

Otherwise, what I've read so far on the web is accurate. The virus copies the SysConst.pas file up to the 'implementation' line, then appends itself to the new file (SysConst.pas has an empty implementation section - it's only constant declarations). It backs up the original SysConst.dcu to SysConst.bak, compiles the infected source code copy to a new SysConst.dcu and then deletes the source copy. Finally, it sets the file creation and modification date of the new infected dcu file to match the old clean one. Sneaky!

It does nothing other than duplicate - there's no malignant payload.

Mike Scott
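The answers above give three on-disk indicators a defender can check without a signature update: a leftover `SysConst.bak` next to `SysConst.dcu`, a non-debug `SysConst.dcu` that is far larger than the debug one (roughly 18K versus 12K was reported), and a `CreateFile` reference inside a unit that should contain nothing but constant declarations. The script below is an added example, not code from this thread or from any of the posters; it assumes a Delphi 7-style layout with `Lib\SysConst.dcu` and `Lib\Debug\SysConst.dcu`, and the `SIZE_RATIO_THRESHOLD` and the fixture sizes are constructed assumptions, not values taken from a real infection.

```python
"""Heuristic check of a Delphi Lib folder for the SysConst.dcu infection described above.

Added example for this thread (hypothetical layout and thresholds). Timestamps are
deliberately NOT used: the infector copies the clean dcu's dates onto the new file.
"""
import hashlib
import os
import sys
import tempfile

SIZE_RATIO_THRESHOLD = 1.25          # assumption: Lib dcu more than 25% larger than Debug dcu is suspect
SUSPECT_STRINGS = (b"CreateFile",)   # SysConst only declares constants; a file API import is anomalous


def fingerprint(path):
    """(size, sha256) of a file, for keeping a baseline of the dcu between builds."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data), hashlib.sha256(data).hexdigest()


def scan_sysconst(lib_dir, debug_dir=None):
    """Return a list of indicator strings; an empty list means nothing suspicious was seen."""
    findings = []
    lib_dcu = os.path.join(lib_dir, "SysConst.dcu")
    bak = os.path.join(lib_dir, "SysConst.bak")
    if os.path.exists(bak):
        findings.append("SysConst.bak present in Lib (the infector backs the original dcu up there)")
    if not os.path.exists(lib_dcu):
        findings.append("Lib SysConst.dcu missing")
        return findings
    lib_size, _ = fingerprint(lib_dcu)
    with open(lib_dcu, "rb") as fh:
        data = fh.read()
    for needle in SUSPECT_STRINGS:
        if needle in data:
            findings.append(f"{needle.decode()} referenced inside SysConst.dcu (unit declares constants only)")
    if debug_dir:
        debug_dcu = os.path.join(debug_dir, "SysConst.dcu")
        if os.path.exists(debug_dcu):
            debug_size, _ = fingerprint(debug_dcu)
            if lib_size > debug_size * SIZE_RATIO_THRESHOLD:
                findings.append(f"Lib dcu is {lib_size} bytes versus {debug_size} bytes in Debug")
    return findings


def build_fixture(root, infected):
    """Create a constructed Lib/Debug layout under root; sizes are made-up sample values."""
    lib = os.path.join(root, "Lib")
    debug = os.path.join(lib, "Debug")
    os.makedirs(debug, exist_ok=True)
    with open(os.path.join(debug, "SysConst.dcu"), "wb") as fh:
        fh.write(b"DCU" + b"\x00" * 11678)            # 11681 bytes, like the debug dcu reported above
    if infected:
        with open(os.path.join(lib, "SysConst.bak"), "wb") as fh:
            fh.write(b"DCU" + b"\x00" * 11655)        # backup of the clean dcu left behind
        with open(os.path.join(lib, "SysConst.dcu"), "wb") as fh:
            fh.write(b"DCU" + b"\x00" * 9000 + b"CreateFileA\x00" + b"\x00" * 9417)  # inflated, imports CreateFile
    else:
        with open(os.path.join(lib, "SysConst.dcu"), "wb") as fh:
            fh.write(b"DCU" + b"\x00" * 11655)        # 11658 bytes, clean
    return lib, debug


def demo():
    """Run the scan over a clean and an infected constructed fixture; returns both finding lists."""
    results = []
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as root:
            lib, debug = build_fixture(root, infected)
            results.append(scan_sysconst(lib, debug))
    return tuple(results)


if __name__ == "__main__":
    if len(sys.argv) > 1:                               # usage: script.py C:\Delphi7\Lib
        lib_dir = sys.argv[1]
        for line in scan_sysconst(lib_dir, os.path.join(lib_dir, "Debug")) or ["no indicators found"]:
            print(line)
    else:
        clean, bad = demo()
        print("clean fixture:", clean)
        print("infected fixture:", bad)
```

Point it at the real `Lib` folder on each build machine and treat any finding as a reason to restore `SysConst.dcu` from a known-good source and rebuild, as the answers above did; recording `fingerprint()` of the dcu after the restore gives a baseline to compare against before later builds.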
+1  A: 

OK, so we got hit. We restored the compiler back, but is there any way to remove/identify the infecting agent? I can't believe it's a drive-by infection. I am assuming whatever gave this to our build box isn't still hanging around.

This Monday's morning standup meeting is going to be very interesting at our shop....

MikeJ
Just run a full system scan with your virus checker and it will find the culprit (if not already deleted). This harmless (this time) virus has been circulating since April but the major virus checkers have only started detecting it this week, causing the headaches around the world.
frogb