I tried to email a DLL-file built with Delphi but received a rejection email reporting:

"Your email was rejected because it contains the Trojan.Delf-9364"

So I uploaded the file to http://scanner.novirusthanks.org and sure enough it reports a positive in one of the virus scanners:

"F-PROT6 20100630 4.5.1.85 W32/Swizzor-based.2!Maximus"

I then built an empty exe-file (File - New - VCL Forms Application) and uploaded again, this time I get another positive:

"VBA32 01/07/2010 3.12.12.2 Trojan.Win32.Swisyn.acyl"

More details here: http://scanner.novirusthanks.org/analysis/e59033c40f1a6e37c210cb1c4f40f059/UHJvamVjdDEuZXhl/

So I'm not sure how to interpret these results. Are all the above false positives, is my computer infected with a virus that infects all binaries, or is my copy of Delphi infected with a Delphi-specific virus? I use AVG antivirus and it reports no problems on my computer. Perhaps someone else with Delphi 2010 can try uploading a project1.exe and see if they receive different results?

+3  A: 

Yeah, I just uploaded a blank project from D2010 and got "VBA32 01/07/2010 3.12.12.2 Trojan.Win32.Swisyn.acyl" too. Looks like a false positive to me.

This has happened a few times in the past. Delphi's very good at creating software that works well very quickly. But unfortunately, that holds true even when the "software" in question is evil. It's been so widely used for nefarious purposes that there have been a few incidents of antivirus makers inserting a "virus signature" in their definitions that was actually part of the VCL or RTL. Looks like something similar's happened again. You ought to report this as a false positive.

Mason Wheeler
Thanks for testing, I agree it's probably a false positive. It's just a weird coincidence that suddenly three different scanners report Delphi files as positive, all with a different name of the trojan. Perhaps Embarcadero could be one step ahead here and keep the antivirus vendors supplied with recent copies of harmless Delphi files for their databases of uninfected files, to avoid this happening in the future.
Ville Krumlinde
@VilleK - Good idea, but it won't work, as the AV companies have been inoculated against common sense. It's a good thing they're not in charge of airport security, or we'd all have been arrested for bearing some sort of resemblance to known terrorists. Or shot.
Chris Thornton
+6  A: 

I think it is a false positive. There have been more questions here about Delphi applications detected as a virus, but those were all false positives.

Report this as a false positive.

There is a virus that infects your Delphi installation (4,5,6,7) by modifying SysConst.pas and compiling it, leaving a SysConst.bak in your lib directory. You can check for this. Follow this link for more information: http://www.securelist.com/en/weblog?weblogid=208187826
But you are on Delphi 2010, so you are not affected by that virus.

The_Fox
I did check that before posting. None of the files in the lib-directory are recently modified, and there is no bak-file. But you are right, this is probably a false positive.
Ville Krumlinde
Also, he says he's using D2010, so that virus doesn't affect him.
Mason Wheeler
I'm sorry, I missed the 2010 part. I edited my answer.
The_Fox
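The SysConst check described in this answer, written out as an added Python example that is not from the thread: it looks for the SysConst.bak leftover and for SysConst.pas / SysConst.dcu stamped much later than the rest of the lib directory. The sample directory it builds is constructed, not a real Delphi install; the lib path and the seven-day slack are assumptions.

```python
import os
import statistics
import tempfile
import time
from pathlib import Path

# Indicators taken from the answer: the infector rewrites SysConst.pas, recompiles
# it, and leaves SysConst.bak behind in the lib directory.
SUSPECT = ("sysconst.pas", "sysconst.dcu")
LEFTOVER = "sysconst.bak"


def check_delphi_lib(lib_dir, slack_days=7):
    """Return a list of findings for a Delphi lib directory (empty = nothing found)."""
    lib = Path(lib_dir)
    files = {p.name.lower(): p for p in lib.iterdir() if p.is_file()}
    findings = []
    if LEFTOVER in files:
        findings.append(f"{files[LEFTOVER].name} present (leftover of the infector)")
    # Baseline: an untouched install is stamped at install time, so use the median
    # mtime of every file that is not SysConst* as "normal" (slack_days is assumed).
    others = [p.stat().st_mtime for n, p in files.items() if not n.startswith("sysconst")]
    if not others:
        return findings
    baseline = statistics.median(others)
    for name in SUSPECT:
        if name in files:
            age_gap = (files[name].stat().st_mtime - baseline) / 86400
            if age_gap > slack_days:
                findings.append(f"{files[name].name} modified {age_gap:.0f} days after the rest of lib")
    return findings


def make_sample_lib(infected):
    """Constructed sample directory (not a real Delphi install) for trying the check."""
    d = Path(tempfile.mkdtemp(prefix="delphi_lib_"))
    install = time.time() - 400 * 86400  # pretend everything was installed 400 days ago
    for name in ("System.dcu", "SysUtils.dcu", "Classes.dcu", "SysConst.dcu", "SysConst.pas"):
        (d / name).write_bytes(b"placeholder")
        os.utime(d / name, (install, install))
    if infected:
        now = time.time()
        (d / "SysConst.bak").write_bytes(b"placeholder")  # original kept by the infector
        for name in ("SysConst.dcu", "SysConst.pas"):
            os.utime(d / name, (now, now))  # freshly rewritten and recompiled
    return d
```

Point `check_delphi_lib` at the real lib directory of a Delphi 4-7 install to run the check; an empty list means neither indicator was found.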
+2  A: 

AV companies suck a lot, what's new about that? Embarcadero should treat them with legal issues for their false positives

walker
Well to be fair to the AV-manufacturers they do have a very difficult job trying to keep up with the trojan-creators. I guess the concept of Malware signature databases does not work very well anymore. False positives will constantly increase as the signatures are getting vaguer to catch all the variants and self-modifying trojans.
Ville Krumlinde
+1  A: 

@VilleK try giving the Delphi project assembly information like Name, Version etc. I too faced a similar situation some time back.

Check Delphi 7, McAfee and Virus to know more. I feel this applies to Delphi 2010 too.

Senthil Kumar B