W32/Induc-A virus infects Delphi sysconst.dcu
Postkutscher,
>> did you try to use the *.bak file of the infected *.dcu, which this virus respectively does for you?
There is no BAK of the infected unit. The normal one is renamed BAK and the infected is DCU. The source, PAS, is untouched (obviously). It contains nothing but SYStem CONSTants. So you can rename the normal one (7.5k) from BAK to DCU, overwriting the infected one (17.4k) and all is fixed.
What I'd like to know is whether an infected EXE will, on a developer's machine, recreate the infected SysConst.dcu???
eitang,
>> What I'd like to know is whether an infected EXE will, on a developer's machine, recreate the infected SysConst.dcu???
Yes, that's how the virus spreads and that's how you got infected, too.
Roman
Suppose you press Ctrl+F, select the FTP connection (with a saved password), but instead of clicking Connect, you drop dead.
eitang wrote: What I'd like to know is whether an infected EXE will, on a developer's machine, recreate the infected SysConst.dcu???
As Hacker said, yes, it will. If you run an infected exe, it infects the SysConst.dcu again. All the articles I read say that. But you could stop this by using an account that does not have write access to the files this virus tries to infect. You could change file permissions to prevent writing into those files.
- ghisler(Author)
No, probably not - you can rename a file even when it has the read-only attribute set, and the virus seems to do just that (rename the file to *.bak, then create new one).
Author of Total Commander
https://www.ghisler.com
Boofo wrote: Please let me know when they update ICLRead and ICLView as I can't read Russian.
Updated:
ICLRead 1.4.1.1
ICLView 21.8.2009
changelog wrote: F: Delphi virus fix.
changelog wrote:
* Delphi virus fix;
+ save to 32bit icl files;
+ show library is 32 or 16 bit in status bar;
* height of status bar fix.
Donate for Ukraine to help stop Russian invasion!
Ukraine's National Bank special bank account:
UA843000010000000047330992708
Boofo wrote: Wouldn't making SysConst.dcu readable only fix the problem from happening again in the future? Or does it need to be written to, also?
The read-only attribute probably won't help. But changing the NTFS file permissions so that your account has only read & execute rights and no write or modify access to the file would help, especially if you use a limited user account that can't take ownership of any file.
The file sizes given in eitang's post of August 23, 8:12 am for the SysConst.dcu file (7.5k for the normal DCU and 17.4k for the infected one) are both significantly different from the file size of my SysConst.dcu being 12,354 bytes on all of my computers. I am using the German version of Delphi 7. Does anybody know the file sizes relevant to this Delphi version (original and infected)?
I could not find a SysConst.bak file. Can I therefore be sure that my Delphi has not been infected by the W32-Induc.A virus?
Michael Diegelmann wrote: The file sizes given in eitang's post of August 23, 8:12 am for the SysConst.dcu file (7.5k for the normal DCU and 17.4k for the infected one) are both significantly different from the file size of my SysConst.dcu being 12,354 bytes on all of my computers. I am using the German version of Delphi 7. Does anybody know the file sizes relevant to this Delphi version (original and infected)? I could not find a SysConst.bak file. Can I therefore be sure that my Delphi has not been infected by the W32-Induc.A virus?
I think 100% warranty you will get if you reinstall Delphi - in this case all your standard modules will be replaced with their original copies.

Also if you have virtual machine installed, you may install Delphi into it and check this file size and contents. Also you may try to check out your Delphi distributive. If its files are unpacked, or you may find unpacker for its installer (e.g. if it made with InstallShield), you may get files w/o (re)installing Delphi.
In Vista/7 with UAC user may restrict write-access to system Delphi folders (Bin folder, folder with standard modules etc) in order to protect them from such viruses.
To MVV: Well, reinstalling Delphi - that's what I wanted to avoid and therefore I had asked if someone just knew the file sizes of SysConst.dcu of the German Delphi 7 version.
Concerning the virtual machine approach: Yes we do have a Delphi 7 installation in a VMWare environment in our university computer center and I definitely had in mind to check this protected installation next week (already before getting your advice). Thank you anyway.
Result when checking the Delphi 7 installation in a VMWare environment (virtual machine) in our Rosenheim University of Applied Sciences computer center (created 2008-10-28): No SysConst.bak file found and SysConst.dcu has the same file size (12,354 bytes) as on my machines in the office.
Conclusion: No W32-Induc.A infection on any of these computers.
Question to the Delphi developers community: I think programming a little utility which is launched as a service application at system startup and then periodically checks for suspicious changes in the %ProgramFiles%\Borland\Delphi7\Lib subdirectory containing the dcu files in question should be a fairly easy job. What's your opinion about this idea? Would that be helpful or does current up-to-date antivirus software (Kaspersky, Sophos etc.) now provide sufficient protection against this kind of viruses attacking the development environment?
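The periodic check proposed in the post above, as an added example that is not code from any participant in this thread: it baselines every .dcu in a library directory by SHA-256 (file sizes differ between Delphi editions, as the thread shows, so a fixed size is not a usable indicator) and reports changed units and .bak siblings. The directory, file contents and sizes used in `demo()` are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(lib_dir):
    """Map each *.dcu file name (lowercased) to (size, sha256 hex digest)."""
    result = {}
    for p in Path(lib_dir).iterdir():
        if p.is_file() and p.suffix.lower() == ".dcu":
            data = p.read_bytes()
            result[p.name.lower()] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def check(lib_dir, baseline):
    """Compare the directory against a known-clean baseline; return findings."""
    current = snapshot(lib_dir)
    findings = []
    for name, (size, digest) in sorted(baseline.items()):
        if name not in current:
            findings.append(f"MISSING {name}")
        elif current[name][1] != digest:
            findings.append(f"CHANGED {name}: {size} -> {current[name][0]} bytes")
    for name in sorted(set(current) - set(baseline)):
        findings.append(f"NEW {name}")
    # Symptom described in the thread: the original unit is renamed to *.bak
    # and a new *.dcu is created beside it.
    for p in sorted(Path(lib_dir).iterdir()):
        if p.suffix.lower() == ".bak" and p.with_suffix(".dcu").name.lower() in current:
            findings.append(f"BAK-SIBLING {p.name}")
    return findings


def demo():
    """Constructed stand-in for a Delphi Lib directory (dummy bytes only)."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        (lib / "SysConst.dcu").write_bytes(b"A" * 7500)   # constructed size
        (lib / "SysUtils.dcu").write_bytes(b"B" * 100)
        baseline = snapshot(lib)          # taken while known clean
        clean = check(lib, baseline)
        # Reproduce the rename-then-recreate pattern with dummy content.
        (lib / "SysConst.dcu").rename(lib / "SysConst.bak")
        (lib / "SysConst.dcu").write_bytes(b"C" * 17400)  # constructed size
        return clean, check(lib, baseline)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The baseline is only meaningful if it is taken from a fresh install or a protected VM copy, and it should be stored where the account running Delphi cannot write.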