Author Post
kulka1
Posts: 81

Posted: Thu 08.10.09 22:34
hello,

I dug out an old project and rewrote it, because somehow I no longer had the .pas, only the .dpr, but that doesn't help me at all =(

so my actual problem: I start the project, but then AntiVir shows me a virus alert that comes from the projekt.exe, and after that I get a message that the program can't be created -.-*

all other programs work without problems, though,

does anyone know what could be causing this?!


Last edited by kulka1 on Fri 09.10.09 14:59; edited 1 time in total
Luckie
Former member
Thanks received: 1

Posted: Thu 08.10.09 22:36
Please just use the forum search.
kulka1 Thread starter
Posts: 81

Posted: Thu 08.10.09 23:05
oops, didn't know the topic was so current^^

but even with all those posts I still don't really know what I'm ultimately supposed to do!

if I turn AntiVir off, the program works, but only then^^

and in the long run that's not a good solution either
Luckie
Former member
Thanks received: 1

Posted: Fri 09.10.09 01:04
kulka1 wrote:
but even with all those posts I still don't really know what I'm ultimately supposed to do!

None of the posts said that you should send the compiled program to AntiVir so that they can adjust their signature? I really can't believe that.

And one more thing: your program will always need administrative rights. The VCL class TRegistry always opens keys with full access rights. Since you only want to read from HKLM, it is enough to specify KEY_READ in the constructor. Then no administrator rights are needed either.
PreMarT
Posts: 57

Work: Win XP ; Home: Win Vista 64-Bit

Posted: Fri 09.10.09 09:35
Frequently Asked Questions about the W32/Induc-A Virus (Compile-A-Virus)
By: Nick Hodges

Abstract: This is a set of Frequently Asked Questions about the W32/Induc-A “compile-a-virus” virus that can attack old versions of the Delphi development tool.

What versions of Delphi are affected?
This virus affects only Delphi versions 4 – 7 released between 1998 and 2002. The W32/Induc virus does not affect newer versions of Delphi from v2005 thru v2009 or the upcoming v2010.

What versions of Delphi are NOT affected?
This virus does not affect more current versions of Delphi. Delphi 2006, 2007, 2009, and the new 2010 release are not affected by this virus.

What is this virus?
This virus is called "Compile-a-Virus". It is also referred to as "W32/Induc-A".

Is the Delphi IDE or the language distributing this virus?
No, the versions of Delphi that are vulnerable to this attack (v4 thru v7) do not come with this virus nor is the virus in the language. It is “caught” by downloading and running an infected EXE or DLL.

Is Delphi Prism affected?
No, Delphi Prism is not affected by this virus.

What does this virus do?
This virus does nothing to versions of Delphi newer than Delphi 7 (2002). If a machine is infected, the virus W32/Induc-A doesn't do anything malicious or create damage other than spread itself.

What the virus does do is embed itself into an installation of Delphi version 4, 5, 6 or 7. Then, when an infected version of Delphi builds an EXE or a DLL, it embeds itself into that resulting binary. When the code for that EXE or DLL is run, it then looks for installed versions of Delphi 4 thru 7 and replicates itself into any installations that it finds. Then, that installation will in turn produce EXE and DLL files that will look to replicate itself anywhere it is run.

Again, the virus looks only for an installation of Delphi 4 -7. Specifically, if it finds one of those Delphi versions, it searches for the SYSCONST.PAS file. It opens that file, injects code into it, compiles the file, and replaces the shipped version of SYSCONST.DCU with the new infected version. It then deletes the SYSCONST.PAS file it created. (The virus doesn’t alter any *.PAS files on the system). The injected code simply causes the execution of code containing SYSCONST.DCU to replicate the virus.

Is this a problem unique to Delphi?

This particular virus seeks out Delphi v4 thru v7 but this type of virus is not in any way unique to Delphi and could affect any development environment from Eclipse to Visual Studio.

Who is vulnerable to this infection?
Installations of Delphi 4 - 7 can be affected by W32/Induc-A. If an infected EXE or DLL file is run on a machine without Delphi 4 - 7 installed on it, then the virus does nothing. Virus scanners are now starting to report this infection as a virus to those people with infected binaries.

How do I know if I've been infected?
Detecting if your Delphi installation has been infected is fairly easy. It only affects Delphi versions 4 to 7. The easiest way to tell if you have been infected is to search for the presence of SYSCONST.BAK in the <delphi>\lib directory of your Delphi installation. The virus creates this file as part of its actions. If that file is present, you are likely infected (unless you know that you yourself created this file for some reason).

If you have a SYSCONST.BAK in your \lib directory, then you can open up SYSCONST.DCU in a hex editor or even in a text editor like notepad. You can search for the code "CreateFile(pchar(d+$bak$),0,0,0,3,0,0);" in that DCU file. If it is present, you are infected.

If I have it, how did I get it?
If you have the virus, you got it by running an EXE or DLL file on your machine that was already infected with this virus. Delphi is a very popular development tool, particularly among ISV and MicroISV developers. If you received an infected binary you may have received it from an application download.

What are the implications of being infected?
If your machine is infected, the EXE and DLL files that you produce will infect any unprotected machine where your EXE or DLL is run and that has Delphi 4 – 7 installed.

But note again that this virus doesn't do anything malicious apart from spreading itself. However, if you detect that you have the virus and have distributed known infected files, it is prudent to notify file recipients and point them to this FAQ for more information.

How do I remove the virus from my Delphi installation?

To remove the virus you should:

Delete the infected SYSCONST.DCU file on your system.
Replace it with the SYSCONST.DCU file from your installation media. Delphi versions 4 -7 include a complete install image on their CD, so you can simply copy that file from your DVD to your installation.

How do I make sure that it doesn't come back?
or
I don't have the virus. How do I make sure that I don't get it?

This virus does not affect Delphi version 2005 thru 2010. However, if you are running older copies of Delphi v4 thru v7 then the most effective way to ensure that you don’t get the virus is to move your copy of DCC32.EXE to a different directory. The IDE of these older versions doesn’t require the command line compiler, so this will not affect the execution of the product.

You can also prevent the virus from doing anything to your installation again by leaving a file named SYSCONST.BAK in the same location where you found it. The file can be empty. The virus checks for the presence of this file, and if it finds it, it does nothing. Leaving a blank SYSCONST.BAK file in the same location as your SYSCONST.DCU file will ensure that the virus will do nothing.

In addition, you can mark all of the files in your \lib directory as read-only. This will prevent the virus from changing them.

How do I tell if I have executable files on my system that are spreading this virus?

This is a relatively new virus, and so virus scanning software is just starting to recognize it. A number of vendors are already identifying binaries with this infection, and undoubtedly, most will follow suit soon. The best way to detect the virus is to ensure that your anti-virus software knows about W32/Induc-A and run a virus scan on your system.

The binaries I am producing are infected, what can I do?
Of course you first need to rid your system of the virus – See above. The only way to get rid of the virus that is already in an existing EXE or DLL is to recompile that binary with a clean system.

Does this affect packages built with Delphi 4 - 7?
It is possible but unlikely. By default, packages are not affected. A package can become infected if you manually choose not to link against our RTL.DCP file and manually link in an infected SYSCONST.DCU. The overwhelming majority of developers will not have done this, and if you have, then you’ll be able to recompile those packages with a clean system.

What else can I do to protect myself?
There are a number of additional things you can do to protect yourself against this virus. As mentioned above, you can mark all of the DCU files in your \lib directory as read-only. And while you are at it, you might consider labeling all of the source code in the <delphi>\source directory as read-only as well.

To be absolutely safe, you can do a file compare between your \lib directory and the \lib directory on the install image on your CD.

If you need a file compare tool, there is a very powerful, open source tool called FreeFileSync which can be found at:

sourceforge.net/projects/freefilesync/

Keep in mind that it is possible that you may have altered these DCU files yourself, so if they show up as different, be sure that you yourself haven’t altered them. So far, this virus only affects the SYSCONST.DCU file.

In any event, it is highly recommended that you ensure that the files in the \lib directory of your Delphi 4 – 7 installation match those of the install image on your CD.

Is C++Builder affected?
No. It is theoretically possible for a C++Builder EXE to become infected, but a C++Builder developer would have to take a rather lengthy set of steps and actively change and recompile a number of different things on his system in order for the virus to affect C++Builder binaries.

I produce shareware and/or an ISV application built with Delphi? What does this mean?
If you are running newer versions of Delphi 2005 thru 2010 then it doesn’t affect you. If you are a Shareware or ISV vendor running an older version of Delphi v4 thru v7, then you should check that your machine is not infected. If it is infected you should clean it.

If you have distributed infected executables to your customers, you should immediately recompile your product and distribute a new, cleaned version. It would also be prudent to notify file recipients and point them to this FAQ for more information. As anti-virus programs begin to see this virus in binaries, customers will be getting reports of your binaries being infected and you’ll want to be ready with a clean binary for them.

Are there any special concerns for a Component Vendor?
Component vendors who are using versions of Delphi 7 or older should take the same precautions and steps as described in this document. Even if infected, component vendors have a low probability of infecting their customers via their components. The reason is that the virus doesn’t attach itself to other DCU files. It doesn’t affect any source code that you create. It is possible, as noted above, to link the virus into a package (BPL) file, but you would have to very deliberately be avoiding using the Delphi Run-time Library and be explicitly linking in the SYSCONST.DCU file.

What are you doing to harden Delphi against this or future viruses?
The best course of action is of course to run a secure development workstation and run anti-virus software; always keeping it updated. While this type of virus can be built to attack any development environment, we are looking for ways to help developers prevent future attacks on their systems.
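
The checks this FAQ describes for a Delphi 4 - 7 \lib directory, as an added Python example that is not part of the post or the FAQ: it looks for SYSCONST.BAK, searches SYSCONST.DCU for the marker string quoted above, and optionally compares the DCU with a copy from the install media. The function name `check_lib`, the verdict labels and the sample files in the demo are assumptions made for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Marker string quoted in the FAQ; searched for as raw ASCII bytes in the DCU.
MARKER = b"CreateFile(pchar(d+$bak$),0,0,0,3,0,0);"

def _find(directory, name):
    """Case-insensitive file lookup, so a mounted or copied lib folder works too."""
    for p in Path(directory).iterdir():
        if p.is_file() and p.name.lower() == name.lower():
            return p
    return None

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_lib(lib_dir, reference_dir=None):
    """Apply the FAQ's checks; reference_dir is an optional lib copy from the install media."""
    dcu = _find(lib_dir, "SYSCONST.DCU")
    bak = _find(lib_dir, "SYSCONST.BAK")
    result = {
        "bak_present": bak is not None,
        "bak_empty": bak is not None and bak.stat().st_size == 0,
        "marker_in_dcu": dcu is not None and MARKER in dcu.read_bytes(),
        "matches_reference": None,  # stays None when no comparison was possible
    }
    if reference_dir is not None and dcu is not None:
        ref = _find(reference_dir, "SYSCONST.DCU")
        if ref is not None:
            result["matches_reference"] = _sha256(dcu) == _sha256(ref)
    if result["marker_in_dcu"]:
        result["verdict"] = "infected"
    elif result["matches_reference"] is False:
        result["verdict"] = "modified"       # differs from install media, no marker
    elif result["bak_present"]:
        # BAK without the marker: may be the empty guard file the FAQ suggests leaving.
        result["verdict"] = "bak-only"
    else:
        result["verdict"] = "no-indicators"
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample, not a real DCU
        Path(d, "SYSCONST.BAK").write_bytes(b"")
        Path(d, "SysConst.dcu").write_bytes(b"\x00hdr" + MARKER + b"\x00")
        print(check_lib(d))
```

A "modified" verdict only says the file differs from the install media; as the FAQ notes, you may have changed the DCU yourself.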
Naxor
Posts: 76

all
delphi, C++, php, html, java, flash, XML
Posted: Fri 09.10.09 12:41
create a new Windows account with restricted access...
Delete delphi and reinstall it "without internet access", then switch to the new account and use delphi from there. I had the same problem recently... not since then

PS: Delete the built exe and build it again
kulka1 Thread starter
Posts: 81

Posted: Fri 09.10.09 15:22
Naxor wrote:
create a new Windows account with restricted access...
Delete delphi and reinstall it "without internet access", then switch to the new account and use delphi from there. I had the same problem recently... not since then

PS: Delete the built exe and build it again


did it exactly as you described ... the error message with the virus still came up
Xentar
Posts: 2077
Thanks received: 2

Win XP
Delphi 5 Ent., Delphi 2007 Prof
Posted: Fri 09.10.09 15:46
What virus is actually being detected? The one PreMarT mentioned above?

_________________
PROGRAMMER: A device for converting coffee into software.
kulka1 Thread starter
Posts: 81

Posted: Fri 09.10.09 15:53
the one detected is

TR/ATRAPS.Gen

;)
Xentar
Posts: 2077
Thanks received: 2

Win XP
Delphi 5 Ent., Delphi 2007 Prof
Posted: Fri 09.10.09 19:59
Well then, send your .exe to the vendor, possibly with the source code as well, and tell them that it triggers a false alarm..
As Luckie has already written, by the way.

_________________
PROGRAMMER: A device for converting coffee into software.
kulka1 Thread starter
Posts: 81

Posted: Sat 10.10.09 21:41
for whatever reason, it now works as it is!

thanks anyway
Luckie
Former member
Thanks received: 1

Posted: Sat 10.10.09 21:51
What does "works as it is" mean now?
kulka1 Thread starter
Posts: 81

Posted: Sat 10.10.09 22:08
I just click ignore, I know it's nothing bad, so that'll be fine^^
elundril
Posts: 3747
Thanks received: 123

Windows Vista, Ubuntu
Delphi 7 PE "Codename: Aurora", Eclipse Ganymede
Posted: Sat 10.10.09 22:23
kulka1 wrote:
I just click ignore, I know it's nothing bad, so that'll be fine^^


Attention, dear children! Never try this at home. This experiment was carried out by grossly negligent stuntmen and can have serious consequences for the inexperienced!

your wish is my command :D

_________________
This Signature-Space is intentionally left blank.
For complaints, please use the complaint button (marked "PN").


Last edited by elundril on Sat 10.10.09 23:14; edited 1 time in total
Luckie
Former member
Thanks received: 1

Posted: Sat 10.10.09 23:06
Could we replace "trained" with "grossly negligent"?
Xentar
Posts: 2077
Thanks received: 2

Win XP
Delphi 5 Ent., Delphi 2007 Prof
Posted: Sun 11.10.09 01:36
One could also simply bring the vendor on board so that they can solve the "problem".. but no, simply ignoring it is of course easier.

_________________
PROGRAMMER: A device for converting coffee into software.
Jakob_Ullmann
Posts: 1747
Thanks received: 15

Win 7, *Ubuntu GNU/Linux*
*Anjuta* (C, C++, Python), Geany (Vala), Lazarus (Pascal), Eclipse (Java)
Posted: Sun 11.10.09 14:10
kulka1 wrote:
I just click ignore, I know it's nothing bad, so that'll be fine^^


I don't know where you got that information from. But I will never download any file from you. Please put a corresponding note in your signature. :roll: