It seems someone has it in for Delphi. Or at least older Delphi environments and programs compiled using them. As has been reported, there is a threat on the loose that targets Delphi development environments, specifically versions 4 through 7.
To provide some brief background, Delphi is a software development environment for Microsoft Windows applications. Using Pascal as its underlying language, Delphi came into being when Windows 3.1 was first released along with the introduction of the graphical user interface (GUI).
According to Wikipedia, Delphi 7 was released in August 2002 and became the standard version used by Delphi developers. Delphi 7 was the last free version released, which probably explains why it is still actively used today. Delphi is mainly used for the development of desktop and enterprise database applications, but it is a general-purpose software development tool suitable for most software projects including Web applications. It is a popular choice for writing GUI applications, as it is relatively simple to program in being of course based on Pascal.
So, if one of these older development environments is found on a machine that the malware is introduced to, it will attempt to infect Delphi files during the compilation process by placing an infection routine in the following file:
[DELPHI INSTALLATION FOLDER]\Lib\sysconst.dcu
Any file that is subsequently compiled with Delphi will have the viral code included in it.
The current version of the threat doesn't contain a malicious payload and so doesn't actually cause any damage to systems running Delphi. Furthermore, in addition to only affecting versions 4 through 7 the threat doesn't run on systems which do not contain the Delphi development environment.
For the purpose of clarity, Symantec detects this Delphi virus as three separate but related threats:
- W32.Induc.A adds itself to the Delphi compilation process in order to then infect all files compiled with that Delphi compiler.
- W32.Induc.A!dcu detects malicious Delphi library files that were created by W32.Induc.A.
- W32.Induc.A!pas is a detection for malicious Pascal (Delphi) source files, which are temporarily created by W32.Induc.A
It is difficult to say exactly how long this virus has been in the wild, but indications are that it is not exactly new. No doubt it would have been picked up much sooner if it actually did anything other than simply spread itself. Still, it is a concern that an entire development environment has been used in this fashion to accommodate the spread of malicious code. I have a feeling the antivirus industry may be about to witness a flood of "false positive" claims which actually turn out to be Delphi files infected with this.
On a brighter note, one of our tireless engineers was kind enough to put together a detailed analysis of how exactly the code spreads itself. Warning, what follows is not for the faint-hearted...
How W32.Induc.A Infects Files
1. A program (.exe or .dll) built with Delphi having the malicious sysconst.dcu file is the infector. Such a program is detected by Symantec as W32.Induc.A.
2. When W32.Induc.A starts, it calls the initializing routine of each module in the program, one of which is the malicious one. The initializing routine checks the Windows registry to see if Delphi 4, 5, 6 or 7 is installed.
3. If a Delphi environment is found, it copies a clean SysConst.pas file to a temporary file, which contains the following code:
4. It then adds its malicious Pascal (Delphi) source code after the "implementation" line. The file looks like this:
This code is used to copy itself to a new environment.
5. The bottom of the file contains the following code:
This code searches for a Delphi environment and calls the Delphi compiler dcc32.exe to compile its temporary source file. Before calling the compiler, it copies the original SysConst.dcu (Delphi Compiled Unit, a type of library file) to sysconst.bak. When the compilation is complete, the SysConst.dcu file is overwritten by a newly generated malicious sysconst.dcu file. The temporary file is deleted after compilation. Symantec products detect this file as W32.Induc.A!pas and AutoProtect will delete it before compilation begins.
6. After compilation, the code in the source file changes to the following:
Here you can see "55 8B EC" which is Intel CPU instructions of "PUSH EBP" and "MOV EBP, ESP". Also there are some “bak”, "implementation", and other Delphi strings. The source code itself is also compiled into the DCU file as a string array, which looks like this:
7. When an engineer using the infected Delphi environment builds a program, the malicious sysconst.dcu file is automatically linked to that program.
The following code is a part of the Delphi DLL program built with the infected environment:
As you can see, the DCU file is incorporated into the .dll file.
So how does one remediate the infected Delphi environment? If a program is detected as W32.Induc.A, it means the Delphi environment you are using is infected. As long as the environment is left infected, any programs created in Delphi will be malicious.
Symantec products detect the malicious sysconst.dcu file as W32.Induc.A!dcu and delete it. To restore the sysconst.dcu file, find the sysconst.bak file and rename it “SysConst.dcu”. If you can’t find the sysconst.bak file, you should re-install Delphi. Otherwise, you can compile a clean SysConst.dcu file from SysConst.pas file found in the Delphi environment. You can simply do the same thing that the virus did:
dcc32.exe SysConst.pas
That will produce a clean SysConst.dcu file. Copy the SysConst.dcu file to the Delphi Lib folder.
A big thanks to Masaki Suenaga for providing the analysis.