Virus spreading via Delphi programming language

A new virus outbreak has been detected and reportedly spreading quickly. Researchers at SonicWALL and SophosLabs claim that the Win32.Induc virus infects applications built using Delphi, an object-oriented, visual programming environment derived from the Pascal language, used to develop applications for deployment on the web, Windows and Linux.

Once a computer is infected, any code or documents written on that machine will automatically be infected, enabling the virus to spread as an executable file of itself, SonicWALL researchers stated in a release. Though the virus is not showing signs of malicious intent, it is evidence of yet another enterprising way for hackers to infect computers with alarming ease, the researchers said. 

"This malware just spreads, it doesn't delete files or do anything malicious," Nick Bilogorskiy, manager of anti-virus research at SonicWALL, told on Wednesday. "What is new and interesting about this is that it is being spread by innocent, already infected parties, such as developers who use the Delphi programming language."

It could be much worse, Bilogorskiy said, but the virus does have side effects. "Anti-virus software will pick this up, so third-party software will get caught," he explains. This means that people's computers will get marked as infected and could result in IT managers cutting off their machines from the network.

Graham Cluley, senior technology consultant at Sophos, posted an explanation on his Sophos blog that said that "the W32/Induc-A virus inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable."

Sophos, he states, has received more than 3,000 unique infected samples of programs infected by W32/Induc-A from the wild. "This makes us believe that the malware has been active for some time, and that a number of software houses specializing in developing applications with Delphi must have been infected."

Richard Cohen, an analyst at SophosLabs Canada, posted a report on the SophosLabs blog on Tuesday, explaining further:

When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system.

"At the moment it's a mystery what drove the virus writer to write this Delphi malware," Cluley told in an email Wednesday. "Maybe it was created as a proof-of-concept to prove it was possible, and then got out of hand."

The samples Sophos has seen so far only spread -- there is no intentional malicious payload, no sign of creating a botnet or stealing information, Cluley said. "Nevertheless, it's possible that the code could cause incompatibilities on users' computers, or that new variants could emerge in the future with more nefarious designs."

SonicWALL's Bilogorskiy calls the virus an abuse of trust. "It doesn't seem to be financially motivated." He agrees that it's likely a proof-of-concept exercise, someone showing off. "But it does point out that you cannot 100 percent trust programs that are written by someone else, and that you should at all times continue to ensure you have up-to-date anti-virus software."

Cluley advised the same. "Businesses that may be using software written in Delphi would be wise to check that their anti-virus software is updated. If a W32/Induc-A infection is found in a program, its developers should be contacted immediately – as it's possible that the infection could be passed on to other customers."

Cluley added that Sophos had also seen examples of infected programs being distributed via download sites – "presumably without the knowledge of the websites themselves who are assuming the programs to be clean."


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.