Virus discovered deep in Delphi programming language

By Greg Masters

June 18, 2010 Updated Aug 19, 2009 at 12:31 PM EDT

A new virus outbreak has been detected by researchers at SonicWALL and SophosLabs, and it is reportedly spreading quickly. The researchers claim that the Win32.Induc virus infects applications built with Delphi, an object-oriented, visual programming environment derived from the Pascal language and used to develop 32-bit and Microsoft .NET applications for deployment on the web, Windows and Linux.

Once a computer is infected, any code or documents written on that machine will automatically be infected as a result, allowing the virus to spread both as an executable file and as source code, SonicWALL researchers stated in a release. While the virus is not currently showing signs of malicious intent, it is evidence of yet another enterprising way for hackers to infect computers with alarming ease, the researchers said.

"This malware just spreads, it doesn't delete files or do anything malicious," Nick Bilogorskiy, manager of anti-virus research at SonicWALL, told SCMagazineUS.com on Wednesday. "What is new and interesting about this is that it is being spread by innocent, already infected parties, such as developers who use the Delphi programming language."

It could be much worse, Bilogorskiy said, but the virus does have side effects. "Anti-virus software will pick this up so third-party software will get caught," he explained. This means that people's computers will get marked as infected and could result in IT managers cutting off their machines from the network.

Graham Cluley, senior technology consultant at Sophos, posted an explanation on his Sophos blog that said that "the W32/Induc-A virus inserts itself into the source code of any Delphi program it finds on an infected computer, and then compiles itself into a finished executable." Sophos, he states, has received over 3,000 unique samples of programs infected by W32/Induc-A from the wild. "This makes us believe that the malware has been active for some time, and that a number of software houses specializing in developing applications with Delphi must have been infected."

Richard Cohen, an analyst at SophosLabs Canada, posted a report on the SophosLabs blog on Tuesday, explaining further: When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system.

"At the moment it's a mystery what drove the virus writer to write this Delphi malware," Cluley informed SCMagazineUS.com in an email on Wednesday. "Maybe it was created as a proof-of-concept to prove it was possible, and then got out of hand." The samples Sophos has seen so far only spread; there is no intentional malicious payload, no sign of creating a botnet or stealing information, Cluley said. "Nevertheless, it's possible that the code could cause incompatibilities on users' computers, or that new variants could emerge in the future with more nefarious designs."

SonicWALL's Bilogorskiy calls the virus an abuse of trust. "It doesn't seem to be financially motivated." He agrees that it's likely a proof-of-concept exercise, someone showing off. "But it does point out that you cannot 100 percent trust programs that are written by someone else, and that you should at all times continue to ensure you have up-to-date anti-virus software."

Cluley advised the same. "Businesses that may be using software written in Delphi would be wise to check that their anti-virus software is updated. If a W32/Induc-A infection is found in a program, its developers should be contacted immediately – as it's possible that the infection could be passed on to other customers."
Cluley added that Sophos had also seen examples of infected programs being distributed via download sites – "presumably without the knowledge of the websites themselves who are assuming the programs to be clean."
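As an added example (not from the article, SonicWALL or Sophos), a defender-side integrity check built around the mechanism Cohen describes: it looks for the SysConst.bak left behind when SysConst.pas is rewritten and compares SysConst.pas and SysConst.dcu against known-good hashes. The file names come from the article; the directory layout and the hash baseline (taken from a clean install of the same Delphi version) are assumptions.

```python
"""Integrity check for the SysConst unit of a Delphi installation.

Added example. The infection routine described in the article rewrites
SysConst.pas, recompiles it to SysConst.dcu and keeps the original as
SysConst.bak, so every later build picks up the injected code. This
script reports those artefacts for one Delphi source/lib directory.
The directory path and baseline hashes are assumptions supplied by the
operator; the file names are the ones the article gives.
"""
import hashlib
from pathlib import Path

MONITORED = ("SysConst.pas", "SysConst.dcu")
BACKUP_ARTEFACT = "SysConst.bak"   # left behind when the unit is rewritten


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_delphi_dir(lib_dir, baseline: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious.

    baseline maps file name -> expected SHA-256 hex digest captured from a
    clean installation of the same Delphi version (assumed available).
    """
    lib_dir = Path(lib_dir)
    findings = []
    # A normal installation does not ship SysConst.bak; its presence means
    # something has replaced the unit and kept the original beside it.
    if (lib_dir / BACKUP_ARTEFACT).exists():
        findings.append(f"{BACKUP_ARTEFACT} present: SysConst was rewritten")
    for name in MONITORED:
        p = lib_dir / name
        if not p.exists():
            findings.append(f"{name} missing")
            continue
        expected = baseline.get(name)
        if expected is None:
            findings.append(f"{name}: no baseline hash, cannot verify")
        elif sha256_of(p) != expected:
            findings.append(f"{name}: hash differs from baseline")
    return findings
```

Run it against every Delphi installation on build machines; a hash mismatch on SysConst.dcu without a matching change to SysConst.pas is worth a look as well, since the compiled unit is what infects later builds.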


© Copyright 2016, A Quincy Media broadcasting station. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
