August 18, 2009 5:06 PM PDT

New virus infects programs built with Delphi

by Elinor Mills

Researchers said on Tuesday that they are seeing something unusual in the malware world--a virus that targets a development environment.

The virus, dubbed Win32.Induc, was written to infect applications built with Delphi, according to Nick Bilogorskiy, manager of antivirus research at Sonicwall. Delphi is used to write Windows programs, including database applications.

When an infected program is run on a machine running Delphi, the virus infects any software that gets compiled on that machine. The virus spreads the executable file of itself as well as the source code. It looks for a compiler on the infected system and re-compiles the source code, inserting its code into any programs compiled on the system.

"This malware just spreads; it doesn't delete files or do anything malicious," he said. "But if you create software and you have this code in it, the software will be blocked by antivirus (technology)."

Developers whose systems are infected will pass the infection on to the programs they are creating, Bilogorskiy said.

Already, two free tools that are included in certain magazine CDs and are among the top 100 downloads on some portals--Any TV Free 2.41 and Tidy Favorites 4.1--have been infected, he said. "As many as 30 percent of developers who use Delphi have this," he added.

Sonicwall and a number of antivirus vendors have updated their software to block the virus.

Sophos has more details on its SophosLabs blog.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by SIGHUP August 18, 2009 5:25 PM PDT
All versions?
by monkeyfun14 August 18, 2009 5:28 PM PDT
Okay so it does nothing? You know tbh the developer's goal was probably to get the file blocked by AVs so the programs it infects won't run
That's the damage.
by tektaktyks August 18, 2009 5:57 PM PDT
Please, we all know that Apple is writing those so they can claim they have a better OS...
by baconstang August 18, 2009 9:16 PM PDT
Dude, you are clinical.
by Dalkorian August 19, 2009 11:06 AM PDT
LOL! Thanks tektaktyks, that was really funny!
by benjwah August 18, 2009 9:02 PM PDT
I thought Delphi died out years ago.
by j0nnysmith August 19, 2009 2:33 AM PDT
Me too but it's a good program I learned it in high school nice in any case the AV I have don't let it make a mess Bitdefender 2010 because I upgraded it so it's all good when it's all safe people ;) I'm curious to run Delphi one more time now ;))
by BruceMcGee August 21, 2009 12:29 PM PDT
Not so much. It's still pretty widely used.
by Ted Miller August 19, 2009 9:12 AM PDT
From CNet there are two good programs that Sophos picked on that were indeed false positives. Both from the same vendor. One is "Wise Disk Cleaner" and the other is "Wise Registry Cleaner". I believe that both of these programs are fine, and had "so, so" reviews by CNet (3.5 Stars).

First, I would like to say that I think Sophos is a very good antivirus, but they like many others become what you can call analware, because the two programs that I mentioned were not the only false positives that I received from them. There were indeed many others, as I am a major collector of software. I really think that many of these antivirus utilities should work a little harder to correctly identify what is and what is not a virus. Especially those that take your money for their services.
by RichardCohen_Sophos August 19, 2009 10:01 AM PDT
Ted, if you think there's an FP then please send us a sample via https://secure.sophos.com/support/samples. However I've just done a quick check and we do have copies of both of those products that *are* infected with W32/Induc-A - if you run them on a system with Delphi installed, then you *will* get infected.

http://www.sophos.com/blogs/gc/g/2009/08/19/w32induca-spread-delphi-software-houses/ talks about this some more - if you find W32/Induc-A in a file from a 3rd party, you should speak to the developers to help them stop spreading the virus.
by StuartClennett August 21, 2009 12:09 PM PDT
The article neglects to mention that it only affects Delphi up to version 7. We are now on Delphi 2009 (v12) with 2010 (v13) just around the corner. So my guess is the majority of infections will be with those that haven't been able to afford the upgrade, hence shareware and freeware writers.

And for the uninformed that think the *only* development environment is Visual Studio, check out this link:

http://delphi.wikia.com/wiki/Good_Quality_Applications_Built_With_Delphi

Peace.

Stu
by Former Big Iron Guy August 23, 2009 7:25 PM PDT
Unfortunately, there are a heck of a lot of legacy Delphi applications still in production in versions 7 and prior. I see this most often in small Delphi shops where the compiler system was used to build corporate applications that could not be purchased anywhere, off-the-shelf. The compilers live in the developer environment and may even have source repositories. The repositories as well as the developer workstations are often run at administrator levels, which is a normal development requirement, but leave the workstation open to being infected.
Hopefully, corporate strength security will prevent problems in such shops, but don't hold your breath.

Been there, had it done to me.