18 August, 2009

Check your Delphi installation – it may be infected

First of all, a brief disclaimer:
This is not a notice about a virus in EurekaLog! Please do not misread/misunderstand this blog post.

Maybe EurekaLog’s blog is a bit unsuitable for this kind of post, but I decided to post it here anyway. The reasons are that this threat is quite new, so not all anti-viruses can detect it (I’m aware only of Kaspersky’s anti-virus); it appears that a large part of Russian Delphi developers are infected with this thing (not sure about other communities); and, finally, I’ve spotted suspicious support tickets that may be caused by it.

If your anti-virus suddenly starts to yell at almost all of your applications – be on guard. There is a high chance that this is not a false-positive alert!

Okay, done with precautions, now let’s get down to business.

Okay, what is it?

Almost a week ago I discovered a quite interesting self-replicating piece of Delphi code. I cannot call it anything other than a “virus”. It first appeared on a Russian Delphi programming forum, in a question about a strange, unexplained “Runtime error 3”. A few people spotted that a certain application had something to do with it: it modified your Delphi installation at each launch. But nobody dug deeper, so I took a look at it. And found this thing, which is now called "Virus.Win32.Induc.a" or similar.

This thing does the following:
  • It checks the registry to see if any Delphi is installed (it checks only for Delphi 4-7).

  • For each found instance of Delphi:

    1. It makes a copy of the SysConst.pas file and injects itself into it.

    2. It compiles the new SysConst.pas and places the new infected dcu-file into the Lib folder.

That way, any application that you compile using this Delphi will now have the virus on board. Infected applications will hunt for un-infected Delphi installations and infect them, those infected Delphis will compile infected applications, which will look for other Delphis, and so on...

Am I infected?

Open the SysConst.dcu file in Notepad (or view it via F3 in any two-panel file manager) and search for the string “CreateFile(pchar(d+$bak$),0,0,0,3,0,0);” (without quotes). If there are any matches – then your Delphi is infected.
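A byte-level search for the signature line above, added here as an example (it is not code from the original post or from EurekaLog): it walks a Delphi folder and reports every dcu, pas or binary file that carries the string, which is also the file list the removal steps below ask for. The folder layout and file contents in demo() are constructed; the chunked reader is checked against a match that straddles a chunk boundary.

```python
import os
import tempfile
from pathlib import Path

# Signature quoted in the post. The virus carries its own Pascal source as
# string constants, so this line is present verbatim in the infected
# SysConst.dcu and in every executable built against it.
INDUC_SIGNATURE = b"CreateFile(pchar(d+$bak$),0,0,0,3,0,0);"

def file_contains(path, needle=INDUC_SIGNATURE, chunk_size=1 << 20):
    """True if the raw bytes of `path` contain `needle`. Reads in chunks and
    carries len(needle)-1 trailing bytes forward so a match that straddles
    a chunk boundary is still found."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""

def scan_tree(root, suffixes=(".dcu", ".pas", ".exe", ".dll", ".bpl")):
    """Return the relative paths under `root` whose bytes carry the signature.
    Limited to Delphi build outputs and sources to keep the scan fast."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                p = Path(dirpath) / name
                if file_contains(p):
                    hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def demo():
    """Constructed sample: a fake Lib folder with one infected and one clean
    dcu, plus a straddle check using a 16-byte chunk size."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "Lib")
        lib.mkdir()
        (lib / "SysConst.dcu").write_bytes(b"\x00" * 40 + INDUC_SIGNATURE + b"\x00" * 40)
        (lib / "SysUtils.dcu").write_bytes(b"\x00" * 120)
        straddle = Path(tmp, "straddle.bin")
        straddle.write_bytes(b"x" * 10 + INDUC_SIGNATURE + b"y" * 10)
        return scan_tree(tmp), file_contains(straddle, chunk_size=16)
```

Point scan_tree() at your Delphi root (or at a folder of built executables) to get the list of files to remove and rebuild.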

If you want to know more details about it – just go googling for it or check out my personal blog’s entry directly (sorry, folks, it’s in Russian; here is a machine translation).

This simple test targets only this specific virus. If you want to know for sure that no other virus of this kind has messed with your Lib folder – then the most reliable way is to compare the Lib folder with the one from the distribution. Install Delphi on a clean machine or VM. Apply the same patches/updates that are installed on your machine. Then compare/sync the \Lib and \Source folders of the two Delphi installations. If there are any differences and you did not change anything there – then your Delphi is infected.

How can I delete this [censored]?

You probably want to delete all infected files first. Just run a file search for all files with the “CreateFile(pchar(d+$bak$),0,0,0,3,0,0);” line in them. Delete all found files.

Now it’s Delphi’s turn: just reinstall it. That should be enough.

There is no simple way to manually remove the bad code from already compiled applications. You should rebuild all of your applications.

Are there any known affected applications?

Well, infection was confirmed for such applications as Miranda (Delphi plug-ins), QIP, AIMP, and Infinity Box. Those are quite popular in Russia. And those are only the “big names”. And I’m not the first who detected it. For example (quite a funny dialog, BTW). Those people just weren’t persistent enough to push it to the end. Nobody realized that this is a widespread virus.

Is it serious?

Depends on what you’re asking about.

If you want to know about this particular virus, then the answer is: NO. This thing does nothing except replicate itself.

If you ask about any threat of this sort, then the answer is probably: YES. Well, at least it is so for Delphi developers. Look, that thing was out there for a few years and nobody noticed it. It was detected only because it is buggy (see below). What if there are other such things living in our Delphis out there? They may not be as innocent as this one, and may be bug-free, so they are harder to notice. Developers often tend to work in a “weaker” environment: i.e. with UAC off, under an administrator account, with A/V disabled, etc. Those conditions are like heaven for viruses.

Any support from anti-viruses?

I’ve sent a sample to Kaspersky Lab and Symantec. Kaspersky’s anti-virus now detects this virus as Virus.Win32.Induc.a. As for Symantec, the reply was: "D:\VMWareShared\Project1.exe contains no malicious code, although it may be a nuisance. It is safe to delete this file". So Symantec’s anti-virus is unable to detect this threat at the moment. I’m not aware of other anti-virus software that can detect it.

Note that this "assistance" from anti-viruses is not enough. If you just recompile this thing under Delphi 2009 – then every anti-virus will put a "passed"/"all clean" mark on your exes. Again: nobody notices. And think: what if there are other modifications?

How to stay protected?

You may want to create a \Lib\SysConst.bak file (the file's content doesn't matter) to prevent further infections. This particular virus creates a backup copy of the dcu-file before infection and uses it as an "infection completed" flag (such a nice guy, eh?). So, if you create SysConst.bak manually – this will prevent the virus from messing with the dcus, as it will think that its work here is done.

But I’m afraid that the only 100%-reliable way to be protected is to keep an eye on your Delphi folder. Just do periodic compares with a backup copy. I’m not sure if it is overkill, but putting it in SVN may be a not-so-bad idea. If your anti-virus software has some sort of file-change-tracking capability – then you’d better put the \Lib and \Source folders under its control.
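A hash-baseline check for the \Lib and \Source folders, serving both the clean-install comparison from the "Am I infected?" section and the periodic compare recommended here. This is an added example, not code from the original post or from EurekaLog; the folder layout and file contents in demo() are constructed, and the JSON manifest stands in for the copy you would keep off the machine.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file's bytes, read in 1 MiB chunks so large dcus are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(delphi_root, folders=("Lib", "Source")):
    """Map relative path -> sha256 for every file under the watched folders."""
    root = Path(delphi_root)
    manifest = {}
    for folder in folders:
        for dirpath, _dirs, files in os.walk(root / folder):
            for name in files:
                p = Path(dirpath) / name
                manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest

def diff_manifests(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed sample: snapshot a fake install, then alter SysConst.dcu and
    drop a SysConst.bak the way the post says the virus does, and diff the
    current state against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        lib, src = Path(tmp, "Lib"), Path(tmp, "Source")
        lib.mkdir()
        src.mkdir()
        (lib / "SysConst.dcu").write_bytes(b"clean dcu")
        (src / "SysConst.pas").write_bytes(b"unit SysConst;")
        stored = json.dumps(build_manifest(tmp))  # keep this copy off-box
        (lib / "SysConst.dcu").write_bytes(b"clean dcu + injected code")
        (lib / "SysConst.bak").write_bytes(b"clean dcu")
        return diff_manifests(json.loads(stored), build_manifest(tmp))

if __name__ == "__main__":
    print(demo())
```

Any non-empty result on folders you did not touch yourself is a finding; an unexpected SysConst.bak showing up as "added" is exactly the flag described above.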

What runtime error 3 has to do with all of this?

Well, this virus has an error in its code. Infected applications will crash with “Runtime error 3” on machines which have invalid or damaged Delphi registry entries (for example: you’ve uninstalled or upgraded Delphi). No, EurekaLog is unable to catch it, because the virus injects itself into the SysConst unit – it is executed far before any code from EurekaLog is able to run.
