14 DAY TRIAL // Even if harmless, the first virus that infects the environment of a programming language has been reported by Kaspersky. The virus scans for a Delphi platform, attaches itself to the embedded compiler and infects any Delphi program compiled from that moment on.
According to Denis Nazarov from Kaspersky Labs, “It doesn't currently have a malicious payload, and it doesn't directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine […] The result – any Delphi program compiled on the computer gets infected.”
The virus is currently detected by Kaspersky, F-Secure and Ikarus as “Virus.Win32.Induc.a,” while McAfee sees it as “W32/Induc” and “Generic!Artemis.” The virus currently infects the Delphi platform versions 4.0, 5.0, 6.0 and 7.0, and has not been classified as a threat to any machine up to this moment. Other antivirus software vendors have been informed of this new threat.
W32.Induc will first scan the system for a necessary Delphi version, and, if the scan is successful, it will copy the SysConst.pas to the \Lib folder and will write its code inside. It will then go on to copy SysConst.dcu and make a backup of that file, while the SysConst.pas is compiled, resulting in an infected version of SysConst.dcu that will replace the original file. After compiling, the .pas file will be deleted to remove any infection tracks.
From that moment on, the Delphi compiler will embed a form of the virus in any program compiled in it. Experts are stating that, even if not dangerous, this is just a primitive version of a super-virus. W32.Induc has limitless possibilities, since its methods of propagation rely on a development environment and not on an operating system.
Until now, Delphi-based pieces of software like Any TV Free 2.41 and Tidy Favorites 4.1 have been infected by this harmless virus. Nick Bilogorskiy, manager of antivirus researchers at Sonicwall, said that, “As many as 30 percent of developers who use Delphi have this.”