Some days ago we found a virus, dubbed W32.Induc.PE, that uses a new infection technique: code injection at compile time. It sounds incredible, but the virus manages it by taking advantage of the Delphi compiler itself.
Once Borland Delphi is installed, the source code of the Delphi library units can be found in the folder "%Delphi Path%\Source". Induc appends its malicious code to SysConst.pas, one of these source files, and rebuilds the compiled unit from it. Consequently, whenever a program is compiled with Delphi on an Induc-infected system, the compiler itself inserts the virus code into the resulting executable, because SysConst is part of the runtime library that practically every Delphi program links.
A piece of virus source code
According to our analysis, once activated, Induc searches for the installation folder of Delphi (versions 4.0 to 7.0) and checks for the file sysconst.bak in the folder "%Delphi Path%\lib\". If this file exists, the computer has already been infected and the virus exits without doing anything.
Induc-infected Delphi’s Lib folder
To infect the Delphi compiler's library, Induc first backs up "%Delphi Path%\lib\sysconst.dcu" as "%Delphi Path%\lib\sysconst.bak" and appends its malicious code to "%Delphi Path%\Source\Rtl\Sys\SysConst.pas". It then runs the Delphi command-line compiler, dcc32.exe, to recompile sysconst.dcu from the now-infected SysConst.pas. From that point on, every build on the machine links the trojanized unit.
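The three steps above leave a small, stable set of artifacts, which is enough to check a Delphi installation for the infection. The script below is an added example written for this write-up; it is neither Bkav's scanner nor code from the virus. It assumes only the file layout named in this post (lib\sysconst.bak as the backup, lib\sysconst.dcu as the rebuilt unit, Source\Rtl\Sys\SysConst.pas as the edited source) and takes the Delphi root directory as given rather than locating installations itself. The sample directory trees it builds are constructed for the demonstration and contain placeholder bytes, not real Delphi files.

```python
"""Check a Delphi installation for the artifacts W32.Induc leaves behind.

Added example for this write-up, not Bkav's tool and not virus code. It uses
only the sequence described in the post: Induc copies lib\sysconst.dcu to
lib\sysconst.bak, appends to Source\Rtl\Sys\SysConst.pas, then recompiles
sysconst.dcu. The Delphi root directory is supplied by the caller.
"""
import hashlib
import os
import tempfile
import time


def _sha256(path):
    """Hash a file in chunks so large .dcu files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def induc_indicators(delphi_root):
    """Collect Induc indicators under one Delphi root; returns a dict of findings."""
    lib = os.path.join(delphi_root, "lib")
    bak = os.path.join(lib, "sysconst.bak")
    dcu = os.path.join(lib, "sysconst.dcu")
    pas = os.path.join(delphi_root, "Source", "Rtl", "Sys", "SysConst.pas")
    r = {
        "bak_present": os.path.isfile(bak),  # the marker Induc itself checks
        "dcu_present": os.path.isfile(dcu),
        "pas_present": os.path.isfile(pas),
        "dcu_differs_from_bak": False,       # rebuilt .dcu != backed-up original
        "dcu_newer_than_bak": False,         # recompile happened after the backup
        "pas_newer_than_bak": False,         # source was edited after the backup
    }
    if r["bak_present"] and r["dcu_present"]:
        r["dcu_differs_from_bak"] = _sha256(dcu) != _sha256(bak)
        r["dcu_newer_than_bak"] = os.path.getmtime(dcu) > os.path.getmtime(bak)
    if r["bak_present"] and r["pas_present"]:
        r["pas_newer_than_bak"] = os.path.getmtime(pas) > os.path.getmtime(bak)
    return r


def is_infected(r):
    """Backup marker plus a .dcu that no longer matches it is the strong signal."""
    return r["bak_present"] and r["dcu_differs_from_bak"]


def build_sample_install(root, infected):
    """Construct a fake Delphi tree for offline testing (constructed placeholder data)."""
    lib = os.path.join(root, "lib")
    src = os.path.join(root, "Source", "Rtl", "Sys")
    os.makedirs(lib)
    os.makedirs(src)
    dcu = os.path.join(lib, "sysconst.dcu")
    pas = os.path.join(src, "SysConst.pas")
    clean_dcu = b"DCU\x00clean sysconst unit"  # stand-in for the original .dcu
    with open(dcu, "wb") as f:
        f.write(clean_dcu)
    with open(pas, "w") as f:
        f.write("unit SysConst;\ninterface\nimplementation\nend.\n")
    now = time.time()
    old = (now - 3600, now - 3600)  # pristine files predate any infection
    os.utime(dcu, old)
    os.utime(pas, old)
    if infected:
        bak = os.path.join(lib, "sysconst.bak")  # step 1: back up the original .dcu
        with open(bak, "wb") as f:
            f.write(clean_dcu)
        os.utime(bak, old)
        with open(pas, "a") as f:                 # step 2: append to the source
            f.write("{ placeholder for appended code }\n")
        with open(dcu, "wb") as f:                # step 3: "recompile" the unit
            f.write(b"DCU\x00rebuilt sysconst unit")
        os.utime(dcu, (now, now))
        os.utime(pas, (now, now))


def demo():
    """Build one clean and one infected sample tree and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "Delphi7_clean")
        bad_root = os.path.join(tmp, "Delphi7_infected")
        build_sample_install(clean_root, infected=False)
        build_sample_install(bad_root, infected=True)
        return induc_indicators(clean_root), induc_indicators(bad_root)


if __name__ == "__main__":
    for label, r in zip(("clean", "infected"), demo()):
        print(label, "->", "INFECTED" if is_infected(r) else "clean", r)
```

Two caveats when reading the result. A sysconst.bak with a .dcu identical to it most likely means someone has already restored the original; a missing sysconst.bak does not prove a clean machine, since a cleanup or a later variant may have removed the marker. And a clean library says nothing about programs that were built while it was infected: those executables carry the virus code and have to be scanned separately.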
One particular point of interest is that Induc, like the Conficker worm (which exploited the MS08-067 vulnerability not long ago), only spreads, by infecting every program compiled with Delphi on the machine, and carries no other malicious payload.
In response to this virus, some antivirus vendors choose to delete infected files and recommend that users contact the program's manufacturer for a clean version. We instead chose to disinfect Induc-infected files while preserving the program's normal function. You can update or download the latest Bkav version at http://www.bkav.com.vn/home/DownloadE.aspx to clean this virus.
By Nguyen Cong Cuong, Senior Malware Researcher