Virus infects Delphi
A new virus infects Delphi installations.
An infected program searches for installed versions of Delphi and modifies SysConst.dcu in each of them; the old version is saved as SysConst.bak. After infection, all Delphi projects compiled on this computer start infecting Delphi on every computer they are launched on. The virus does not cause any harm except a “Runtime error 3” exception, which appears when an infected program is launched if the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\x.0 (x = 4–7) contains a wrong RootDir value.

Check your Delphi versions, and if you find SysConst.bak then do the following:
1. Remove SysConst.dcu
2. Copy SysConst.bak to SysConst.dcu

The remaining SysConst.bak keeps the system from repeated infections. The virus does nothing, it only spreads. Here is the code:
Delphi source code:
uses windows;
var sc:array[1..24] of string=('uses windows; var sc:array[1..24] of string=(',
'function x(s:string):string;var i:integer;begin for i:=1 to length(s) do if s[i]',
*SNIP* // we do not want the full code here
'1; while c[i]<>#0 do begin r:=r+c[i];inc(i);end;re(r+$\source\rtl\sys\SysConst$+',
'$.pas$,r+$\lib\sysconst.$,$"$+r+$\bin\dcc32.exe" $);end;RegCloseKey(k);end; end;',
'begin st; end.');
[edit=Admin]Reduced the code ... we do not need a fully working example here. Regards, Daniel[/edit] |
Re: Virus infects Delphi
Thanks for dropping a post on this issue. :thumb:
But is this virus already "in the wild"? Is anything known about the origin? I didn't find any non-Russian info on this topic... |
Re: Virus infects Delphi
Quote:
It is also known that they are infected with QIP 8094 and AIMP 2 Beta Build 470. There is no more information. |
Re: Virus infects Delphi
To quickly determine which files are infected with the virus, you can simply search all files on all drives for, for example, the line "CreateFile(pchar(d+$bak$),0,0,0,3,0,0)" (without the quotes, of course).
Fixed. The search string should contain no spaces. |
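A scan built from the two checks given in this thread (the search string from the post above and the leftover SysConst.bak from the first post), as an added example that is not part of any post. The function names and the read size are assumptions of this example.

```python
import os
import sys

# Search string quoted in the thread (no spaces), as raw bytes.
MARKER = b"CreateFile(pchar(d+$bak$),0,0,0,3,0,0)"
CHUNK = 1 << 20  # assumed read size: 1 MiB per read


def file_has_marker(path, marker=MARKER, chunk=CHUNK):
    """True if the file contains marker, including across read boundaries."""
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk)
                if not block:
                    return False
                window = tail + block
                if marker in window:
                    return True
                # Keep the last len(marker)-1 bytes so a split marker is seen.
                tail = window[-(len(marker) - 1):]
    except OSError:
        return False  # unreadable files are reported as "no match"


def scan_tree(root):
    """Return (files containing the marker, directories holding SysConst.bak)."""
    hits, bak_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        # The first post: the original unit is kept as SysConst.bak.
        if any(name.lower() == "sysconst.bak" for name in files):
            bak_dirs.append(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            if file_has_marker(full):
                hits.append(full)
    return sorted(hits), sorted(bak_dirs)


if __name__ == "__main__":
    found, baks = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in found:
        print("search string found:", path)
    for folder in baks:
        print("SysConst.bak present:", folder)
```

The script file itself contains the search string, so it is listed when it lies inside the scanned tree.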
Re: Virus infects Delphi
Well, as this virus only infects rather old versions of Delphi it is not really a big problem. ;-)
And if the system is configured well, it has no chance to modify the Delphi installation. If one gives write access to the program files dir or works as admin (and under Vista without UAC), then one has to blame himself for making this decision. |
Re: Virus infects Delphi
Quote:
However, not all do so. It does not do anything serious. Just information. |
Re: Virus infects Delphi
It seems to be in the wild. Googling for the recommended search string results in a few pages: CreateFile(pchar(d+$bak$),0,0,0,3,0,0)
Right here:
Sherlock |
Re: Virus infects Delphi
And here is a comment by Kaspersky about it:
Sherlock |
Re: Virus infects Delphi
Well, the nice thing is that this "virus" version creates a backup, so it can be removed easily.
There is no need to look into C:\Programme\Borland\Delphi7\Source\Rtl\Sys\SysConst.pas, since it makes a copy, modifies that copy, compiles it and deletes it again. So simply check whether a C:\Programme\Borland\Delphi7\Lib\SysConst.bak exists, delete the SysConst.dcu next to it and rename the .bak to .dcu. |
Re: Virus infects Delphi
I'm just afraid it won't be long before versions appear that do without this *.bak...
|