Security Researchers Find Virus Targeting Delphi Programs

Security researchers have uncovered a virus with a rare modus operandi—it infects applications written in the Delphi programming language at compile time. 

The malware, detected as W32/Induc-A by Sophos, inserts itself into the source code of any Delphi program it finds on an infected computer. It then compiles itself into a finished executable. Right now, the virus does not have a malicious payload and appears to be focused on simply propagating itself. 

“Because a lot of Delphi installations, including manufacturers of pretty popular software packages, got infected, this is getting downloaded by the user. … People simply find, download and install QIP [chat client] or AIMP or 'Tidy Favorites' or 'Any TV Free' or some other Delphi utility, and by running it they get infected by the embedded virus,” explained Nick Bilogorskiy, manager of anti-virus research at SonicWall. 

When a file infected with W32/Induc-A finds a program written in Delphi, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu. This new, infected SysConst.dcu file will then add virus code to every new Delphi file that gets compiled on the system.

Over at Sophos, researchers received more than 3,000 unique samples of programs infected with the virus in the wild by Aug. 19. This indicates the malware has been active for some time, blogged Graham Cluley, senior technology consultant at Sophos. It is also likely that a number of software houses specializing in developing applications with Delphi are infected, he added.

"Delphi is frequently used to create bespoke software, either by small software houses or by internal teams,” wrote Cluley. “If you believe that you may be using software written in Delphi, you would be very wise to ensure that your anti-virus software is updated. Actually, regardless of whether you use Delphi-written apps, that's a good idea.”