Incidents continue to be detected in which a specific library (SysConst) of Delphi, a programming language developed by Borland (versions 4.0 to 7.0), was maliciously modified so that every EXE and DLL file compiled with it carries the virus code. Delphi program developers are therefore asked to pay special attention.
Below are the VirusTotal results for the same infected file, analyzed on July 4th and on August 19th. In July only a few vendors detected the file as a virus; by August many vendors recognized it.
The file used for the analysis was the Uninstall.exe (UPX-packed executable) of a Korean music player.
MD5 : 38fb61b98dd46c7947f5f3aa6c9a3252
SHA256 : 8919489a83222206a8f582bf38612d925c619fd58196de66660ba0134074283f
It can therefore be concluded that the infected file was already in circulation by the beginning of July.
[Scan Result of July 4th 2009]
http://www.virustotal.com/analisis/8919489a83222206a8f582bf38612d925c619fd58196de66660ba0134074283f-1246727824
[Scan Result of August 19th 2009]
http://www.virustotal.com/analisis/8919489a83222206a8f582bf38612d925c619fd58196de66660ba0134074283f-1250686830
This virus is identified as Win32.Induc.A or Virus.Win32.Induc.a. If the Delphi development environment is infected, every newly built program will contain the virus and distribute it further.
What sets this virus apart from existing computer viruses is that it does not search for other executable files such as EXE, DLL, and SCR in order to infect them and spread that way.
Its implications are serious because unintended malicious code is built into the output at the development stage itself, which makes it a critical security threat.
Furthermore, once a developer completes an infected program, the developer may deliberately compress and encode the file for protection purposes, thereby creating new variants of the malware.
This may in turn demand a range of anti-virus capabilities.
According to what INCA Internet Security Response Center (ISARC) has verified so far, a music player program registered on a well-known Korean file-sharing website appears to have been infected and to have spread the virus to end users through downloads.
The following screen shows the internal code of an actually infected file, including the virus execution code.

[Infection Steps]
1. Check the following registry keys to determine whether a Delphi product (version 4.0~7.0) is installed.
- HKLM\Software\Borland\Delphi\4.0
- HKLM\Software\Borland\Delphi\5.0
- HKLM\Software\Borland\Delphi\6.0
- HKLM\Software\Borland\Delphi\7.0
2. Check the directory in which Delphi is installed.
Ex) RootDir - C:\Program Files\Borland\Delphi7
3. Check for the SysConst.pas file in the Delphi installation path.
Ex) C:\Program Files\Borland\Delphi7\source\rtl\sys\SysConst.pas
4. If the file exists, copy it to the Lib folder, injecting the virus routine into the source code.
Ex) C:\Program Files\Borland\Delphi7\Lib\SysConst.pas
5. Save the original SysConst.dcu file in the Lib folder as a backup file named SysConst.bak.
6. Run DCC32.EXE to compile the infected source file (SysConst.pas), producing an infected SysConst.dcu file.
7. Once the infected SysConst.dcu file has been produced, the infected SysConst.pas source file is deleted.
* Inner image of an infected DCU file

8. Through this infected Delphi Compiled Unit file, every future build (compilation) with the Delphi program will include the virus.
9. The infected file may then be packed by the programmer with various executable compressors (UPX, Upack, PECompact, etc.) or have its file structure changed when it is turned into an installer.
[Modified DCU Manual Solution]
* A SysConst.dcu file modified by the virus code injection can be repaired manually as follows.
File Before Infection: C:\Program Files\Borland\Delphi7\Lib\SysConst.bak
File After Infection: C:\Program Files\Borland\Delphi7\Lib\SysConst.dcu
Delete the infected, modified SysConst.dcu file, then rename the SysConst.bak file to SysConst.dcu.
Repair other infected EXE and DLL files with anti-virus software, and ask the developers to distribute a clean rebuild.
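The infection steps and the manual fix above translate into a simple host check. The following is an added example, not part of the original advisory: given a Delphi RootDir (on a real host read from the HKLM\Software\Borland\Delphi\<version> key named in step 1), it reports the artifacts the steps leave behind in Lib (a SysConst.bak beside SysConst.dcu, a leftover SysConst.pas, a .dcu that differs from its backup) and performs the rename-based repair; the sample directory tree it builds is constructed for illustration.

```python
import tempfile
from pathlib import Path

# Files named in the advisory, relative to the Delphi RootDir (on a real
# host RootDir comes from HKLM\Software\Borland\Delphi\<version>).
LIB_DCU = Path("Lib", "SysConst.dcu")
LIB_BAK = Path("Lib", "SysConst.bak")
LIB_PAS = Path("Lib", "SysConst.pas")


def assess_delphi_install(rootdir):
    """Indicators matching the infection steps: SysConst.bak beside the .dcu
    (step 5), a SysConst.pas left in Lib (step 4 without step 7)."""
    root = Path(rootdir)
    dcu, bak = root / LIB_DCU, root / LIB_BAK
    findings = []
    if bak.is_file():
        findings.append("backup_present")
    if (root / LIB_PAS).is_file():
        findings.append("source_in_lib")
    if dcu.is_file() and bak.is_file() and dcu.read_bytes() != bak.read_bytes():
        findings.append("dcu_differs_from_backup")
    return findings


def restore_sysconst(rootdir):
    """Manual fix from the advisory: delete the modified .dcu, rename .bak."""
    root = Path(rootdir)
    dcu, bak = root / LIB_DCU, root / LIB_BAK
    if not bak.is_file():
        return False  # no backup to restore; a clean reinstall is needed
    if dcu.exists():
        dcu.unlink()
    bak.rename(dcu)
    return True


def build_sample_install():
    """Constructed temp tree mimicking a post-infection Lib folder."""
    root = Path(tempfile.mkdtemp(prefix="delphi7_"))
    (root / "Lib").mkdir()
    (root / LIB_BAK).write_bytes(b"ORIGINAL-DCU")  # constructed stand-in
    (root / LIB_DCU).write_bytes(b"MODIFIED-DCU")  # constructed stand-in
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    print(assess_delphi_install(sample))  # ['backup_present', 'dcu_differs_from_backup']
    restore_sysconst(sample)
    print(assess_delphi_install(sample))  # []
```

The byte comparison only flags a modified unit when the backup survived; if the backup is missing, rebuild the unit from a clean Delphi installation instead of trusting the .dcu that is present.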
[Written by Chong-Hyun Moon, Security Response Team Manager of INCA Internet]