Virus that attacks Delphi library units

[Kambiz]

Antivirus experts have found an odd virus that attacks Delphi library units to get compiled into your programs. The W32/Induc-A virus doesn't affect executable files, but looks for a Delphi installation (apparently versions 5, 6 and 7), modifies SysConst.pas (backing up the original) and gets compiled by Delphi into your own programs, to keep spreading.

Read the rest of article in Marco Cantu's blog: http://blog.marcocantu.com/blog/virus_a ... elphi.html

[HPW]

Unfourtunatly neosoft's and my development system gets infected with the W32/Induc-A in 04/05.2009 !
After getting the first info about it a few days ago we had to react fast to get updates out, because many Antivirus-Software
now start to find it.

So after recompiling each of my plugins, we are back on normal duty.

A sad thing for delphi and it's community!

[Kambiz]

My computer is infected too, and I don't now how to get rid of it.

[HPW]

Sorry for late reply.

Look in your delphi /Lib folder for the SysConst.bak
When it is there you will see that it is smaller than the current SysConst.dcu
The BAK is the clean old version.
Copy the bak over SysConst.dcu so you have 2 identical files. (BAK+DCU)

Then you can recompile all your stuff with the clean delphi.
The virus in other EXE checks the presents of the bak and does no more action.
Another security action is then to set the directory lib to write-protected.

[Kambiz]

Thank you!