NEWS FROM THE LAB - Tuesday, August 18, 2009

0wn1ng Delphi Posted by Response @ 03:21 GMT

Here's an interesting move recently found being used by some malware targeting Delphi.

The malware first checks whether the installed Delphi version is between 4 and 7, then overwrites $DELPHI_DIR$\source\rtl\sys\SysConsts.pas with a copy containing its malicious code. After this, SysConsts.pas is deleted.

The malware saves a clean copy of SysConsts.dcu as SysConst.bak and adds a call to its own init function at the entry point of the SysConsts.dcu library.

When a program is compiled with an infected version of SysConsts.dcu, it will have something like the malicious code snippet below:

[Image: Delphi Virus - disassembly of the malicious code snippet]

Subsequently, whenever the compiled program is executed, the malicious code in the program checks for SysConst.bak; if it is not found, it tries to re-infect Delphi.
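The three artifacts the post names (a SysConst.bak left beside the compiled unit, a missing SysConsts.pas source file, and a SysConsts.dcu that no longer matches a known-good copy) make a simple integrity check possible. The script below is an added illustration written for this page, not F-Secure's tooling; it builds a throwaway directory tree in the post's layout (constructed sample bytes, not real Delphi files) and reports which indicators are present. The function names, the baseline hash and the sample contents are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List, Optional

# Layout relative to the Delphi install directory, as named in the post.
RTL_SYS = Path("source") / "rtl" / "sys"
SOURCE_FILE = "SysConsts.pas"   # source unit the infector overwrites, then deletes
COMPILED_UNIT = "SysConsts.dcu"  # compiled unit that receives the extra init call
BACKUP_FILE = "SysConst.bak"     # clean copy the infector leaves behind


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_delphi_install(delphi_dir: Path,
                         baseline_dcu_sha256: Optional[str] = None) -> List[str]:
    """Return a list of indicator strings; an empty list means none of the
    post's artifacts were found. The baseline hash is the operator's own
    known-good SysConsts.dcu (hypothetical value supplied by the caller)."""
    sys_dir = Path(delphi_dir) / RTL_SYS
    findings: List[str] = []
    if not sys_dir.is_dir():
        return [f"missing directory {sys_dir}"]
    if (sys_dir / BACKUP_FILE).exists():
        findings.append(f"{BACKUP_FILE} present (backup of the clean unit)")
    if not (sys_dir / SOURCE_FILE).exists():
        findings.append(f"{SOURCE_FILE} missing (source deleted after infection)")
    dcu = sys_dir / COMPILED_UNIT
    if not dcu.exists():
        findings.append(f"{COMPILED_UNIT} missing")
    elif baseline_dcu_sha256 is not None and sha256_of(dcu) != baseline_dcu_sha256:
        findings.append(f"{COMPILED_UNIT} hash differs from known-good baseline")
    return findings


# Constructed sample content standing in for the real compiled unit.
CLEAN_DCU_BYTES = b"clean-dcu-bytes"
CLEAN_DCU_SHA256 = hashlib.sha256(CLEAN_DCU_BYTES).hexdigest()


def build_sample_install(infected: bool) -> Path:
    """Create a temporary tree mimicking $DELPHI_DIR$ in either state
    (constructed sample files, not a real Delphi installation)."""
    root = Path(tempfile.mkdtemp(prefix="delphi_"))
    sys_dir = root / RTL_SYS
    sys_dir.mkdir(parents=True)
    if infected:
        # Backup present, source gone, compiled unit altered.
        (sys_dir / BACKUP_FILE).write_bytes(CLEAN_DCU_BYTES)
        (sys_dir / COMPILED_UNIT).write_bytes(b"dcu-with-extra-init-call")
    else:
        (sys_dir / SOURCE_FILE).write_text("unit SysConsts;\n")
        (sys_dir / COMPILED_UNIT).write_bytes(CLEAN_DCU_BYTES)
    return root


if __name__ == "__main__":
    for state in (False, True):
        root = build_sample_install(infected=state)
        label = "infected" if state else "clean"
        print(label, check_delphi_install(root, CLEAN_DCU_SHA256))
```

Run against a real installation, point `check_delphi_install` at the Delphi root and pass the SHA-256 of a SysConsts.dcu taken from pristine installation media; the hash comparison is the check that matters, since a cleaned-up infection could remove the .bak and restore the .pas while leaving the modified unit in place.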

In this case, the malware is basically just ensuring that Delphi stays infected. Still, it's another mechanism for spreading malware around.

We currently detect this as: Virus.Win32.Induc.a.

The same finding is also reported here (Russian).