Delphi-PRAXiS

Delphi-PRAXiS (https://www.delphipraxis.net/forum.php)
-   Die Delphi-IDE (https://www.delphipraxis.net/62-die-delphi-ide/)
-   -   Virus infects Delphi (https://www.delphipraxis.net/138595-virus-infects-delphi.html)

Andy BitOff 13. Aug 2009 10:21


Virus infects Delphi
 
A new virus infects Delphi installations.
The infected program searches for installed versions of Delphi and modifies SysConst.dcu in each of them; the old version is saved as SysConst.bak.
After infection, all Delphi projects compiled on this computer start infecting Delphi on every computer they are launched on. The virus does not cause any harm except a "Runtime error 3" exception, which appears when an infected program is launched if the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Delphi\x.0 (x = 4–7) contains a wrong RootDir value.

Check your Delphi versions, and if you find SysConst.bak, do the following:
1. Remove SysConst.dcu
2. Copy SysConst.bak to SysConst.dcu. The remaining SysConst.bak keeps the system from repeated infections.

The virus does nothing, it only spreads itself. Here is the code:

Delphi source code:
uses windows;

var sc:array[1..24] of string=('uses windows; var sc:array[1..24] of string=(',
'function x(s:string):string;var i:integer;begin for i:=1 to length(s) do if s[i]',

*SNIP*  // we do not want the full code here

'1; while c[i]<>#0 do begin r:=r+c[i];inc(i);end;re(r+$\source\rtl\sys\SysConst$+',
'$.pas$,r+$\lib\sysconst.$,$"$+r+$\bin\dcc32.exe" $);end;RegCloseKey(k);end; end;',
'begin st; end.');

[edit=Admin]reduced the code ... we do not need a fully working example here. Regards, Daniel[/edit]

Mithrandir 13. Aug 2009 10:59

Re: Virus infects Delphi
 
Thanks for dropping a post on this issue. :thumb:

But, is this virus already "in the wild"? Anything known about the origin? Didn't find any non-Russian info on this topic...

Andy BitOff 13. Aug 2009 11:15

Re: Virus infects Delphi
 
Quote:

Quote from Daniel G
Thanks for dropping a post on this issue. :thumb:

But, is this virus already "in the wild"? Anything known about the origin? Didn't find any non-Russian info on this topic...

Unfortunately not. Information about it came only two days ago, from examining the "Runtime error 3" that had appeared for one user as early as May.
It is also known that QIP 8094 and AIMP 2 Beta Build 470 are infected.
There is no more information.



Andy BitOff 13. Aug 2009 11:41

Re: Virus infects Delphi
 
To quickly determine which files are infected with the virus, you can simply search all files on all drives for, for example, the line "CreateFile(pchar(d+$bak$),0,0,0,3,0,0)" (without the quotes, of course).


Fixed.
The search string should contain no spaces.



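A scanner that implements the search Andy BitOff describes, written as an added example for this thread and not code posted by anyone in it: it walks a directory tree and reports every file that contains the exact byte string `CreateFile(pchar(d+$bak$),0,0,0,3,0,0)`. Files are read in chunks with an overlap of one signature length so a match that straddles a chunk boundary is still found, and a copy of the string with spaces after the commas is deliberately not matched, which is why the post says the search string must have no spaces. The suffix filter (`.exe`, `.dll`, `.dcu`) is an assumption of this example, and the files, contents and 64-byte chunk size in `demo()` are constructed sample data.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional

# The search string recommended in the thread, written without spaces exactly as
# it appears in an infected binary's embedded source text.
SIGNATURE = b"CreateFile(pchar(d+$bak$),0,0,0,3,0,0)"

DEFAULT_CHUNK = 1 << 20  # read window of 1 MiB

# Suffixes worth scanning: compiled Delphi output and the replaced unit.
# This filter is an assumption of this example, not something from the thread.
DEFAULT_SUFFIXES = (".exe", ".dll", ".dcu")


def file_contains(path: Path, needle: bytes = SIGNATURE,
                  chunk_size: int = DEFAULT_CHUNK) -> bool:
    """Return True if `needle` occurs anywhere in the file.

    The file is read in chunks; the last len(needle)-1 bytes of the previous
    chunk are prepended to the next one so a match straddling a boundary is found.
    """
    overlap = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-overlap:] if overlap else b""


def scan_tree(root: Path, needle: bytes = SIGNATURE,
              suffixes: Optional[Iterable[str]] = DEFAULT_SUFFIXES,
              chunk_size: int = DEFAULT_CHUNK) -> List[Path]:
    """Walk `root` and return the files (sorted) that contain `needle`.

    Files whose suffix is not in `suffixes` are skipped; pass suffixes=None to
    check every file. Unreadable or locked files are skipped rather than fatal.
    """
    wanted = None if suffixes is None else {s.lower() for s in suffixes}
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if wanted is not None and p.suffix.lower() not in wanted:
                continue
            try:
                if file_contains(p, needle, chunk_size):
                    hits.append(p)
            except OSError:
                continue
    return sorted(hits)


def demo() -> List[str]:
    """Run the scanner over a constructed sample tree and return the hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.exe").write_bytes(b"MZ" + b"\x00" * 200)
        (root / "infected.exe").write_bytes(b"MZ" + b"\x00" * 100 + SIGNATURE + b"\x00" * 100)
        # signature starting at offset 60 straddles the 64-byte chunks used below
        (root / "straddle.exe").write_bytes(b"\x00" * 60 + SIGNATURE + b"\x00" * 60)
        # a copy with spaces after the commas must not match (hence "no spaces")
        (root / "spaced.exe").write_bytes(SIGNATURE.replace(b",", b", "))
        # wrong suffix: skipped by the default filter even though it holds the string
        (root / "notes.txt").write_bytes(SIGNATURE)
        return [p.name for p in scan_tree(root, chunk_size=64)]


if __name__ == "__main__":
    import sys
    start = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit in scan_tree(start):
        print(hit)
```

Run it with the drive or directory to check as the first argument; a hit means the file carries the virus's embedded source and should be treated as infected, and its build machine's Delphi installations checked for SysConst.bak.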

jaenicke 13. Aug 2009 12:40

Re: Virus infects Delphi
 
Well, as this virus only infects rather old versions of Delphi it is not really a big problem. ;-)

And if the system is configured well, it has no chance to modify the Delphi installation. If one gives write access to the program files dir or works as admin (and under Vista without UAC), then one has to blame himself for making this decision.

Andy BitOff 13. Aug 2009 13:13

Re: Virus infects Delphi
 
Quote:

Quote from jaenicke
Well, as this virus only infects rather old versions of Delphi it is not really a big problem. ;-)

And if the system is configured well, it has no chance to modify the Delphi installation. If one gives write access to the program files dir or works as admin (and under Vista without UAC), then one has to blame himself for making this decision.

Surely.
However, not everyone does so. It does not do anything serious. This is just information.



Sherlock 13. Aug 2009 13:58

Re: Virus infects Delphi
 
It seems to be in the wild. Googling for the recommended search string results in a few pages. [google]CreateFile(pchar(d+$bak$),0,0,0,3,0,0)[/google]
Right here: http://forum.cheatengine.org/viewtop...8c403c0a65cbc5 it was discovered on April 21st.

Sherlock

Sherlock 18. Aug 2009 08:50

Re: Virus infects Delphi
 
And here is a comment by Kaspersky about it:
http://www.viruslist.com/en/weblog?weblogid=208187826

Sherlock

himitsu 18. Aug 2009 10:25

Re: Virus infects Delphi
 
What's nice is that this "virus" version creates a backup, so it can be removed easily.

There's no need to look into C:\Programme\Borland\Delphi7\Source\Rtl\Sys\SysConst.pas, since it makes a copy, modifies that, compiles it and deletes it again.

So just check whether a C:\Programme\Borland\Delphi7\Lib\SysConst.bak exists.

Delete the SysConst.dcu next to it and rename the .bak to .dcu.
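The check and cleanup from the first post (look for SysConst.bak, remove SysConst.dcu, restore the .bak as .dcu while leaving the .bak in place) and the same steps in himitsu's post above, as an added example that is not code from the thread. `delphi_roots_from_registry` reads the RootDir value of the HKLM\SOFTWARE\Borland\Delphi\x.0 keys the first post names and only runs on Windows; the `Lib` subdirectory follows the path himitsu gives. Treating a SysConst.dcu that differs byte for byte from SysConst.bak as "needs restore" is an assumption of this example, and the fake Delphi7 directory and file contents in `demo()` are constructed sample data.

```python
import shutil
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# The Delphi versions whose registry keys the first post names (x.0 with x = 4..7).
DELPHI_VERSIONS = ("4.0", "5.0", "6.0", "7.0")


def delphi_roots_from_registry() -> List[Path]:
    r"""Return the RootDir of each installed HKLM\SOFTWARE\Borland\Delphi\x.0 key.

    Windows only; returns [] elsewhere. On 64-bit Windows the 32-bit Borland
    keys live in the WOW6432 view, so both views are tried.
    """
    if sys.platform != "win32":
        return []
    import winreg
    roots: List[Path] = []
    for ver in DELPHI_VERSIONS:
        subkey = "SOFTWARE\\Borland\\Delphi\\" + ver
        for access in (winreg.KEY_READ, winreg.KEY_READ | winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
                    value, _kind = winreg.QueryValueEx(key, "RootDir")
                roots.append(Path(value))
                break
            except OSError:
                continue
    return roots


def has_bak_marker(root: Path) -> bool:
    r"""True when Lib\SysConst.bak exists, i.e. the virus has modified this install
    at some point. The marker also keeps the virus from modifying it again."""
    return (root / "Lib" / "SysConst.bak").is_file()


def needs_restore(root: Path) -> bool:
    r"""True when the .bak exists but Lib\SysConst.dcu is missing or differs from it.
    (Assumption of this example: after a correct restore the two files are identical.)"""
    lib = root / "Lib"
    bak, dcu = lib / "SysConst.bak", lib / "SysConst.dcu"
    if not bak.is_file():
        return False
    if not dcu.is_file():
        return True
    return bak.read_bytes() != dcu.read_bytes()


def restore_sysconst(root: Path, dry_run: bool = False) -> List[str]:
    r"""Steps 1 and 2 from the first post for one Delphi root directory.

    Removes Lib\SysConst.dcu and copies Lib\SysConst.bak over it. The .bak is
    left in place on purpose. Returns the actions taken (with dry_run=True,
    the actions that would be taken).
    """
    lib = root / "Lib"
    bak, dcu = lib / "SysConst.bak", lib / "SysConst.dcu"
    actions: List[str] = []
    if not bak.is_file():
        return actions
    if dcu.exists():
        actions.append(f"remove {dcu}")
        if not dry_run:
            dcu.unlink()
    actions.append(f"copy {bak} -> {dcu}")
    if not dry_run:
        shutil.copy2(bak, dcu)
    return actions


def demo() -> Tuple[bool, bytes, bool, bool]:
    """Clean a constructed, fake Delphi 7 root and report the before/after state."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Delphi7" / "Lib"
        lib.mkdir(parents=True)
        (lib / "SysConst.bak").write_bytes(b"ORIGINAL-DCU")  # constructed sample
        (lib / "SysConst.dcu").write_bytes(b"MODIFIED-DCU")  # constructed sample
        root = lib.parent
        before = needs_restore(root)
        restore_sysconst(root)
        return (before, (lib / "SysConst.dcu").read_bytes(),
                needs_restore(root), has_bak_marker(root))


if __name__ == "__main__":
    # Usage: python check_sysconst.py [--dry-run] [DelphiRootDir ...]
    dry = "--dry-run" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    for root in [Path(a) for a in args] or delphi_roots_from_registry():
        print(f"{root}: marker={has_bak_marker(root)} needs_restore={needs_restore(root)}")
        for action in restore_sysconst(root, dry_run=dry):
            print("  " + action)
```

Run with `--dry-run` first to see which installations would be touched. Note that the .bak marker stays after cleanup, so `has_bak_marker` alone does not tell you whether a restore is still pending; `needs_restore` does.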

Mithrandir 18. Aug 2009 10:30

Re: Virus infects Delphi
 
I'm just afraid it won't be long before versions show up that do without this *.bak...

