Compile-a-virus – W32/Induc-A

Here’s something you don’t see every day – a virus that infects Delphi files … at compile-time.

When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system – some of the strings from the inserted code look like this:


If you find detections of this in 3rd-party software, you might want to contact your suppliers to let them know they need to have a look at their system … and also take care to check machines you might have with Delphi installed.
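One way to triage a machine with Delphi installed, using only the file behaviour described above (an added example, not code from the original post or from Sophos): it walks a directory you point it at, finds each SysConst.dcu, and flags it when a SysConst.bak with different content sits beside it. The `scan` and `demo` names and the sample tree are constructed for illustration, and a hit is a reason to investigate rather than a verdict.

```python
import hashlib
import os
import sys
import tempfile

# File names come from the article; compare lower-cased (Windows paths).
DCU, BAK, PAS = "sysconst.dcu", "sysconst.bak", "sysconst.pas"

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(root):
    """Return one finding per directory under root holding SysConst.dcu."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): os.path.join(dirpath, f) for f in files}
        if DCU not in names:
            continue
        dcu = sha256(names[DCU])
        bak = sha256(names[BAK]) if BAK in names else None
        findings.append({
            "dir": dirpath,
            "dcu_sha256": dcu,
            "bak_sha256": bak,
            # Informational only: source file next to the compiled unit.
            "pas_beside_dcu": PAS in names,
            # Backup differs from live unit: the unit was replaced.
            "suspicious": bak is not None and bak != dcu,
        })
    return findings

def demo():
    """Constructed sample tree: one untouched unit, one replaced unit."""
    tree = {
        "clean": {"SysConst.dcu": b"original unit"},
        "tampered": {"SysConst.dcu": b"rebuilt unit", "SysConst.bak": b"original unit",
                     "SysConst.pas": b"unit SysConst;"},
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, files in tree.items():
            os.makedirs(os.path.join(root, sub))
            for name, data in files.items():
                with open(os.path.join(root, sub, name), "wb") as f:
                    f.write(data)
        return {os.path.basename(r["dir"]): r for r in scan(root)}

if __name__ == "__main__":
    for r in scan(sys.argv[1]) if len(sys.argv) > 1 else demo().values():
        print(r)
```

Run it with the Delphi installation directory as the argument, then compare the reported hashes against a known-good copy of the unit.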

There’s a classic paper called Reflections on Trusting Trust, which concludes that you can’t trust code that you didn’t write yourself from the very lowest level – this is a great example of where compiling the code yourself doesn’t necessarily mean that it’s clean.

Update: Please be aware – this virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected. Sophos has received thousands of reports of programs infected by W32/Induc-A. Learn more on Graham Cluley’s blog.