Sunday, August 23, 2009

Are you affected by the Virus?

Hi folks,

Here is how you can check if your system is affected by the virus.
1. If you don't have Delphi 5, Delphi 6 or Delphi 7 on your system, you are not affected.
2. If you have Delphi 5-7 installed, check the $(Delphi)\Lib directory for SysConst.bak file.
If the SysConst.bak is not there, your system is not infected.

If you are infected here are the steps you can take to disinfect the system.
1. If you have downloaded the Delphi version of the libraries version 4.0.1 please download updated version 4.2 Prerelease 4 from .
2. Delete the $(Delphi)\Lib\SysConst.dcu
3. Rename $(Delphi)\Lib\SysConst.bak to $(Delphi)\Lib\SysConst.dcu
4. Use an anti-virus scanner to scan your system for any other executables that may contain the compiled code.
Currently only some of the anti-virus software applications detect the virus. The online PandaSoftware scanner does not detect it as of today. I have detected it with Avast - as it seems to be the first AV package to detect this virus.
Avast has free 60 days trail, and can be used to detect any infected executable. There should be very small number of those since the virus does not infect executables, and only modifies the SysConst.dcu file.
Once again, we are really sorry for the problems, but we had no way of detecting the presence of the malicious code since no anti-virus software was able to detect it :-( .

With best regards,
Boian Mitov


Frederico said...

Looks like I'm one of lucky ones to have the virus in my delphi (7)...
I've done all the steps that you mentioned in the article but the version 4.2 Prerelease 4 have all the EXE files infected (my antivirus program, Avira, detected "W32/Induc.A" in all EXE files).
So I would like to ask if this package is going to make the same that the last one.

Boian Mitov said...

Hi Frederico,

Before installing 4.2 P4 delete the LabPacks directory from the previous install.
The warning is actually a bug in the antivirus program. It detects the virus in the old file that is in about to be overwritten by the install.
Doing a clean install will result in no virus warning.