Nick Hodges

FAQ about the W32/Induc-A Virus (Compile-A-Virus)

24 Aug

We posted an FAQ about the W32/Induc-A Virus.  Hopefully it will answer those, well, questions that are frequently getting asked.  :-)  The virus is easy to detect and easy to fix and easy to prevent.

To highlight a few things:

  • This only affects older versions of Delphi – versions 4 – 7 specifically.
  • The virus isn’t malicious; it doesn’t actually do anything other than replicate itself.  It is really easy to remove, as the FAQ describes.
  • The particular technique used by the virus isn’t specific or unique to Delphi.  It can be used against almost any programming environment.  As Craig Stuntz notes in his blog, this technique was first described 25 years ago.
  • There is a lot of press interest in this, and rightly so.  Delphi is a very popular development environment with over 1.7 million users world-wide. Naturally such a virus will garner attention.
  • Just another reminder to keep your anti-virus software current and up to date.

12 Responses to “FAQ about the W32/Induc-A Virus (Compile-A-Virus)”

  1. Mason Wheeler Says:

    Careful with that "this virus isn’t malicious" assertion. Every virus is malicious. One that doesn’t do anything immediately harmful is still doing something very important: functional testing.

    Like the original email worms from several years back that just showed harmless, inane messages, they also provide useful feedback to the authors as to what techniques do and don’t work, and how effective they are. The compile-a-virus that’s going to do real damage is a few generations away.

  2. Mason Wheeler Says:

    (Ack! I must have messed up the close italics tag after the word "every". I wish I could edit comments on here…)

  3. Andreas Hausladen Says:

    > then the most effective way to ensure that you don’t
    > get the virus is to move your copy of DCC32.EXE to a
    > different directory.

    Yeah, that is also the most effective way to get into trouble with 3rd party installers that want to compile something.

  4. Andreas Hausladen Says:

    I should have read further:

    > To be absolutely safe, you can do a file compare between your
    > \lib directory and the \lib directory on the install image
    > on your CD.

    Ever hear of updates that were downloaded from the web? My Delphi 7 lib directory doesn’t match the one on the Installation CD. Guess why. I have installed all Delphi 7 updates.

  5. Fabricio Says:

    In that case, create a copy of the recent updated lib dir and put it on a pendrive and compare with it. Main D7 install occupies only a cd, anyway………
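
The baseline comparison discussed in comments 4 and 5, as an added example that is not part of the original post or its comments: it hashes every file under a known-good copy of the lib directory (taken after all updates were installed) and under the live one, then lists files that were modified, are missing, or are unexpected. The directory and file names in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's relative path (lower-cased, as Windows ignores case) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix().lower()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_lib(baseline_dir, live_dir):
    """Return files that differ from, are missing from, or were added to the baseline."""
    base, live = hash_tree(baseline_dir), hash_tree(live_dir)
    return {
        "modified": sorted(f for f in base.keys() & live.keys() if base[f] != live[f]),
        "missing": sorted(base.keys() - live.keys()),
        "unexpected": sorted(live.keys() - base.keys()),
    }


def demo():
    """Constructed sample: two tiny directories standing in for the baseline and live lib."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, live = Path(tmp, "baseline_lib"), Path(tmp, "live_lib")
        baseline.mkdir()
        live.mkdir()
        for name in ("Classes.dcu", "SysUtils.dcu"):
            (baseline / name).write_bytes(b"clean " + name.encode())
            (live / name).write_bytes(b"clean " + name.encode())
        # Simulate a unit that was rewritten on disk plus a leftover file next to it.
        (live / "SysUtils.dcu").write_bytes(b"recompiled with extra code")
        (live / "SysUtils.bak").write_bytes(b"clean SysUtils.dcu")
        return compare_lib(baseline, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Keep the baseline copy on read-only or offline media so that it cannot be altered along with the live directory.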

  6. Jeroen Pluimers Says:

    Gosh - never knew that thru was indeed a valid English word, but it is!
    http://dictionary.reference.com/browse/thru

    Never too old to learn something new :-)

    –jeroen

  7. dave-ilsw Says:

    > Just another reminder to keep your anti-virus
    > software current and up to date.

    Not really, considering that this virus flew under the radar for months, possibly years, before anyone noticed it.

  8. Jolyon Smith Says:

    Having criticised Embarcadero’s choice of language in previous responses to this issue, I think it only fair that I applaud this final result.

    I think this strikes the right balance of "this is a serious issue, but it’s not something to be too concerned about", plus a simple laying out of the facts.

    With what I would consider the ill-advised and inflammatory commentary previously emanating from some quarters w.r.t this issue, I can only hope that *this*, more measured response is received as the appropriate response (as it should be) and not perceived as an attempt to downplay the issue.

  9. Pratt Says:

    Speaking of virus, Avira Antivir claims that D2010 installation contains a virus.

    Virus or unwanted program ‘DR/Delphi.Gen [dropper]’
    detected in file ‘C:\TEMP\myah\core\A1D6B1FD\convert.exe’.

  10. GSA Says:

    The tool from http://www.gsa-online.de/eng/delphi_induc_cleaner.html could remove the Win32/Induc.A virus from the executables and leave them runnable.
    In case you have only the executable and no source to recompile it.

  11. Doug Eilertson Says:

    It is ironic that Andreas Hausladen’s name is floating out there with the Virut virus. Every time I boot his name pops up on my firewall trying to get on the ‘net. Following that a couple of *.tmp files pop up also along with 3 porno jpg’s on the desktop.

    If he works for Embarcadero, there should be an investigation and report. If it is him, he should be placed in solitary for the next 20 years.

  12. David Heffernan Says:

    @doug perhaps you should retract your baseless and insulting accusation while you still can. If anyone deserves punishment it is you - you should be stripped of your job and not allowed to have a computer on the grounds that only somebody who is truly incompetent would catch that virus. Even worse you aren’t able to disinfect yourself!


© 2010 Nick Hodges | Entries (RSS) and Comments (RSS)
