On Sat, 22 Aug 2009, Mattias Gaertner wrote:
On Sat, 22 Aug 2009 20:22:14 +0200 (CEST)
Michael Van Canneyt <[email protected]> wrote:
On Sat, 22 Aug 2009, Mattias Gaertner wrote:
On Sat, 22 Aug 2009 19:50:40 +0200
Marc Santhoff <[email protected]> wrote:
On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
Some more information on this...
Its propagation mode is that it changes sysconst.dcu, and any app
compiled and subsequently run on a machine which has delphi
installed has its sysconst.dcu infected. Fixing is easy, as your
original sysconst.dcu is renamed sysconst.bak, so you just switch
it back and make the directory non-writable.
Details at:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
Cheers, Bruce.
PS: of course it does not affect Lazarus :-)
waldo kitty wrote:
Martin wrote:
Just something I found:
http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
In all those descriptions I miss the information on how the
manipulated sysconst.dcu has entered the system. There has to be
some transporting mechanism still undetected.
Does anybody know how the infection works?
It was explained on a german site:
http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
Basically it works like this:
If you got infected all your created programs contain the virus.
Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
virus. You as user download and execute the exe and the virus
changes the sysconst.dcu. Apparently the file must be writable by
the user and fit the Delphi version.
As I understood it, it modified the .pas file, and placed the
modified file in the LIB directory (where the .dcu is located), thus
causing the file to be recompiled and included every time one
compiles a program. The Delphi version was irrelevant.
Where did you get that from?
http://www.sophos.com/blogs/sophoslabs/v/post/6195
They speak of
"Sophos has issued Genotype detection (Mal/Induc-A, Mal/Induc-B) for all
infected versions of SysConst.dcu and SysConst.pas that we are aware of."
See also
http://www.sophos.com/blogs/sophoslabs/?p=6117
"When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi
installation on the current machine. If it finds one, it tries to write malicious
code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old
copy of this file to SysConst.bak). The new infected SysConst.dcu file will then
add W32/Induc-A code to every new Delphi file that gets compiled on the system -
some of the strings from the inserted code look like this:"
They provide a look at the sysconst.pas file after infection.
Does the lazarus windows installer install writable ppus?
AFAIK, it must, otherwise Lazarus cannot be recompiled?
?
For years Lazarus has checked whether the directory is writable and, if
not, used its config directory \bin as output directory.
Ah. I didn't know that :-)
In each case, if it works on the source level, there is nothing to be
done.
Clever trick, however you look at it :-)
If you try that with fpc you get:
PPU Loading /usr/lib/fpc/2.3.1/units/i386-linux/rtl/sysutils.ppu
Recompiling sysutils, checksum changed for sysconst
Fatal: Can't find unit sysutils used by Classes
Probably the author found a way to keep the checksum ?
Michael.
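The thread mentions two things a defender can check on a Delphi unit directory: whether the infector left the original unit behind as SysConst.bak (and a SysConst.pas beside the .dcu, which gets recompiled into every build), and whether the directory is writable by the ordinary user at all. The following script is an added example written for this thread, not code from the list or from any of the vendors quoted above; it only reports, it does not restore or delete anything, and the sample directories it builds are constructed placeholders, not real Delphi units.

```python
import os
import tempfile
from pathlib import Path

# Names taken from the thread: the infector saves the old SysConst.dcu as
# SysConst.bak and recompiles a modified SysConst.pas. Compared case-insensitively
# because Windows file systems are case-insensitive.
SUSPECT_BAK = "sysconst.bak"
SUSPECT_PAS = "sysconst.pas"
UNIT_DCU = "sysconst.dcu"


def assess_lib_dir(lib_dir):
    """Report indicators for one Delphi Lib directory.

    Returns a dict with boolean flags and a list of human-readable findings.
    Nothing is modified; the operator decides what to do with the result.
    """
    lib = Path(lib_dir)
    if not lib.is_dir():
        return {"exists": False, "writable": False, "sysconst_bak": False,
                "sysconst_pas": False, "findings": ["directory not found"]}

    names = {p.name.lower() for p in lib.iterdir()}
    has_bak = SUSPECT_BAK in names
    has_pas = SUSPECT_PAS in names
    # os.access is a best-effort check; on Windows with ACLs it may over-report
    # writability, so treat a True here as "verify with the real permissions".
    writable = os.access(lib, os.W_OK)

    findings = []
    if has_bak:
        findings.append("SysConst.bak present next to SysConst.dcu: the original unit "
                        "was set aside, as the thread describes; compare the two files")
    if has_pas:
        findings.append("SysConst.pas present in the unit output directory: it will be "
                        "recompiled into every program built here; inspect it")
    if writable:
        findings.append("directory is writable by the current user; make it read-only "
                        "once the unit has been verified against a known-good copy")
    if not findings:
        findings.append("no indicators found")
    return {"exists": True, "writable": writable, "sysconst_bak": has_bak,
            "sysconst_pas": has_pas, "findings": findings}


def build_sample_dir(root, leave_bak):
    """Construct a placeholder Lib directory for demonstration (not real units)."""
    lib = Path(root) / "Lib"
    lib.mkdir()
    (lib / "SysConst.dcu").write_bytes(b"constructed placeholder, not a real unit")
    if leave_bak:
        # Mimics only the file layout the thread describes: a .bak beside the .dcu.
        (lib / "SysConst.bak").write_bytes(b"constructed placeholder of the old unit")
        (lib / "SysConst.pas").write_text("// constructed placeholder source\n")
    return lib


def demo(leave_bak):
    """Build a sample directory in a temp location and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess_lib_dir(build_sample_dir(tmp, leave_bak))


if __name__ == "__main__":
    for label, flag in (("suspicious layout", True), ("clean layout", False)):
        result = demo(flag)
        print(f"{label}:")
        for line in result["findings"]:
            print("  -", line)
```

Run it as-is to see both sample layouts assessed; to check a real installation, call assess_lib_dir() with the path of the Delphi Lib directory instead of the constructed one. A SysConst.bak on its own is not proof of infection, but together with a writable directory it is exactly the state the thread says the infector produces, so it is worth a look before compiling anything further.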
--
_______________________________________________
Lazarus mailing list
[email protected]
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus