On Saturday, 22.08.2009, 20:04 +0200, Mattias Gaertner wrote:
> On Sat, 22 Aug 2009 19:50:40 +0200
> Marc Santhoff <[email protected]> wrote:
>
> > On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
> > > Some more information on this...
> > >
> > > Its propagation mode is that it changes sysconst.dcu, and any app
> > > compiled and subsequently run on a machine which has Delphi
> > > installed has its sysconst.dcu infected. Fixing is easy, as your
> > > original sysconst.dcu is renamed sysconst.bak, so you just switch
> > > it back and make the directory non-writable.
> > >
> > > Details at:
> > >
> > > http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
> > >
> > > Cheers, Bruce.
> > >
> > > PS: of course it does not affect Lazarus :-)
> > >
> > > waldo kitty wrote:
> > > > Martin wrote:
> > > >> Just something I found:
> > > >>
> > > >> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
> >
> > In all those descriptions I miss the information on how the manipulated
> > sysconst.dcu has entered the system. There has to be some transporting
> > mechanism still undetected.
> >
> > Does anybody know how the infection works?
>
> It was explained on a German site:
> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679

Very fast as always. :)

> Basically it works like this:
> If you got infected all your created programs contain the virus.

That is the real question for me, where and how did the first infection occur.

> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
> virus.

I see, so one of those is suspected to be Patient Zero. It would be interesting to know how they got the virus.

> You as user download and execute the exe and the virus changes
> the sysconst.dcu. Apparently the file must be writable by the user and
> fit the Delphi version.

The nasty trick about the infection is that there is source code injected, not a binary some scanner could detect using signatures.

The second link has another one titled "discovered" and leading there:

http://www.viruslist.com/en/weblog?weblogid=208187826

Maybe it is time to secure publicly available software repos somehow (checksums or similar/more).

-- 
Marc Santhoff <[email protected]>
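
Added example, not part of the original thread: a Python check for the condition Bruce describes (a sysconst.bak sitting next to sysconst.dcu, and a library directory that is still writable), combined with the checksum idea from the last paragraph. The function names, the root directory argument and the known_good baseline of SHA-256 digests are assumptions; the thread gives no install paths or hashes.

```python
import hashlib
import os
import sys
import tempfile


def dir_writable(path):
    # Probe by creating (and auto-deleting) a temp file: os.access() does not
    # reflect directory ACLs on Windows. Note this touches the directory mtime.
    try:
        with tempfile.TemporaryFile(dir=path):
            return True
    except OSError:
        return False


def audit_sysconst(root, known_good=()):
    # Report every directory under root that holds sysconst.dcu.
    # known_good: SHA-256 digests of sysconst.dcu taken from trusted install
    # media (assumption: you build this baseline yourself).
    baseline = {h.lower() for h in known_good}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}  # Windows names are case-insensitive
        if "sysconst.dcu" not in names:
            continue
        with open(os.path.join(dirpath, names["sysconst.dcu"]), "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        findings.append({
            "dir": dirpath,
            "sha256": digest,
            # Indicator from the thread: the original is renamed sysconst.bak.
            "backup_present": "sysconst.bak" in names,
            # None means no baseline was supplied, so nothing can be concluded.
            "hash_trusted": (digest in baseline) if baseline else None,
            # Mitigation from the thread: the directory should not be writable.
            "dir_writable": dir_writable(dirpath),
        })
    return findings


def needs_attention(finding):
    # Flag on the .bak indicator or on a digest that is absent from the baseline.
    return finding["backup_present"] or finding["hash_trusted"] is False


if __name__ == "__main__":
    for f in audit_sysconst(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("CHECK" if needs_attention(f) else "ok", f)
```

A missing sysconst.bak does not show that the unit is untouched, since the backup can simply have been deleted; only the comparison against a trusted baseline covers that case.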
