[Lazarus] delphi - virus

Michael Van Canneyt michael at freepascal.org
Sat Aug 22 20:22:14 CEST 2009

On Sat, 22 Aug 2009, Mattias Gaertner wrote:

> On Sat, 22 Aug 2009 19:50:40 +0200
> Marc Santhoff <M.Santhoff at web.de> wrote:
>> On Friday, 21.08.2009, 11:08 +1000, Bruce Tulloch wrote:
>>> Some more information on this...
>>> Its propagation mode is that it changes sysconst.dcu, and any app
>>> compiled and subsequently run on a machine which has delphi
>>> installed has its sysconst.dcu infected. Fixing is easy, as your
>>> original sysconst.dcu is renamed sysconst.bak, so you just switch
>>> it back and make the directory non-writable.
>>> Details at:
>>> http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
>>> Cheers, Bruce.
>>> PS: of course it does not affect Lazarus :-)
>>> waldo kitty wrote:
>>>> Martin wrote:
>>>>> Just something I found:
>>>>> http://www.h-online.com/security/Virus-infects-development-environment--/news/114031
>> In all those descriptions I miss the information on how the manipulated
>> sysconst.dcu has entered the system. There has to be some transporting
>> mechanism still undetected.
>> Does anybody know how the infection works?
> It was explained on a German site:
> http://www.heise.de/newsticker/Virus-infiziert-Entwicklungsumgebung-Update--/meldung/143679
> Basically it works like this:
> If you got infected all your created programs contain the virus.
> Namely the programmers of Free 2.41 and Tidy Favorites 4.1 had the
> virus. You as user download and execute the exe and the virus changes
> the sysconst.dcu. Apparently the file must be writable by the user and
> fit the Delphi version.

As I understood it, it modified the .pas file, and placed the modified file
in the LIB directory (where the .dcu is located), thus causing the file to
be recompiled and included every time one compiles a program.
The Delphi version was irrelevant.

> Does the lazarus windows installer install writable ppus?

AFAIK, it must, otherwise Lazarus cannot be recompiled?

In each case, if it works on the source level, there is nothing to be done.

Clever trick, however you look at it :-)
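
Added example, not part of the original message or of any Lazarus/Delphi tooling: a check for the indicators named in this thread (a sysconst.bak next to sysconst.dcu, a sysconst.pas placed in the same directory, and a user-writable lib directory). It assumes the install root to scan is passed on the command line; the finding codes and function names are made up for this sketch.

```python
import os
import sys
import tempfile

# File names come from the thread; Windows names are case-insensitive.
UNIT, BACKUP, SOURCE = "sysconst.dcu", "sysconst.bak", "sysconst.pas"

MESSAGES = {
    "backup": "sysconst.bak present: sysconst.dcu may have been replaced",
    "source": "sysconst.pas sits beside the .dcu (source-level variant)",
    "writable": "directory is writable by the current user",
}


def is_writable(path):
    """Probe by creating a temporary file; os.access is unreliable on Windows."""
    try:
        with tempfile.TemporaryFile(dir=path):
            return True
    except OSError:
        return False


def check_lib_dir(path, names):
    """Return finding codes for one directory that holds sysconst.dcu."""
    lower = {n.lower() for n in names}
    found = [code for code, name in (("backup", BACKUP), ("source", SOURCE))
             if name in lower]
    if is_writable(path):
        found.append("writable")
    return found


def scan(root):
    """Walk root and check every directory containing sysconst.dcu."""
    report = {}
    for path, _dirs, files in os.walk(root):
        if UNIT in {f.lower() for f in files}:
            report[path] = check_lib_dir(path, files)
    return report


if __name__ == "__main__":
    # Assumption: the install root to scan is given as the first argument.
    for path, found in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path)
        for code in found:
            print("  -", MESSAGES[code])
```

A sysconst.bak can also be an ordinary backup, so a hit is a reason to compare the .dcu against a known-good copy rather than proof of infection.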

