A new threat targeting Borland Delphi Compilers is fast becoming a global concern, as we have been receiving reports of increased infection incidents. The file infector, detected by Trend Micro as PE_INDUC.A, tampers with Borland Delphi Compilers installed in targeted systems, causing all files compiled using the compromised Delphi compiler to be infected. Borland Delphi Compiler is a tool used to compile several popular enterprise database and desktop applications.
Upon execution, the malware checks if a Borland Delphi Compiler is installed on the system by checking a certain registry entry. Once the existence of the said compiler on the system is confirmed, it modifies the file SysConst.pas, by appending code. Through this routine, it compiles a new copy of the file SysConst.dcu which is detected by Trend Micro as TROJ_INDUC.AA. It then renames the original SysConst.dcu to SysConst.bak and deletes the modified SysConst.pas.
Once done, all files compiled using the affected Delphi compiler are also infected. This puts other users at risk of getting affected by the same malware: if they happen to run a Delphi program that was compiled using a tampered Borland Delphi Compiler, then their own Borland Delphi Compiler will be tampered with as well.
As of this time, there is no known payload for this malware except for infecting the compiled files.
Trend Micro Japan threat analysts have written an entry on this threat here. We will be updating this entry as more information comes in.
Share this article