Specific Delphi virus

A Delphi-specific virus has appeared on the Internet. Its essence is that the infected program looks for the installed Delphi versions on the disk and, if it finds it, modifies the SysConst.dcu file (the old version is saved under the name SysConst.bak), and after that all Delphi programs compiled on this computer start exactly also infect Delphi on the computers where they run. The spread of the virus was facilitated by the fact that some versions of the popular QIP messenger were infected with it (the QIP development team apologizes for this). So far, the only harmful effect detected by the virus is that due to an error in its code when the infected program is launched, a Runtime error 3 occurs if the registry key is HKEY_LOCAL_MACHINE \ SOFTWARE \ Borland \ Delphi \ x. 0 (x - from 4 to 7) contains the incorrect value of the RootDir parameter (no error occurs for the correct value). Apparently, the technology of spreading the virus was simply running in.

Check your Delphi versions and if you find SysConst.bak, do the following:
1. Uninstall SysConst.dcu
2. Copy SysConst.bak to SysConst.dcu. It is important to copy, not rename, so that SysConst.bak also remains on the disk - this will save the system from reinfection.

Some details and discussion:
www.delphikingdom.com/asp/answer.asp?IDAnswer=70912
forum.qip.ru/showthread.php?t=36203
forum.qip.ru/showthread.php?t=35939

UPD: this topic it is not intended to flood QIP with mud, AIMP turned out to be infected, I suspect that many other programs. For those who are too lazy to follow the links - QIP developers rebuilt the assembly.