This virus spreads by infecting the systems running with a Delphi development environment. When the virus is executed it will first check if Delphi (version 4 through 7) is installed on the computer by trying to open the following registry key:
If found, it will get the Delphi installation folder from the same registry key. Next it will copy
and add its malicious code in the implementation section of this copy.
This file will be then compiled, resulting an infected sysconst.dcu (Delphi compiled unit) but not before making a copy of the once clean sysconst.dcu file under sysconst.bak. Then the copy of sysconst.pas will be deleted. As sysconst.dcu is included in each software compiled in Delphi, every program compiled with an infected Delphi will have the virus code embedded. The malware does nothing if Delphi is not installed.