Here's an interesting move recently found being used by some malware targeting Delphi.
The malware first checks to see if the Delphi version is between 4 to 7, then replaces $DELPHI_DIR$\source\rtl\sys\SysConsts.pas and writes malicious code there. After this, SysConsts.pas is deleted.
The malware saves a clean copy of SysConsts.dcu as SysConst.bak and adds a call to its own init function at the entrypoint of the SysConsts.dcu library.
When a program is compiled with an infected version of SysConsts.dcu, it will have something like the malicious code snippet below:
Subsequently, whenever the compiled program is executed, if SysConst.bak is not found the malicious code in the program tries to re-infect Delphi.
In this case, the malware is basically just ensuring that Delphi stays infected. Still, it's another mechanism to spread malware around.
