Alex Goldman Blog
Delphi malware is an unusual threat

It's looking like fewer software packages can escape the notice of virus creators. Earlier this month, a rare AutoCAD virus appeared, targeting users of that specialized application.

Now, reports from F-Secure and Sophos say that Delphi, software that helps developers build Windows applications, is vulnerable to a threat that Sophos calls W32/Induc-A. The virus creates a bad system function and writes code that calls that function into key Delphi system files, according to Sophos and F-Secure.

So far, the threat may be minimal: Antivirus vendors say that the virus doesn't include a malicious payload. But it's capable of spreading quickly, and its method of infecting files indirectly makes the virus more difficult to remove.

"W32/Induc-A is a virus that infects Delphi files at compile time. As such, these files cannot be disinfected and need to be recompiled cleanly," Sophos warned.

"Please be aware -- this virus isn't just a threat if you are a software developer who uses Delphi. It's possible that you are running programs which are written in Delphi on your computers, and they could be affected," wrote Richard Cohen of Sophos Labs in a blog post.

Robert Poston of Sophos Labs recommended in a blog post that anyone using Delphi software should make sure that their antivirus software can detect infections in the key Delphi system files that W32/Induc-A attacks.

For software developers, it could be a real problem, according to Michael St. Neitzel, Sunbelt Software vice president of threat research and technologies.

"It's an open question whether or not the scanners can clean them. If they can't, the original developers are going to be required to get the infection out of their Delphi compilers, recompile the applications and get the clean code back to their customers," he said in a statement.
"Given there could be different versions of the infected applications in circulation, this is going to be a real nightmare for some companies to deal with," St. Neitzel added.

Some downplay the threat

Other antivirus vendors, such as Kaspersky Lab, also detected the virus but said that because it lacks a payload, it's not currently a danger -- yet.

"There is no destructive behavior apart from infection," Kaspersky said in a statement. "It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu [compiled Delphi] files by developers has already led to [W32/Induc-A] becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive."

The provider of Delphi, Embarcadero Technologies, downplayed the present threat.

"Any language could have this attack propagated on them," said Mike Rozlog, senior director of Delphi Solutions for Embarcadero Technologies, in an e-mail to InternetNews.com. "This includes many existing languages today including native compiled, managed code, and also scripting languages."

"So all languages including C++, Java, Delphi, JavaScript, COBOL, C# and many others have this exposure," Rozlog said.

He added that the virus will not spread if developers take basic precautions. "It would be hard to believe that places that provide the ability to download software from their Web site would not have a procedure to check for viruses and malware before making it available. The same needs to be done in the standard corporate world to guard against such an attack -- it takes constant vigilance."

But it's possible that many application developers are not taking basic precautions. A recent report cast doubt on the security of enterprise development environments.
As businesses work to secure personal information, they may be leaving other areas of IT vulnerable.

2 Comments

Whatever this is, my computer has been freezing up frequently, is markedly slower, and disengages from things I am doing in the middle, sometimes deleting what I've done. I do not know if this has anything to do with this virus, but I've received the warning every time I use my computer.
Please advise.

I have been a victim of Delphi malware when it attacked my computer. I myself could not get it. It was my computer expert/technician who told me, after he had scrutinized my system.