TheSwamp
CAD Forums => CAD General => Topic started by: Big G on March 10, 2011, 12:24:51 AM
-
We have 'apparently' been infected by an errant lisp file that seems to keep replicating itself all over the server and is causing users a whole ton of trouble: crashes (more than usual), corrupted profiles, loss of printers... Was wondering if anyone has seen it before...
It re-writes the acad.mnl file and puts it into the directory you just opened the drawing from.
I wouldn't advise trying it, but I'm hoping someone might be able to shed some light on what it's actually trying to do.
[Just as a side thought, not sure if it's a good idea to post the whole file, so if mods want to remove some of it go ahead.]
<edit: CAB - code removed for evaluation>
-
Not sure it is virus code:
Not wrapped in a defun, so it runs when loaded.
Deletes the following files:
"acad.fas"
"lcm.fas"
"acad.lsp"
Then opens "acaddoc.lsp"
and reads the 4th line.
Not sure why, because mine doesn't have a 4th line.
(setq ab (atoi (substr wz 4 1)))
Does the same thing with the "acad.mnl" file.
It compares the numbers extracted from both files,
and if one is larger it reads "acaddoc.lsp" and overwrites "acad.mnl".
Then, if the drive letter in the path is C, D, E or F, it reads "acad.mnl" and overwrites "acaddoc.lsp";
ELSE it deletes "acaddoc.lsp".
-
Cheers CAB, I couldn't figure out what it did, but it seems to keep appearing in the job files, and we can't seem to get rid of it at the minute...
especially when there are fas files in the customisation...
-
I did get this when Windows 7 detected the file:
So there may be more to the story.
We will look closer at the code in the morning.
-
Gordo,
What is the filename of the file,
and where does it reside ?
-
Kerry, it's been the acad.mnl and the acaddoc.lsp files... it seems to create an acaddoc.lsp file in the job folder, which is then read instead of the one on the search paths and in turn overwrites the acad.mnl file... wash, rinse and repeat...
-
Yes, I understand the wash-repeat ..
The process must have been initialised ..
Can you do a search of your system for the TextString
(setq woldacad (strcat dpath
added:
OR
Where was the file that you posted
and what was it named ?
-
Unfortunately this is the price of activeX lisp.
-
Unfortunately this is the price of activeX lisp.
I don't see that it has anything to do with ActiveX as such.
.. care to explain ?
-
http://vil.nai.com/vil/content/v_100887.htm
Characteristics
"ALS/Bursted" is a worm written in the AutoCAD AutoLisp scripting language. It may propagate via removable drives or mapped drives. Also, it is designed to download malicious files from websites controlled by the malware author.
It takes advantage of the automated loading of FAS files in AutoCAD to start itself.
It copies itself into the following locations:
•%Windir%\DivX.fin
•%ProgramFiles%\AutoCAD\Fonts\isohztxt.shx
Once the system is compromised, it looks for folders that contain .dwg files and it spreads simply by placing the malicious file (acad.fas) in a directory with the DWG files.
The following registry key has been added to the system:
•HKEY_CURRENT_USER\SOFTWARE\FileKen\settings
The worm may connect to the following website to download a malicious file from the remote server.
•http://www.cad[removed].com/z/bkd.gif
It allows the attacker to take complete control over the system and performs the backdoor activity by sending the ICMP ping message to the following ip address.
•"update[removed]800.org"
Symptoms -
•Presence of the above mentioned behavior
-
NOTE : This proposed process is suggested without full knowledge of the process and may need to be changed as further information becomes available.
Without having full information :....
Search your system for the file ..\Fonts\isohztxt.shx
Isolate it if found
Search your system for the file ..\DivX.fin
Isolate it if found
Search your system for the files ..\acadapq.vlx, .fas, .lsp
Isolate them if found
Search your system for the file ..\acad.fas, acad.vlx
Isolate it if found
Search your system for the file ..\lcm.fas
Isolate it if found
Check the registry for HKEY_CURRENT_USER\SOFTWARE\FileKen\settings
Perhaps this should be deleted ... I'm not sure.
Search for and back up a GOOD copy of acad.lsp, acaddoc.lsp and acad.mnl
Probably C:\Program Files\Autodesk\ACADM 2011\UserDataCache\Support or similar
Search your system for all instances of acad.lsp, acaddoc.lsp and acad.mnl
If the files are bogus, delete them.
This will be a tedious process because the files may be scattered anywhere you have saved drawings
... and may even be backed up with your daily backups.
Restore good copies of acad.lsp, acaddoc.lsp and acad.mnl to your default location.
Cross your fingers and start AutoCAD.
NOTE : This proposed process is suggested without full knowledge of the process and may need to be changed as further information becomes available.
-
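The sweep described in the post above (search for the dropped files, flag loader files that turned up in job folders, compare against the clean backup, and grep for Kerry's marker string) can be scripted rather than done by hand. The following is an added example, not code from the thread or from Autodesk: the file names come from the posts and the McAfee description, while the directory layout, the "clean" and "bogus" file contents and the temp-dir demo are constructed for illustration. It reports a loader file as suspicious if it contains the marker text, if it sits outside the directories you declare trusted (the job-folder copies the worm creates), or if its hash differs from the known-good backup.

```python
"""Sweep a file tree for AutoCAD start-up loader files that may be the
self-replicating acaddoc.lsp / acad.mnl discussed in the thread.

Added example, not code from the thread.  File names come from the posts
and the McAfee description; the sample tree and file contents are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Loader files AutoCAD picks up automatically; the thread says the worm
# creates, deletes or overwrites these.
AUTOLOAD_NAMES = {
    "acad.lsp", "acaddoc.lsp", "acad.mnl", "acad.fas", "acad.vlx",
    "lcm.fas", "acadapq.lsp", "acadapq.fas", "acadapq.vlx",
}
# Non-loader copies the McAfee write-up says the worm drops.
DROPPED_NAMES = {"divx.fin", "isohztxt.shx"}
# Text fragment Kerry suggested searching for.
MARKERS = (b"(setq woldacad (strcat dpath",)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def known_good_hashes(backup_dir):
    """Hash the clean loader files backed up before the clean-up."""
    backup_dir = Path(backup_dir)
    return {name: sha256_of(backup_dir / name)
            for name in AUTOLOAD_NAMES if (backup_dir / name).is_file()}


def classify(path, trusted_dirs, good):
    """Return a reason string if the file is suspicious, else None."""
    lower = path.name.lower()
    if lower in DROPPED_NAMES:
        return "worm drop file name"
    if lower not in AUTOLOAD_NAMES:
        return None
    if any(m in path.read_bytes() for m in MARKERS):
        return "contains worm marker string"
    if path.resolve().parent not in trusted_dirs:
        # A loader next to the drawings is loaded instead of the support copy.
        return "loader file outside trusted support path"
    if lower in good and sha256_of(path) != good[lower]:
        return "differs from known-good backup"
    return None


def scan(root, trusted_dirs, backup_dir):
    """Walk root and return [(Path, reason)] for every suspicious file."""
    trusted = {Path(d).resolve() for d in trusted_dirs}
    good = known_good_hashes(backup_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            reason = classify(path, trusted, good)
            if reason:
                findings.append((path, reason))
    return findings


CLEAN = b'(prompt "\\nLoaded the real acad loader")\n(princ)\n'
# Constructed stand-in for the posted code: it only shares the marker string.
BOGUS = b'(setq dpath (getvar "DWGPREFIX"))\n(setq woldacad (strcat dpath "acad.mnl"))\n'


def build_sample_tree(base):
    """Constructed layout: clean backups, the support folder, job folders
    with drawings, and one dropped worm copy."""
    base = Path(base)
    files = {
        "backup/acad.mnl": CLEAN,
        "backup/acaddoc.lsp": CLEAN,
        "backup/acad.lsp": CLEAN,
        "support/acad.mnl": CLEAN,                  # intact
        "support/acaddoc.lsp": BOGUS,               # overwritten in place
        "support/acad.lsp": CLEAN + b"(princ)\n",   # altered, no marker
        "jobs/Job123/Plan.dwg": b"AC1024",
        "jobs/Job123/acaddoc.lsp": BOGUS,           # replicated into job folder
        "jobs/Job123/acad.mnl": CLEAN,              # clean content, wrong place
        "jobs/Job456/Site.dwg": b"AC1024",
        "windows/DivX.fin": BOGUS,
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def run_demo():
    """Build the sample tree in a temp dir; return {relative path: reason}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        findings = scan(base, [base / "support", base / "backup"], base / "backup")
        return {p.relative_to(base).as_posix(): r for p, r in findings}


if __name__ == "__main__":
    for rel, reason in sorted(run_demo().items()):
        print(f"{reason:42s} {rel}")
```

Run it against a real server by calling scan() with the project share as root, the support folder(s) you actually load from as trusted_dirs, and the backup of clean copies from the step above; note that a loader file in a job folder is reported even when its content is identical to the clean copy, because its location alone is what makes AutoCAD load it instead of the support one. The marker string is specific to the code posted here, so a variant that does not contain it will only be caught by the location and hash checks.
-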
Afterthought :
Check that the StartUp Suite ONLY contains files you recognise.
:)
I'd add a custom message to (at least) the ACAD.MNL file
Something like :
(prompt "\n Loaded xxxxxxxx.mnl [If this message is missing, PANIC :) ] ")
(princ)
-
Instructions for removing the ACAD.VLX virus (for anyone interested) as recommended by AutoDesk can be found here.
http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=13717811&linkID=9240617
-
Thanks Kyle.
I thought I'd seen something about a variant of this virus ... couldn't recall where :)
-
Unfortunately this is the price of activeX lisp.
I don't see that it has anything to do with ActiveX as such.
.. care to explain ?
It is established fact that ActiveX components pose a huge security risk for folks who allow them to run. In fact, when VLisp was first introduced, there was widespread fear that this would allow for the propagation of virii through the sharing of VLisp code.
While for the most part it hasn't panned out, lisp has definitely become a means by which virii can be transmitted. When you add the additional complexities of having compiled code in vlx and fas files, you can readily see the problem ... or at least I can see it.
Incidentally, before I came across this post, the attachment had already been removed, thus I don't have the code to examine, but from the sounds of it, it was indeed VLX and/or FAS compiled code.
Personally, I'd be interested in obtaining a copy of the file to see exactly what it does and what makes it tick.
-
Keith,
I'll agree that there are risks installing and loading ANY compiled code from unknown sources but I don't agree that ActiveX Lisp code is at fault. ...
-
My point was, that without ActiveX, especially in compiled code, a lisp virus has almost no chance of self-propagation.
-
So, are you advocating the use of ActiveX in VB, VBA, .NET but not in VisualLisp ?
I'm sorry, I don't get your point.
BTW, writing this form of virus without ActiveX is possible.
-
This isn't VB, VBA or .NET - besides, those languages have been widely recognized as potentially harmful - that potential harm becomes apparent in a common text file lisp with the introduction of ActiveX methods.
BTW, writing this form of virus without ActiveX is possible.
Agreed - but you would be hard pressed to write any common type of trojan or virus in lisp without some ActiveX.
... and you can also write a pretty dangerous virus in a batch file too. That doesn't mean I don't advocate using batch files .. I know they can be dangerous so I proceed with caution at every turn ... once upon a time LISP didn't have this concern - the most it could do was damage the startup of AutoCAD ... now we can write entire binaries and execute them on the fly.
-
BUT, since we use the LT version of AutoCAD and it doesn't use Lisps, is it safe to assume we can't be affected by this?
craigr
-
Old discussion, i know. I can't find any recent messages or post about security issues. My question is : How can a user be sure a .vlx is free from malware? Are there any methods or virus scan?
-
Knowing the source is usually your best protection. Unless you want to install a sandbox and test it out.