Author Topic: CAD Virus?  (Read 5608 times)


Big G

  • Bull Frog
  • Posts: 415
CAD Virus?
« on: March 10, 2011, 12:24:51 am »
We have 'apparently' been infected by an errant lisp file that seems to keep replicating itself all over the server and is causing users to have a whole tonne of trouble, crashes (more than usual), corrupted profiles, loss of printers.....was wondering if anyone has seen it before....

It re-writes the acad.mnl file and puts it into the directory where you just opened the drawing from.

wouldn't advise trying it..but hoping someone might be able to shed some light on what it's actually trying to do?

[Just as a side thought, not sure if its a good idea to post the whole file - so if mods want to remove some of it go ahead]

<edit: CAB - code removed for evaluation>
« Last Edit: March 10, 2011, 12:39:08 am by CAB »
I thought i seen the light at the end of the tunnel. But it was just someone with a torch bringing me more work.
"You have to accept that somedays youre the pigeon and  somedays youre the statue"

CAB

  • Global Moderator
  • Seagull
  • Posts: 10198
Re: CAD Virus?
« Reply #1 on: March 10, 2011, 01:06:31 am »
Not sure it is a VIRUS code:

Not wrapped in a defun so it runs when loaded.

Deletes the following files:
"acad.fas"
"lcm.fas"
"acad.lsp"

Then opens "acaddoc.lsp"
reads the 4th line
Not sure why because mine doesn't have a 4th line
(setq ab (atoi (substr wz 4 1)))
Does the same thing with the "acad.mnl" file

It compares the numbers extracted from both files
and if one is larger it then reads "acaddoc.lsp" & overwrites to "acad.mnl"

Then if the drive letter in the path is C, D, E, or F it reads "acad.mnl" & overwrites to "acaddoc.lsp"
  ELSE it deletes "acaddoc.lsp"
I've reached the age where the happy hour is a nap. (°¿°)
Windows 10 core i7 4790k 4Ghz 32GB GTX 970
Please support this web site.

Big G

  • Bull Frog
  • Posts: 415
Re: CAD Virus?
« Reply #2 on: March 10, 2011, 01:15:34 am »
Cheers CAB, I couldn't figure out what it did, but it seems to keep appearing in the job files, and we can't seem to get rid of it at the minute....
especially when there are fas files in the customisation......

CAB

  • Global Moderator
  • Seagull
  • Posts: 10198
Re: CAD Virus?
« Reply #3 on: March 10, 2011, 01:20:58 am »
I did get this when Windows 7 detected the file:
So there may be more to the story.
We will look closer at the code in the morning.


Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #4 on: March 10, 2011, 01:24:08 am »
Gordo,
What is the filename of the file,
and where does it reside ?

Perfection is not optional.
Everything will work just as you expect it to, unless your expectations are incorrect.
Discipline: None at all.

--> Donate to theSwamp<--

Big G

  • Bull Frog
  • Posts: 415
Re: CAD Virus?
« Reply #5 on: March 10, 2011, 01:51:35 am »
Kerry, it's been the acad.mnl and the acaddoc.lsp files...it seems to create an acaddoc.lsp file in the job folder, which then in turn is being read instead of the search paths and then overwrites the acad.mnl file......wash rinse and repeat......


Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #6 on: March 10, 2011, 02:00:10 am »
Yes, I understand the wash-repeat ..

The process must have been initialised ..

Can you do a search of your system  for the TextString
(setq woldacad (strcat dpath

added:
OR
Where was the file that you posted
 and what was it named ?

« Last Edit: March 10, 2011, 02:07:56 am by Kerry »

Keith™

  • Villiage Idiot
  • Seagull
  • Posts: 16614
  • Superior Stupidity at its best
Re: CAD Virus?
« Reply #7 on: March 10, 2011, 02:10:02 am »
Unfortunately this is the price of activeX lisp.
Proud provider of opinion and arrogance since November 22, 2003 at 09:35:31 am
CadJockey Militia Field Marshal

Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #8 on: March 10, 2011, 02:15:12 am »
Unfortunately this is the price of activeX lisp.

I don't see that it has anything to do with ActiveX as such.
.. care to explain ?

Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #9 on: March 10, 2011, 02:36:58 am »

http://vil.nai.com/vil/content/v_100887.htm

Quote

Characteristics

"ALS/Bursted" is a worm written in the AutoCAD AutoLisp scripting language. It may propagate via removable drives or mapped drives. Also, it is designed to download malicious files from websites controlled by the malware author.

It takes advantage of the automated loading of FAS files in AutoCAD to start itself.

It copies itself into the following locations:
 •%Windir%\DivX.fin
 •%ProgramFiles%\AutoCAD\Fonts\isohztxt.shx

Once the system is compromised, it looks for folders that contain .dwg files and it spreads simply by placing the malicious file (acad.fas) in a directory with the DWG files.

The following registry key has been added to the system:
 •HKEY_CURRENT_USER\SOFTWARE\FileKen\settings

The worm may connect to the following website to download a malicious file from the remote server.
 •http://www.cad[removed].com/z/bkd.gif

It allows the attacker to take complete control over the system and performs the backdoor activity by sending the ICMP ping message to the following IP address.
 •"update[removed]800.org"

Symptoms -
 •Presence of the above mentioned behavior


Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #10 on: March 10, 2011, 04:31:22 am »
NOTE : This proposed process is suggested without full knowledge of the process and may need to be changed as further information becomes available.
Without having full information :....

Search your system for the file  ..\Fonts\isohztxt.shx
  Isolate it if found
 
Search your system for the file ..\DivX.fin
  Isolate it if found

Search your system for the files ..\acadapq.VLX, .FAS, .LSP
  Isolate them if found

Search your system for the file ..\acad.fas, acad.vlx
  Isolate it if found
 
Search your system for the file ..\lcm.fas
  Isolate it if found
 
Check the registry for HKEY_CURRENT_USER\SOFTWARE\FileKen\settings
  Perhaps this should be deleted ... I'm not sure.
 
 
Search for and back up a GOOD copy of acad.lsp, acaddoc.lsp and acad.mnl
 Probably C:\Program Files\Autodesk\ACADM 2011\UserDataCache\Support or similar
 
Search your system for all instances of  acad.lsp, acaddoc.lsp and acad.mnl
    If the files are bogus, delete them.
  This will be a tedious process because the files may be scattered anywhere you have saved drawings
  ... and may even be backed up with your daily backups.

Restore good copies of acad.lsp, acaddoc.lsp and acad.mnl to your default location.

Cross your fingers and start AutoCAD.

NOTE : This proposed process is suggested without full knowledge of the process and may need to be changed as further information becomes available.
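
Kerry's checklist in reply #10, together with the text-string search suggested in reply #6, amounts to a scan-and-isolate procedure: walk every folder drawings were saved in, flag the dropper file names, flag any acad.lsp / acaddoc.lsp / acad.mnl that is not the trusted support copy, and move hits aside rather than deleting them. The Python script below is an added example of that procedure; it is not code from the thread, from Autodesk or from McAfee. It assumes a single trusted support folder as the known-good baseline, takes the file names, registry key and marker text from the posts above, and builds a constructed sample tree in a temporary directory so it runs offline; the sample file contents are placeholders, not real worm or FAS data.

```python
"""Scan a drive for the AutoLISP worm artifacts described in the thread and
quarantine them (added example; file names and marker text come from the
posts, sample contents are constructed placeholders)."""
import hashlib
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Dropper names from the McAfee write-up and Kerry's checklist (lower-cased).
WORM_FILENAMES = {"acad.fas", "acad.vlx", "lcm.fas", "isohztxt.shx", "divx.fin"}
WORM_STEMS = {"acadapq"}                # acadapq.vlx / .fas / .lsp
STARTUP_FILES = {"acad.lsp", "acaddoc.lsp", "acad.mnl"}
# Text string Kerry suggested searching for (reply #6); matched as bytes.
MARKER = b"(setq woldacad (strcat dpath"
REGISTRY_KEY = r"SOFTWARE\FileKen\settings"   # under HKEY_CURRENT_USER


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def trusted_hashes(support_dir: Path) -> dict:
    """Hashes of the known-good startup files kept in the support folder."""
    return {n: sha256_of(support_dir / n) for n in STARTUP_FILES
            if (support_dir / n).is_file()}


def scan_tree(root: Path, support_dir: Path) -> list:
    """Return (path, reason) pairs for every suspicious file under root."""
    good = trusted_hashes(support_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            name = fname.lower()
            if name in WORM_FILENAMES or path.stem.lower() in WORM_STEMS:
                findings.append((path, "known worm file name"))
                continue
            if path.suffix.lower() not in (".lsp", ".mnl"):
                continue
            if MARKER in path.read_bytes():       # even the support copy is checked
                findings.append((path, "contains worm marker text"))
                continue
            if name not in STARTUP_FILES or path.parent.resolve() == support_dir.resolve():
                continue                          # ordinary lisp, or the baseline itself
            if name in good and sha256_of(path) != good[name]:
                findings.append((path, "differs from trusted copy"))
            elif name not in good:
                findings.append((path, "startup file outside support folder"))
    return findings


def quarantine(findings: list, qdir: Path) -> list:
    """Move flagged files into qdir, mirroring their original path, and log
    them in a manifest so nothing is destroyed before it can be inspected."""
    moved = []
    for path, reason in findings:
        src = path.resolve()
        dest = qdir / src.relative_to(src.anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        moved.append((src, dest, reason))
    with open(qdir / "manifest.txt", "a", encoding="utf-8") as fh:
        for src, dest, reason in moved:
            fh.write(f"{reason}\t{src}\t{dest}\n")
    return moved


def registry_key_present():
    """Kerry's registry check; only meaningful on Windows (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_KEY):
            return True
    except OSError:
        return False


def build_demo_tree(base: Path) -> tuple:
    """Constructed layout: trusted Support folder, one clean job folder and
    one job folder carrying a dropper plus replaced startup files."""
    support = base / "Support"
    support.mkdir()
    (support / "acad.mnl").write_text('(prompt "\\nLoaded good acad.mnl")(princ)\n')
    (support / "acaddoc.lsp").write_text(";; trusted per-drawing startup\n(princ)\n")
    for job in ("1001", "1002"):
        (base / "Jobs" / job).mkdir(parents=True)
        (base / "Jobs" / job / "plan.dwg").write_bytes(b"constructed placeholder")
    bad = base / "Jobs" / "1002"
    (bad / "acad.fas").write_bytes(b"constructed placeholder, not a real FAS")
    (bad / "acaddoc.lsp").write_text(";; constructed stand-in for the dropped file\n"
                                     '(setq woldacad (strcat dpath "..."))\n')
    (bad / "acad.mnl").write_text("(princ)\n")   # no marker, but not the trusted copy
    return support, base / "Jobs"


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and quarantine hits."""
    base = Path(tempfile.mkdtemp(prefix="cadworm_demo_"))
    support, jobs = build_demo_tree(base)
    findings = scan_tree(base, support)
    moved = quarantine(findings, base / "Quarantine")
    return {"reasons": sorted(r for _, r in findings), "moved": len(moved),
            "still_in_jobs": sorted(p.name for p in jobs.rglob("*") if p.is_file()),
            "registry": registry_key_present(), "base": str(base)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real network share you would call scan_tree on each mapped drive root and quarantine into a folder the users cannot reach; the manifest gives you the list of job folders to re-check after restoring the good copies, and backups made while the infection was active should be scanned the same way before anything is restored from them.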

Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #11 on: March 10, 2011, 04:45:27 am »

Afterthought :
Check that the StartUp Suite ONLY contains files you recognise.

:)


I'd add a custom message to (at least) the ACAD.MNL file
Something like :
(prompt "\n Loaded xxxxxxxx.mnl [If this message is missing, PANIC :) ] ")
(princ)

Kyle Reese

  • Newt
  • Posts: 70
Re: CAD Virus?
« Reply #12 on: March 10, 2011, 06:02:36 am »
Instructions for removing the ACAD.VLX virus (for anyone interested) as recommended by Autodesk can be found here.

http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=13717811&linkID=9240617
AutoCAD 2007 & 2009

Kerry

  • Mesozoic relic
  • Seagull
  • Posts: 11653
  • class keyThumper<T>:ILazy<T>
Re: CAD Virus?
« Reply #13 on: March 10, 2011, 06:08:38 am »
Thanks Kyle.

I thought I'd seen something about a variant of this virus ... couldn't recall where :)

Keith™

  • Villiage Idiot
  • Seagull
  • Posts: 16614
  • Superior Stupidity at its best
Re: CAD Virus?
« Reply #14 on: March 10, 2011, 11:36:39 am »
Unfortunately this is the price of activeX lisp.

I don't see that it has anything to do with ActiveX as such.
.. care to explain ?

It is established fact that activeX components pose a huge security risk for folks who allow it to run. In fact, when VLisp was first introduced, there was widespread fear that this would allow for the propagation of virii through the sharing of VLisp code.

While for the most part it hasn't panned out, lisp has definitely become a means by which virii can be transmitted. When you add the additional complexities of having compiled code in vlx and fas files, you can readily see the problem ... or at least I can see it.

Incidentally, before I came across this post, the attachment had already been removed, thus I don't have the code to examine, but from the sounds of it, it was indeed VLX and/or FAS compiled code.

Personally, I'd be interested in obtaining a copy of the file to see exactly what it does and what makes it tick.