ALS.PasDoc-Inf.A
The virus ALS.PasDoc-Inf.A spreads via AutoCAD .DWG files that have a file called acaddoc.lsp in the same folder.
When a .DWG file is opened, AutoCAD runs the script inside the file acaddoc.lsp.
The viral script code of ALS.PasDoc-Inf.A infects all AutoCAD .MNL and .LSP files, e.g. acad.mnl.
The virus gets the path of the file "acad.mnl" and infects all the .mnl files in that path by appending the viral script code to them.
Furthermore, all .lsp files inside the subfolder "support" are infected by ALS.PasDoc-Inf.A.
In this way, when a .DWG file is opened, AutoCAD loads the "acad.mnl" file and runs the viral code it contains, which creates the "acaddoc.lsp" file in the same folder as the AutoCAD DWG project and tries to re-infect all AutoCAD .mnl and .lsp files.
ALS.PasDoc-Inf.A spreads from user to user when the whole AutoCAD project folder, with the file acaddoc.lsp inside it, is copied rather than only the single .DWG file.
ALS.Bursted.G
The virus ALS.Bursted.G spreads via AutoCAD .DWG files that have a file called acad.lsp in the same folder.
When a .DWG file is opened, AutoCAD runs the script inside the file acad.lsp.
The viral script code gets the path of the file "base.dcl" and copies the file "acad.lsp" into that folder with the name "acadappp.lsp".
At this point the virus opens the "acadapp.lsp" file and checks whether it contains the text ";;;". If the file does not contain this text, or the file does not exist, the virus creates it and writes ";;;".
It then opens the "acad.mnl" file and appends:
(load "acadappp.lsp")
(princ)
In this way, when a .DWG file is opened, AutoCAD loads the "acad.mnl" file, which runs the "acadappp.lsp" file.
The script inside the "acadappp.lsp" file copies itself with the name "acad.lsp" into the folder of the opened .DWG project.
Finally, it runs the Lisp command "startapp" to run the file:
\\FS1\SYS-\WORK\PLOTER\LFCPRXY1.EDD
ALS.Bursted.G spreads from user to user when the whole AutoCAD project folder, with the file acad.lsp inside it, is copied rather than only the single .DWG file.
Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center) by TG Soft
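The traces described in both analyses above can be checked for with a small folder scan. This is an added example, not code from TG Soft or from the analysis. The function names, the reason strings and the sample tree are constructed, and because acad.lsp, acaddoc.lsp and startapp also have legitimate uses in AutoCAD, every hit is a candidate for manual review.

```python
import os, re, tempfile

# Indicators taken from the descriptions above; matching is case-insensitive
# because Windows file names are.
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp"}   # auto-run scripts beside a drawing
DROPPED_NAMES = {"acadappp.lsp"}               # copy made by ALS.Bursted.G
LOAD_RE = re.compile(r'\(\s*load\s+"acadappp(\.lsp)?"\s*\)', re.I)
STARTAPP_RE = re.compile(r'\(\s*startapp\b', re.I)

def scan(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        has_dwg = any(n.endswith(".dwg") for n in lower)
        for low, name in lower.items():
            rel = os.path.relpath(os.path.join(folder, name), root)
            if has_dwg and low in AUTOLOAD_NAMES:
                findings.append((rel, "autoload script beside a .dwg"))
            if low in DROPPED_NAMES:
                findings.append((rel, "file name used by ALS.Bursted.G"))
            if low.endswith((".lsp", ".mnl")):
                with open(os.path.join(folder, name), errors="replace") as fh:
                    text = fh.read()
                if LOAD_RE.search(text):
                    findings.append((rel, "loads acadappp.lsp"))
                if STARTAPP_RE.search(text):
                    findings.append((rel, "calls startapp"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (harmless placeholders) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        tree = {
            "project/plan.dwg": "",
            "project/acad.lsp": "; constructed placeholder\n",
            "clean/plan.dwg": "",
            "support/acad.mnl": '; menu code\n(load "acadappp.lsp")\n(princ)\n',
            "support/acadappp.lsp": '(startapp "placeholder.exe")\n',
            "support/tools.lsp": "(defun c:hello () (princ))\n",
        }
        for rel, body in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `scan()` at a project share and at the AutoCAD support folder; a drawing folder with no autoload script and a menu file without the appended load line produce no findings.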