24/10/2014
16:26

New variants of AutoCAD viruses: ALS.PasDoc-Inf.A and ALS.Bursted.G


The CRAM (Anti-Malware Research Center of TG Soft) team has found a double infection by viral code targeting AutoCAD.

ALS.PasDoc-Inf.A

The ALS.PasDoc-Inf.A virus spreads via AutoCAD .DWG files that have a file called acaddoc.lsp in the same folder.

When a .DWG file is opened, AutoCAD runs the script inside the acaddoc.lsp file.

The viral script of ALS.PasDoc-Inf.A infects all AutoCAD .MNL and .LSP files, e.g. acad.mnl.

The virus gets the path of the "acad.mnl" file and infects all the .mnl files in that path by appending the viral script code.
Furthermore, all .lsp files inside the "support" subfolder are infected by ALS.PasDoc-Inf.A.

In this way, when a .DWG file is opened, AutoCAD loads the "acad.mnl" file and runs the viral code it contains, which creates the "acaddoc.lsp" file in the same folder as the AutoCAD DWG project and tries to re-infect all AutoCAD .mnl and .lsp files.

ALS.PasDoc-Inf.A spreads from user to user when the whole AutoCAD project folder, including the acaddoc.lsp file, is copied rather than just the single .DWG file.


ALS.Bursted.G

The ALS.Bursted.G virus spreads via AutoCAD .DWG files that have a file called acad.lsp in the same folder.
When a .DWG file is opened, AutoCAD runs the script inside the acad.lsp file.

The viral script gets the path of the "base.dcl" file and copies the "acad.lsp" file into that folder with the name "acadappp.lsp".

At this point the virus opens the "acadapp.lsp" file and checks whether it contains the text ";;;";
if it does not contain this text, or the file does not exist, the virus creates it and writes ";;;".

It then opens the "acad.mnl" file and appends:
(load "acadappp.lsp")
(princ)


In this way, when a .DWG file is opened, AutoCAD loads the "acad.mnl" file, which runs the "acadappp.lsp" file.
The script inside the "acadappp.lsp" file copies itself, with the name "acad.lsp", into the folder of the .DWG project that was opened.

Finally, it runs the Lisp "startapp" command to run the file:
\\FS1\SYS-\WORK\PLOTER\LFCPRXY1.EDD

ALS.Bursted.G spreads from user to user when the whole AutoCAD project folder, including the acad.lsp file, is copied
rather than just the single .DWG file.
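
A triage scan built from the file names described above, as an added example that is not part of the original TG Soft analysis. It flags acaddoc.lsp or acad.lsp sitting beside a .DWG, any acadappp.lsp, and .mnl files containing the appended load line. Legitimate acad.lsp and acaddoc.lsp customisations exist, so findings are candidates for manual review; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

STARTUP_SCRIPTS = {"acaddoc.lsp", "acad.lsp"}  # names from the analysis above
DROPPED = "acadappp.lsp"  # copy ALS.Bursted.G places beside base.dcl
LOAD_RE = re.compile(r'\(\s*load\s+"acadappp(\.lsp)?"\s*\)', re.IGNORECASE)


def scan_tree(root):
    """Return sorted (path, reason) findings for manual review under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        has_dwg = any(key.endswith(".dwg") for key in lower)
        for key, name in lower.items():
            path = os.path.join(folder, name)
            if key in STARTUP_SCRIPTS and has_dwg:
                findings.append((path, "startup script beside .dwg"))
            elif key == DROPPED:
                findings.append((path, "file name used by ALS.Bursted.G"))
            elif key.endswith(".mnl"):
                if LOAD_RE.search(Path(path).read_text(errors="replace")):
                    findings.append((path, "loads acadappp.lsp"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "proj_a/plan.dwg": "",
            "proj_a/acaddoc.lsp": "; placeholder\n",
            "support/acad.mnl": '; menu\n(load "acadappp.lsp")\n(princ)\n',
            "support/acadappp.lsp": "; placeholder\n",
            "support/clean.mnl": "; menu\n(princ)\n",
        }
        for rel, text in layout.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return [(Path(p).relative_to(root).as_posix(), why)
                for p, why in scan_tree(root)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

The code that ALS.PasDoc-Inf.A appends to .mnl and .lsp files is not reproduced in the analysis, so this scan checks only file placement for that variant.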


Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft


