dwgrun Virus using acad.fas
steven.88041
2008-04-02, 07:09 PM
There is another AutoCAD virus out there similar to the bursted virus. We just found it so I don't have all the details yet. The only information I could find on the net so far is all in Chinese. I had someone translate the following page for me that seemed especially descriptive of what we have experienced:
http://www.newzj.com/newzj/discuss/message.asp?MessageID=108027
Google or Babelfish can translate it somewhat.
It looks like it creates files in your AutoCAD search paths like acad.fas and acad.sys (they will have their hidden attribute set) and also creates a file called dwgrun.bat or dwgrun.exe and puts an entry to it in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Other than propagating itself everywhere like bursted does, it also undefines the explode command and possibly the block, insert, and ddedit commands.
Does anyone have any more information about this?
michael.12445
2008-04-03, 08:30 PM
I haven't experienced this myself (yet), but in the past I have commented here on AUGI about the troubling potential for this sort of thing made available to hackers through AutoCAD's ARX mechanism, which is a means for AutoCAD to run anybody's C++ code, as long as they can get their hands on the right development tools. I would guess, if those tools don't restrict it somehow, that such code could even include inline assembly code, as allowed by standard C++. The 2000-series releases also support VBA, providing an even easier path for MS-Word macro-style malware, although I think AutoCAD does put up a warning dialog when opening a file with VBA macros.
Under Windows 2000, AutoCAD also must be invoked by a "Super-User" (one level below Administrator) in order to run at all, though I'm not sure how this works under XP or Vista. This may or may not be relevant to hackers, who have been pretty good at circumventing whatever security Windows tries to provide.
Maybe Autodesk shouldn't have summarily ignored the many, many, suggestions/requests over the years to port their flagship product to Linux...
Michael Evans
Togawa Smith Martin Residential, Inc.
aaronrumple
2008-04-03, 10:23 PM
Even a simple DWG posted on the internet can contain code that can wreak havoc on a system. All one would need to do would be to innocently drag/drop it in using the tool palette. I also am surprised we haven't seen more malicious code directed at Autodesk's products.
If you can get to the Autocad command line, you pretty much have full control over a computer.
steven.88041
2008-04-04, 07:21 PM
Here is an update on what we have found out so far:
We probably got the virus sent to us from a consultant (perhaps from China) who was sending us a folder full of dwg files for a project we are working on. Inside that folder was a file called acad.fas with its hidden attribute set (which the virus sets) so no one noticed it. Someone in our office probably double clicked on a dwg file in that folder to open it (which, if they had opened AutoCAD first to Drawing1, the virus would not have been executed; see ACADLSPASDOC). AutoCAD then saw that there was an acad.fas file with the drawing as AutoCAD started so it ran it.
I don't know what is in that file exactly (unless someone knows how to decompile it), but some of the results of it running are:
- it will copy itself to folders in your AutoCAD search paths (which could be local or network drives)
- it also creates an acad.sys file in your search path locations
- it copies itself and the acad.sys file to your Windows folder (C:\Windows) and renames itself to winfas.ini and renames acad.sys to winsys.ini.
- it will create a file called dwgrun.bat in your Windows system folder (C:\Windows\System32 or C:\Windows\SysWOW64). This file has instructions to copy winfas.ini and winsys.ini to one of your search path locations and rename them to acad.fas and acad.sys respectively with the hidden attribute set.
- it creates a registry entry called dwgrun that calls the dwgrun.bat file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- it also undefines some commands like explode and perhaps block, insert, and ddedit (which are commands referred to in acad.sys though there is no code in acad.sys)
Like the ALS.BURSTED virus, it is taking advantage of AutoCAD's automatic loading and running of the acad.lsp file. Although not documented anywhere I can find, AutoCAD will treat acad.fas and acad.vlx the same as acad.lsp.
We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Why that file? See:
http://usa.autodesk.com/adsk/servlet/ps/item?siteID=123112&id=2875421&linkID=9240617
The acad200x.lsp file will run before acad.lsp, acad.fas, and acad.vlx so we put code there to delete these files from any path AutoCAD can see upon startup so that they never have a chance to run. This also means we do not use acad.lsp for ourselves and have ACADLSPASDOC set to 0.
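One way to write the acad200x.lsp startup file described above, as an added example (this is not the poster's actual file and not Autodesk code). It relies on two facts from the thread: acad2008.lsp loads before acad.vlx/acad.fas/acad.lsp, and findfile searches the same library path AutoCAD auto-loads from (current folder, the opened drawing's folder, the support file search paths). The file name assumes AutoCAD 2008; rename it to match your release. The function names, the variable *rogue-autoloaders*, and the assumption that the Visual LISP extensions are available via (vl-load-com) are mine, not the page's.

```lisp
;; acad2008.lsp -- added example, not the poster's file.
;; Runs before acad.vlx/acad.fas/acad.lsp in the load order, so rogue
;; auto-loaders are deleted before AutoCAD reaches them.
(vl-load-com)

;; File names the thread reports the dwgrun infection dropping into
;; support paths. acad.lsp is included because the poster does not use it;
;; remove it from this list if your office relies on a legitimate acad.lsp.
(setq *rogue-autoloaders* '("acad.fas" "acad.vlx" "acad.lsp" "acad.sys"))

;; Delete every copy of NAME that findfile can reach. Each deletion makes
;; the next findfile call return the next match further down the path.
;; Stops at the first failed delete so a locked file cannot cause a loop.
;; Returns the number of copies removed.
(defun purge-rogue-file (name / path count)
  (setq count 0)
  (while (and (setq path (findfile name))
              (vl-file-delete path))
    (setq count (1+ count))
    (princ (strcat "\nRemoved rogue auto-loader: " path)))
  (if (and path (findfile name))
    (princ (strcat "\n*** Could not delete: " path
                   " (check attributes/permissions)")))
  count)

;; Remove the persistence pieces reported in the thread: dwgrun.bat in the
;; system folder, the winfas.ini/winsys.ini copies under %windir%, and the
;; dwgrun value under HKLM\...\Run. Writing to HKLM needs rights a normal
;; user session may not have, so the outcome is reported either way.
(defun purge-dwgrun-persistence (/ windir full key)
  (setq windir (getenv "windir"))
  (foreach sub '("\\System32\\dwgrun.bat" "\\SysWOW64\\dwgrun.bat"
                 "\\winfas.ini" "\\winsys.ini")
    (setq full (strcat windir sub))
    (if (findfile full)
      (princ (strcat (if (vl-file-delete full)
                       "\nRemoved "
                       "\n*** Could not delete ")
                     full))))
  (setq key "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
  (if (vl-registry-read key "dwgrun")
    (princ (strcat (if (vl-registry-delete key "dwgrun")
                     "\nRemoved "
                     "\n*** Could not remove ")
                   "Run value dwgrun")))
  (princ))

;; Clean up, then keep acad.lsp from being re-evaluated for every drawing
;; opened later in the session (the setting the poster describes using).
(foreach name *rogue-autoloaders* (purge-rogue-file name))
(purge-dwgrun-persistence)
(setvar "ACADLSPASDOC" 0)
(princ)
```

Drop the file into a support file search path that AutoCAD reads before any shared drive, so it is found even when a project folder carrying a rogue acad.fas is what launched AutoCAD. Commands that an infection has already undefined in the current profile (the thread names explode, block, insert and ddedit) are restored with AutoCAD's own REDEFINE command; that step is left out of the startup file because it must run in a drawing context.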
steven.88041
2008-04-07, 06:24 PM
Here is some information about AutoCAD's file load order that could be helpful in dealing with viruses of this nature:
Using Microsoft's FileMon, here is the load order of support files when AutoCAD starts up with the top being the first thing that runs/loads:
ACAD.EXE
acad
acad.cui
acad.mnr
custom.cui
custom.mnr
custom.dll
custom.mnl
acimpression.cui
acimpression.mnr
acimpression.dll
acimpression.mnl
acetmain.cui
acetmain.mnr
acetmain.dll
acetmain.mnl
acad.pgp
acad.dwt
acad.fmp
simplex.shx
txt.shx
acad2008.VLX
acad2008.FAS
acad2008.LSP
acad.VLX
acad.FAS
acad.LSP
acad2008doc.VLX
acad2008doc.FAS
acad2008doc.LSP
acaddoc.VLX
acaddoc.FAS
acaddoc.LSP
acad.mnl
acettest.fas
Appload.arx (and all arx files found in appload)
AecArchBase.dbx (and all AEC dbx files)
AcInfoCenterConn.DLL
AcWipeoutObj17.dbx
WSCommCntrAcCon.arx
acad.rx
acad.dbx
acetloc.VLX
acetloc.FAS
acetloc.LSP
scriptproinit.VLX
scriptproinit.FAS
scriptproinit.LSP
acetutil.fas
acetauto
acetauto.lsp
acetauto.VLX
acetauto.FAS
acetdockc.arx
acad.mnl.FAS
acetmain.mnl.FAS
ACAD.EXE
drafting.33933
2008-04-19, 06:26 PM
I also am surprised we haven't seen more malicious code directed at Autodesk's products.
I was too. It was explained to me that the people who create and distribute viruses are gearing towards a group of millions with hopes that their code will affect thousands of non-suspecting people. Autodesk has only so many customers AND the program itself isn't integrated into Windows/Mac products as well as MS Office.
m.augi
2009-09-11, 04:42 PM
We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Why that file? See:
would you mind sharing this file?
thanks
RobertB
2009-09-14, 07:21 PM
would you mind sharing this file?
thanks
... We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Why that file? See:
http://usa.autodesk.com/adsk/servlet/ps/item?siteID=123112&id=2875421&linkID=9240617
I think you will get better info from this blog post (http://autodesk.blogs.com/between_the_lines/2009/08/malicious-code-alert-acadvlx-and-solution.html).
m.augi
2009-09-14, 08:58 PM
thank you!!