
Thread: dwgrun Virus using acad.fas

  1. #1
    Member steven.88041's Avatar
    Join Date
    2005-05
    Posts
    32

    dwgrun Virus using acad.fas

    There is another AutoCAD virus out there similar to the bursted virus. We just found it so I don't have all the details yet. The only information I could find on the net so far is all in Chinese. I had someone translate the following page for me that seemed especially descriptive of what we have experienced:

    http://www.newzj.com/newzj/discuss/m...ssageID=108027

    Google or Babelfish can translate it somewhat.

    It looks like it creates files in your AutoCAD search paths like acad.fas and acad.sys (they will have their hidden attribute set) and also creates a file called dwgrun.bat or dwgrun.exe and puts an entry to it in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Other than propagating itself everywhere like bursted does, it also undefines the explode command and possibly the block, insert, and ddedit commands.

    Does anyone have any more information about this?

  2. #2
    I could stop if I wanted to michael.12445's Avatar
    Join Date
    2001-03
    Posts
    350

    Re: dwgrun Virus using acad.fas

    I haven't experienced this myself (yet), but in the past I have commented here on AUGI about the troubling potential for this sort of thing made available to hackers through AutoCAD's ARX mechanism, which is a means for AutoCAD to run anybody's C++ code, as long as they can get their hands on the right development tools. I would guess, if those tools don't restrict it somehow, that such code could even include inline assembly code, as allowed by standard C++. The 2000-series releases also support VBA, providing an even easier path for MS-Word macro-style malware, although I think AutoCAD does put up a warning dialog when opening a file with VBA macros.

    Under Windows 2000, AutoCAD also must be invoked by a "Super-User" (one level below Administrator) in order to run at all, though I'm not sure how this works under XP or Vista. This may or may not be relevant to hackers, who have been pretty good at circumventing whatever security Windows tries to provide.

    Maybe Autodesk shouldn't have summarily ignored the many, many, suggestions/requests over the years to port their flagship product to Linux...

    Michael Evans
    Togawa Smith Martin Residential, Inc.

  3. #3
    Revit Mararishi aaronrumple's Avatar
    Join Date
    2002-02
    Location
    St. Louis, MO
    Posts
    4,695

    Re: dwgrun Virus using acad.fas

    Even a simple DWG posted on the internet can contain code that can wreak havoc on a system. All one would need to do would be to innocently drag/drop it in using the tool palette. I also am surprised we haven't seen more malicious code directed at Autodesk's products.

    If you can get to the Autocad command line, you pretty much have full control over a computer.
    Don't drink the Kool-Aid...
    Aaron Rumple, AIA

  4. #4
    Member steven.88041's Avatar
    Join Date
    2005-05
    Posts
    32

    Re: dwgrun Virus using acad.fas

    Here is an update on what we have found out so far:

    We probably got the virus sent to us from a consultant (perhaps from China) who was sending us a folder full of dwg files for a project we are working on. Inside that folder was a file called acad.fas with its hidden attribute set (which the virus sets) so no one noticed it. Someone in our office probably double clicked on a dwg file in that folder to open it (which, if they had opened AutoCAD first to Drawing1, then the virus would not have been executed, see ACADLSPASDOC). AutoCAD then saw that there was an acad.fas file with the drawing as AutoCAD started, so it ran it.

    I don't know what is in that file exactly (unless someone knows how to decompile it), but some of the results of it running are:

    - it will copy itself to folders in your AutoCAD search paths (which could be local or network drives)
    - it also creates an acad.sys file in your search path locations
    - it copies itself and the acad.sys file to your Windows folder (C:\Windows) and renames itself to winfas.ini and renames acad.sys to winsys.ini.
    - it will create a file called dwgrun.bat in your Windows system folder (C:\Windows\System32 or C:\Windows\SysWOW64). This file has instructions to copy winfas.ini and winsys.ini to one of your search path locations and rename them to acad.fas and acad.sys respectively with the hidden attribute set.
    - it creates a registry entry called dwgrun that calls the dwgrun.bat file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    - it also undefines some commands like explode and perhaps block, insert, and ddedit (which are commands referred to in acad.sys though there is no code in acad.sys)

    Like the ALS.BURSTED virus, it is taking advantage of AutoCAD's automatic loading and running of the acad.lsp file. Although not documented anywhere I can find, AutoCAD will treat acad.fas and acad.vlx the same as acad.lsp.

    We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Why that file? See:

    http://usa.autodesk.com/adsk/servlet...linkID=9240617

    The acad200x.lsp file will run before acad.lsp, acad.fas, and acad.vlx so we put code there to delete these files from any path AutoCAD can see upon startup so that they never have a chance to run. This also means we do not use acad.lsp for ourselves and have ACADLSPASDOC set to 0.

  5. #5
    Member steven.88041's Avatar
    Join Date
    2005-05
    Posts
    32

    Re: dwgrun Virus using acad.fas

    Here is some information about AutoCAD's file load order that could be helpful in dealing with viruses of this nature:

    Using Microsoft's FileMon, here is the load order of support files when AutoCAD starts up with the top being the first thing that runs/loads:

    ACAD.EXE
    acad
    acad.cui
    acad.mnr
    custom.cui
    custom.mnr
    custom.dll
    custom.mnl
    acimpression.cui
    acimpression.mnr
    acimpression.dll
    acimpression.mnl
    acetmain.cui
    acetmain.mnr
    acetmain.dll
    acetmain.mnl
    acad.pgp
    acad.dwt
    acad.fmp
    simplex.shx
    txt.shx
    acad2008.VLX
    acad2008.FAS
    acad2008.LSP
    acad.VLX
    acad.FAS
    acad.LSP
    acad2008doc.VLX
    acad2008doc.FAS
    acad2008doc.LSP
    acaddoc.VLX
    acaddoc.FAS
    acaddoc.LSP
    acad.mnl
    acettest.fas
    Appload.arx (and all arx files found in appload)
    AecArchBase.dbx (and all AEC dbx files)
    AcInfoCenterConn.DLL
    AcWipeoutObj17.dbx
    WSCommCntrAcCon.arx
    acad.rx
    acad.dbx
    acetloc.VLX
    acetloc.FAS
    acetloc.LSP
    scriptproinit.VLX
    scriptproinit.FAS
    scriptproinit.LSP
    acetutil.fas
    acetauto
    acetauto.lsp
    acetauto.VLX
    acetauto.FAS
    acetdockc.arx
    acad.mnl.FAS
    acetmain.mnl.FAS
    ACAD.EXE
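One way to write the startup guard steven.88041 describes in post #4, placed in acad200x.lsp because the load order in post #5 shows acad2008.LSP running before acad.VLX/FAS/LSP. This is an added illustration, not the file from the thread (which was never posted); it assumes the office uses no acad.lsp of its own (as post #4 states) and that findfile searches the same current, drawing and support folders AutoCAD consults when auto-loading.

```lisp
;; Added example guard for acad200x.lsp (e.g. acad2008.lsp). acad200x.lsp is
;; loaded before acad.lsp/.fas/.vlx, so code here can remove rogue auto-load
;; files before AutoCAD reaches them in its startup sequence.
(vl-load-com)

;; File names this thread reports the dwgrun/acad.fas malware dropping.
;; acad.lsp is included on the assumption (per post #4) that the office keeps
;; no acad.lsp of its own and has ACADLSPASDOC set to 0.
(setq *rogue-autoload-names* '("acad.fas" "acad.vlx" "acad.lsp" "acad.sys"))

;; findfile walks the library search path (current folder, drawing folder,
;; support paths), the same places AutoCAD looks for auto-load files. Looping
;; until findfile returns nil clears every copy AutoCAD could see.
;; Returns the list of full paths removed, or nil when none were found.
(defun purge-rogue-autoload (name / path removed failed)
  (while (and (not failed) (setq path (findfile name)))
    (if (vl-file-delete path)
      (setq removed (cons path removed))
      (progn
        ;; Stop on failure so a locked or read-only file cannot loop forever.
        (princ (strcat "\nWARNING: could not delete " path
                       " - check permissions and file attributes."))
        (setq failed T)
      )
    )
  )
  removed
)

;; Run the purge for every name and report what was removed, so an operator
;; can tell a re-infection (e.g. via the dwgrun Run key) is still occurring.
(setq *removed-autoload-files*
  (apply 'append (mapcar 'purge-rogue-autoload *rogue-autoload-names*)))
(if *removed-autoload-files*
  (progn
    (princ "\nRemoved suspicious auto-load file(s) at startup:")
    (foreach f *removed-autoload-files* (princ (strcat "\n  " f)))
  )
)
(princ)
```

Deleting the files only stops them loading; the winfas.ini/winsys.ini copies and the dwgrun Run key described in post #4 still need to be cleaned up separately, or the batch file will re-create acad.fas on the next logon.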

  6. #6
    100 Club
    Join Date
    2002-06
    Location
    Winnipeg, Manitoba, Canada
    Posts
    107

    Re: dwgrun Virus using acad.fas

    Quote Originally Posted by aaronrumple
    I also am surprised we haven't seen more malicious code directed at Autodesk's products.

    I was too. It was explained to me that the people who create and distribute viruses are gearing towards a group of millions with hopes that their code will affect thousands of non-suspecting people. Autodesk has only so many customers AND the program itself isn't integrated into Windows/Mac products as well as MS Office.

  7. #7
    Member m.augi's Avatar
    Join Date
    2005-09
    Location
    Cincinnati, OH
    Posts
    32

    Re: dwgrun Virus using acad.fas

    Quote Originally Posted by steven.88041
    We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Why that file? See:

    Would you mind sharing this file?

    Thanks

  8. #8
    The Silent Type RobertB's Avatar
    Join Date
    2000-01
    Location
    Seattle WA USA
    Posts
    5,859

    Re: dwgrun Virus using acad.fas

    Quote Originally Posted by m.augi
    Would you mind sharing this file?

    Thanks

    Quote Originally Posted by steven.88041
    ... We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Why that file? See:

    http://usa.autodesk.com/adsk/servlet...linkID=9240617

    I think you will get better info from this blog post.
    R. Robert Bell
    Design Technology Manager
    Stantec
    Opinions expressed are mine alone and do not reflect the views of Stantec.

  9. #9
    Member m.augi's Avatar
    Join Date
    2005-09
    Location
    Cincinnati, OH
    Posts
    32

    Re: dwgrun Virus using acad.fas

    Thank you!!
