Just cleaned this virus from a machine. It looks like the infection date was 4/10/2012, but the virus seems to be set to turn on after 9/9/2009, so maybe it's been around a while.
Anyway, the attached code was discovered embedded into the %userprofile%/AutoCAD/Support folder, at the end of Acad.mnl, and two other mnl files.
It appears to receive a streamp nil error on startup.
In terms of payload, it seems it attempts to redefine Wblock, SaveAs, Insert, and Pline. It does attempt to redefine the QSave command to erase all objects. But it seems the stream error occurs before the command redefinitions, so it never gets that far.
It also appears to be checking if the machine has a network adapter with a certain MAC address range.
Lastly, its replication code looks for the string ";;;jjyy", which is what I would recommend we name it after.
Anyway, attached for you!
--J
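An added example, not part of the original post or thread: a small scanner that walks an AutoCAD support folder, flags any menu/LISP file containing the ";;;jjyy" marker described above, and reports where the appended block starts and which of the commands named in the post it mentions. Scanning .lsp files as well as .mnl, and matching command names as whole words, are assumptions; the sample files are constructed, benign placeholders.

```python
import os
import re
import tempfile

MARKER = ";;;jjyy"             # replication marker string quoted in the post
COMMANDS = ("WBLOCK", "SAVEAS", "INSERT", "PLINE", "QSAVE")  # named in the post
EXTENSIONS = (".mnl", ".lsp")  # .lsp is an assumption; the post mentions .mnl only


def scan_text(text):
    """Return None if the marker is absent, else details of the appended block."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if MARKER in line:
            tail = "\n".join(lines[idx:]).upper()
            # Whole-word match so PLINE does not fire on SPLINE (assumed heuristic)
            hits = [c for c in COMMANDS
                    if re.search(r"(?<![A-Z])%s(?![A-Z])" % c, tail)]
            return {"marker_line": idx + 1, "tail_lines": len(lines) - idx,
                    "commands_after_marker": hits}
    return None


def scan_tree(root):
    """Walk root and scan every menu/LISP file; returns {path: finding}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                # latin-1 decodes any byte, so odd encodings cannot skip a file
                with open(path, encoding="latin-1") as fh:
                    result = scan_text(fh.read())
                if result:
                    findings[path] = result
    return findings


def demo():
    """Build a constructed support folder with placeholder text and scan it."""
    with tempfile.TemporaryDirectory() as root:
        clean = '(princ "menu loaded")\n'
        flagged = clean + ";;;jjyy\n; constructed placeholder: qsave and pline\n"
        for name, body in (("clean.mnl", clean), ("Acad.mnl", flagged)):
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return {os.path.basename(p): f for p, f in scan_tree(root).items()}
```

Point `scan_tree` at the support folder of each user profile; a hit on the marker line means the file should be compared against a known-good copy.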
Why are you posting this to a public newsgroup? Are you trying to spread it?
Is this newsgroup moderated anymore?
Well, being that I posted it as a Text file, it would take some effort for someone to execute it as a Lisp file.
I thought my post was pretty obviously an FYI, and by posting the text of the virus, administrators could know what to look for (since it is not detected by any virus scanner that we could ascertain).
--J
Hi,
Microsoft Forefront Endpoint Protection detected this immediately after download; it was identified as: Virus:Alisp/Bursted.BL.
Gaston Nunez