AutoCAD virus found

honkinberry · ‎04-25-2012

Just cleaned this virus from a machine. It looks like the infection date was 4/10/2012, but the virus seems to be set to turn on after 9/9/2009, so maybe it's been around a while.

Anyway, the attached code was discovered embedded into the %userprofile%/AutoCAD/Support folder, at the end of Acad.mnl, and two other mnl files.

It appears to receive a streamp nil error on startup.

In terms of payload, it seems it attempts to redefine Wblock, SaveAs, Insert, and Pline. It does attempt to redefine the QSave command to erase all objects. But it seems the stream error occurs before the command redefinitions, so it never gets that far.

It also appears to be checking if the machine has a network adapter with a certain MAC address range.

Lastly, it's replication code looks for the string ";;;jjyy", which is what I would recommend we name it after.

Anyway, attached for you!

--J

dbroad · ‎04-26-2012

Why are you posting this to a public newsgroup? Are you trying to spread it?

Is this newsgroup moderated anymore?

Architect, Registered NC, VA, SC, & GA.

honkinberry · ‎04-26-2012

Well, being that I posted it as a Text file, it would take some effort for someone to execute it as a Lisp file.

I thought my post was pretty obvioulsy as an FYI, and by posted the text of the virus, administrators could know what to look for (since it is not detected by any virus scanner that we could ascertain).

--J

hgasty1001 · ‎04-26-2012

Hi,

Microsoft Forefront Endpoint Protection detected this inmediatly after download, it was identified as: Virus:Alisp/Bursted.BL.

Gaston Nunez

AutoCAD virus found

AutoCAD virus found

Forums Links

Post to forums