The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Jul 17 2008 11:55 GMT
Released Jul 17 2008 17:11 GMT
Published Sep 12 2011 07:33 GMT

Technical Details
Removal instructions

Technical Details

A trojan program that infects the AutoCAD file on the user's computer. Written in AutoLISP language, an internal AutoCAD language. 3262 bytes.


The malicious script is written in standard AutoCAD scripts that are launched each time the application is started.

It looks for the directory where the file named "acad.exe" is located. If the directory is found, it looks for the sub-directory named "support" and infects all of the files with the "lsp" extension by adding its body. It adds a file named "acaddoc.lsp" to the list of files to be infected:

<directory containing the file "acad.exe">\support\*.lsp
<directory containing the file "acad.exe">\support\acaddoc.lsp
The virus determines the path to the directory from which it opens the current scheme (if the scheme was opened and not created) and adds its body in the file named "acaddoc.lsp":
<current scheme directory>\acaddoc.lsp
The virus also looks for the directory where the file named "acad.mnl" is located and infects all of the files with the "mnl" extension, again adding its body:
<directory containing the file "acad.mnl">\*.mnl
The virus runs the commands to open the "acad.lsp" file when creating or opening each scheme and to enable the single-window AutoCAD mode. It also prevents the following commands from running:
(line – constructs line segments; xref - manages internal links; explode - breaks up composite objects).

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Shuts down AutoCAD.
  2. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

    md5: 470170EA8BD67280E0BF12780088A5A1 sha1: BECFB104920B45DBB73819F14CF3A0885AABFA6E

Bookmark and Share

Viruses replicate on the resources of the local machine.

Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:

  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment.


Virus.Acad.Pasdoc.i (Kaspersky Lab) is also known as:

  • Virus.ALS.Pasdoc.a (Kaspersky Lab)
  • Virus.Acad.Pasdoc.a (Kaspersky Lab)
  • Virus: ALS/Bursted (McAfee)
  • AL/Billy-A (Sophos)
  • Worm.ACAD.Bursted-2 (ClamAV)
  • ACAD/Bursted.I (Panda)
  • Virus:ALisp/Passdoc.A (MS(OneCare))
  • ACAD.Pasdoc.2 (DrWeb)
  • Trojan.Script.29327 (BitDef7)
  • ALS:Pasdoc-B (AVAST)
  • Virus.ALS.Pasdoc (Ikarus)
  • ACAD/Bursted.B (AVG)
  • ACAD/Bursted.B.1 (AVIRA)
  • ALS.Bursted.B (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Script.Lisp.ACAD.dk (Rising)