Internet threat level: 1
Home→Descriptions→Virus.Acad.Pasdoc.i
Virus.Acad.Pasdoc.i
| Detected | Jul 17 2008 11:55 GMT |
| Released | Jul 17 2008 17:11 GMT |
| Published | Sep 12 2011 07:33 GMT |
Payload
Removal instructions
Technical Details
A trojan program that infects the AutoCAD file on the user's computer. Written in AutoLISP language, an internal AutoCAD language. 3262 bytes.
Payload
The malicious script is written in standard AutoCAD scripts that are launched each time the application is started.
It looks for the directory where the file named "acad.exe" is located. If the directory is found, it looks for the sub-directory named "support" and infects all of the files with the "lsp" extension by adding its body. It adds a file named "acaddoc.lsp" to the list of files to be infected:
<directory containing the file "acad.exe">\support\*.lsp <directory containing the file "acad.exe">\support\acaddoc.lspThe virus determines the path to the directory from which it opens the current scheme (if the scheme was opened and not created) and adds its body in the file named "acaddoc.lsp":
<current scheme directory>\acaddoc.lspThe virus also looks for the directory where the file named "acad.mnl" is located and infects all of the files with the "mnl" extension, again adding its body:
<directory containing the file "acad.mnl">\*.mnlThe virus runs the commands to open the "acad.lsp" file when creating or opening each scheme and to enable the single-window AutoCAD mode. It also prevents the following commands from running:
line _line xref _xref explode _explode(line – constructs line segments; xref - manages internal links; explode - breaks up composite objects).
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Shuts down AutoCAD.
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
md5: 470170EA8BD67280E0BF12780088A5A1 sha1: BECFB104920B45DBB73819F14CF3A0885AABFA6E
Viruses replicate on the resources of the local machine.
Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
- when infecting accessible disks, a virus penetrates a file located on a network resource
- a virus copies itself to a removable storage device or infects a file on a removable device
- a user sends an email with an infected attachment.
Virus.
- Virus.
ALS. Pasdoc. a (Kaspersky Lab) - Virus.
Acad. Pasdoc. a (Kaspersky Lab) - Virus:
ALS/Bursted (McAfee) - AL/Billy-A (Sophos)
- Worm.
ACAD. Bursted-2 (ClamAV) - ACAD/Bursted.
I (Panda) - Virus:
ALisp/Passdoc. A (MS(OneCare)) - ACAD.
Pasdoc. 2 (DrWeb) - Trojan.
Script. 29327 (BitDef7) - ALS:
Pasdoc-B (AVAST) - Virus.
ALS. Pasdoc (Ikarus) - ACAD/Bursted.
B (AVG) - ACAD/Bursted.
B. 1 (AVIRA) - ALS.
Bursted. B (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Trojan.
Script. Lisp. ACAD. dk (Rising)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.