Tag Archives: Malware

AutoCAD virus protection update

As I mentioned in my last post, I had some reservations about the code provided by Autodesk to deal with suspect acad.vlx and logo.gif files. Based on a suggestion from Jimmy Bergmark, I have written my own, safer version which you can download here: clean_virus_safe.lsp.

The comments at the top of the clean_virus_safe.lsp file explain what to do with it, but I will reproduce some of the relevant points here.

  • Purpose: Checks for existence of acad.vlx and logo.gif files, which are associated with virus AL/Logo-A, also known as ACAD/Unexplode, ACAD/Agent.A or ACM_UNEXPLODE.B. Written as a safer alternative to Autodesk’s code which deletes suspect files without prior warning. This code renames the files instead.
  • Legal: Provided as-is with no warranty whatsoever, use at own risk. May be distributed freely.
  • Usage: Append the contents of this file into a startup LISP file (e.g. acaddoc.lsp in your search path – create such a file if it does not exist). Autodesk’s suggestion to modify the acad20xx.lsp file should not be followed: this is bad practice. The acad20xx.lsp file is Autodesk’s file and any modifications you make to it are likely to be lost when updates and patches are applied.
  • Effects: Any and all files named acad.vlx and logo.gif and located in AutoCAD’s search path will be renamed, e.g. “acad.vlx” will become “[Suspected Virus] acad.vlx0”. The name will end in a number starting with 0. If other suspect files are later found in the same location, those files will be renamed to end with 1, 2, 3 and so on.

I don’t have a copy of the actual virus, and would like to get hold of one with a view to possibly improving this code. If you have a copy, I would be grateful if you could contact me so I can dissect it.
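The rename-instead-of-delete behaviour listed under Effects can be sketched outside AutoCAD as follows. This is an added example, not the contents of clean_virus_safe.lsp; the function names are hypothetical, the folder list is assumed to be supplied by the caller (for instance copied from the profile's support file search path), and the dry-run option is an addition so that the planned renames can be reviewed before anything is touched.

```python
import os
import tempfile

SUSPECT_NAMES = {"acad.vlx", "logo.gif"}   # file names named in the post
PREFIX = "[Suspected Virus] "              # rename prefix described in the post


def next_free_name(folder, name):
    """Return the first '[Suspected Virus] <name><n>' not yet present, n = 0, 1, 2..."""
    n = 0
    while os.path.exists(os.path.join(folder, f"{PREFIX}{name}{n}")):
        n += 1
    return os.path.join(folder, f"{PREFIX}{name}{n}")


def quarantine(search_path, dry_run=True):
    """Rename (never delete) suspect files found directly in each folder.

    Returns a list of (old_path, new_path). With dry_run=True nothing is
    touched, so the list can be reviewed first.
    """
    done = []
    for folder in search_path:
        if not os.path.isdir(folder):
            continue  # stale or unreachable search-path entry
        for entry in sorted(os.listdir(folder)):
            old = os.path.join(folder, entry)
            # Windows file names are case-insensitive, so compare lowercased.
            if entry.lower() in SUSPECT_NAMES and os.path.isfile(old):
                new = next_free_name(folder, entry)
                if not dry_run:
                    os.rename(old, new)
                done.append((old, new))
    return done


def demo():
    """Constructed sample: one support folder hit twice by a suspect acad.vlx."""
    with tempfile.TemporaryDirectory() as support:
        results = []
        for _ in range(2):
            with open(os.path.join(support, "acad.vlx"), "w") as f:
                f.write("constructed placeholder, not a real VLX")
            results += quarantine([support], dry_run=False)
        return [os.path.basename(new) for _, new in results]


if __name__ == "__main__":
    print(demo())
```

Because the originals are only renamed, a file that turns out to be legitimate can be restored by renaming it back.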

Another AutoCAD malware warning

Shaan Hurley has posted some useful information about another AutoCAD-based virus that is doing the rounds, and I strongly suggest you read it. However, I have some reservations about the solution that is posted there and in the Autodesk knowledgebase.

The LISP code suggested will delete any files called acad.vlx or logo.gif that are located in the current user’s current AutoCAD search path. There are a couple of problems with that.

  • The search path will change depending on the user, the profile, the startup folder and the drawing folder. That means you can’t just use the code once and expect the problem to go away; the code will need to remain in place permanently to ensure it does not recur. That may not be a huge problem, although it will have a performance penalty (particularly where the search path is long and/or includes network paths) and it is one more thing to remember to carry over to future releases.
  • More importantly, the code has no idea if the files it is deleting are legitimate or not. It is quite possible for a custom environment or third-party utility to make use of a file called acad.vlx, and there are all sorts of reasons you may have a logo.gif file floating around. The Autodesk code will just erase such files without prior warning, which is a bit naughty.

I commend Shaan and Autodesk for posting this information and proposed solution. However, I recommend caution before using this code as suggested. Check with your CAD Manager (if you have one) first to ensure there are no legitimate acad.vlx files in your environment. Do a search for these files yourself and see if there is a legitimate reason for them being where they are.

As with most malware attacks, taking care with incoming files is a very important part of the solution. Don’t just blindly use the contents of a zip file full of drawings, even from a trusted source. If somebody sends you a zip file containing an acad.vlx file, let the sender know about the problem and ask for an uninfected set of files.

AutoCAD malware warning

There is a piece of malware out there written as an ObjectARX application, i.e. it will only affect AutoCAD users. It’s a China-based adware client, which Andrew Brandt at the Webroot threat blog has named Trojan-Pigrig. For full details, see here. Also, see here for AutoCAD-specific advice from the AutoCAD support team at the Without a Net blog.