
Strange acad lsp generated with any dwg opened


motee-z


Hello,

Someone gave me an AutoCAD drawing with some extra files.

When I open any CAD dwg, an acad lsp file is generated automatically in many places. This file changes system variables, which I don't wish.

I erased all these files, but in vain; the file is always created again and changes system variables. Any help will be appreciated.


I've seen this happen to a few people - it's a nasty thing indeed.

Someone has written an ACAD.lsp file to change system variables and copy itself to various locations on your computer - do a search for all files called ACAD.lsp or ACADDOC.lsp and check to see if they are dodgy - and if so, get rid of them.


Thank you, Lee Mac, for your reply.

I used search for all acad lisp files and deleted them, but in vain; the file is still created. Maybe there is another solution.


Did you check your WHOLE computer for any ACAD.lsp / ACADDOC.lsp files? Also, check if you have any LISP routines that you have loaded recently for any dodgy stuff...


I checked every corner of my computer, hidden files too, and deleted all acad lisp files, then tried to open any dwg; the acad lsp was created in the same path.

Maybe the mother file has a different name.


I faced the same problem.

This is an AutoCAD virus.

This lisp changes variables and some commands such as EXPLODE, XREF and XBIND.

To prevent this issue:

- Norton has a solution

http://www.symantec.com/security_response/writeup.jsp?docid=2005-111717-2608-99&tabid=3

- Other solutions from Autodesk

http://usa.autodesk.com/adsk/servlet/ps/item?siteID=123112&id=12903754&linkID=9240617

http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=13717811&linkID=9240617

- Load these lisps at the system

http://www.cadnauseam.com/download/clean_virus_safe.lsp

http://www.blog.cadnauseam.com/2009/08/14/autocad-virus-protection-update/

- Make the AutoCAD Support folder read-only; ask the IT department for this step


For what it's worth, I should think the malicious code would function along these lines: A source will send you a drawing with the acad*.lsp file in the same folder, you open the drawing and AutoCAD will automatically load any acad.lsp files it finds (as it is programmed to do so).

The acad.lsp file that is in the folder will contain code to first search various locations on your computer (most probably hidden locations) for any acad.lsp files and will proceed to write itself to those locations. Furthermore, after copying itself it will also contain code to change various system variables / redefine certain commands so that they act unlike how you would expect them to.

More worrying is the fact that anyone mildly proficient in LISP can easily change registry settings on a computer and this could really do some damage.

It's a difficult one to get rid of as it could be writing itself to a number of locations in the acad search path, or even appending itself to existing acaddoc.lsp or other acad*.lsp files. The only way I would think one could remove such an infliction would be to delete all instances of the file and any malicious code contained in other such files (without opening ACAD whilst doing so), and of course delete the original file.

My advice to anyone reading this thread - when receiving lsp or other executable files from anyone, check the file before you open anything AutoCAD related and, if in doubt, ask the source of the purpose of the additional files, and/or delete them.

In my experience, I do not run any code on my PC unless either I have written it or I have studied the whole code to look for anything untoward. Of course, this is easier for someone who knows a thing about LISP, but, most onlookers can see the purpose of code by the nature of the expressions contained within. And, of course, if anything has been purposefully hidden (using character code shifting etc), then this is a definite no no.

My humble opinion on such matters,

Lee


Thanks Lee.. are there specific words to be especially wary of? (like commands that can change the registry, etc?)

For example, if I saw something like:

Delete *.*

I'd know it was up to no good?


That is the reason I run Spybot S&D with TeaTimer. Any changes to the registry must be manually approved by me. McAfee has a similar function available.


Thanks Lee.. is there specific words to be especially wary of? (like commands that can change the registry, etc?)

 

Good question Mike,

In most cases, as I say, code will be intentionally disguised to hide its purpose using character codes, for example:

(strcat "(" (chr 97) (chr 108) (chr 101) (chr 114) (chr 116) (chr 115) (chr 117) (chr 114) (chr 112) (chr 114) (chr 105) (chr 115) (chr 101) ")")

Or more simply just something like a list of ASCII codes to be read by a function like vl-list->string.

(40 97 108 101 114 116 32 34 115 117 114 112 114 105 115 101 34 41)

Which makes things difficult to spot, but you want to look out for expressions like:

(eval (read .... ))

Which would read the above strings and evaluate their code.

As far as the registry goes, the getenv and setenv functions will read and write registry keys within the location:

HKEY_CURRENT_USER\Software\Autodesk\AutoCAD\RXX.X\ACAD-XXXX:XXX\FixedProfile\General

But the more powerful vl-registry-write / vl-registry-read / vl-registry-delete / vl-registry-descendents can manipulate the entire registry.

Obviously there is the usual System Variable changing code, using the setvar function or more simply calling the System Variable from the command line and changing its value there.

Also, there are the file manipulation functions, such as vl-file-delete / vl-file-copy / vl-mkdir etc - bear in mind that vl-file-delete will bypass the recycle bin...

Another nasty trick can be to download files to the user's computer from a location on the internet (yes it can be done with LISP), these files could of course be anything - including viruses. Look out for such functions as vla-getRemoteFile (coincidentally I use this method in my Point Manager program to download the Help file).

I suppose another trick would be to open the user's browser to a malicious website using perhaps the startapp function or otherwise.

That's about all the malicious things I can think of at the moment, but I'm sure there are other ways that sad individuals come up with to wreak havoc on others.

Lee
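
A defender-side check built from the functions listed in the post above, as an added example that is not part of the original thread: it reads acad*.lsp files as plain text (never loading them into AutoCAD), flags the constructs the post names, and decodes character-code strings so the hidden expression can be read. The category labels, the minimum run length for a character-code sequence, and the sample text are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Function names come from the post above; the category labels are this example's own.
INDICATORS = {
    "dynamic evaluation": r"\(\s*eval\s*\(\s*read\b",
    "character-code string building": r"\(\s*chr\s+\d+|vl-list->string",
    "registry access": r"vl-registry-(?:write|read|delete|descendents)|\(\s*setenv\b",
    "file manipulation": r"vl-file-(?:delete|copy)|vl-mkdir",
    "download or launch": r"vla-getremotefile|\(\s*startapp\b",
    "system variable change": r"\(\s*setvar\b",
}
CHR_RUN = re.compile(r"(?:\(\s*chr\s+\d{1,3}\s*\)\s*){3,}", re.I)
INT_LIST = re.compile(r"\(\s*((?:\d{1,3}\s+){3,}\d{1,3})\s*\)")

def decode_hidden(text):
    """Statically decode (chr N) runs and integer lists into the text they spell."""
    found = ["".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
             for m in CHR_RUN.finditer(text)]
    for m in INT_LIST.finditer(text):
        codes = [int(n) for n in m.group(1).split()]
        if all(32 <= c < 127 for c in codes):   # keep printable ASCII lists only
            found.append("".join(map(chr, codes)))
    return found

def scan_text(text):
    """Return (sorted indicator labels, decoded hidden strings) for one file's text."""
    hits = sorted(k for k, rx in INDICATORS.items() if re.search(rx, text, re.I))
    return hits, decode_hidden(text)

def scan_tree(root):
    """Scan every acad*.lsp under root (any case); files are read, never loaded."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and re.fullmatch(r"acad.*\.lsp", p.name, re.I):
            hits, hidden = scan_text(p.read_text(errors="replace"))
            if hits or hidden:
                report[str(p)] = (hits, hidden)
    return report

# Constructed sample, assembled from the snippets quoted in the post.
SAMPLE = '''(setvar "CMDECHO" 0)
(eval (read (vl-list->string '(40 97 108 101 114 116 32 34 115 117 114 112 114 105 115 101 34 41))))
'''

if __name__ == "__main__":
    for path, (hits, hidden) in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits, hidden)
```

A hit is a prompt to read the file, not a verdict: the post itself notes a legitimate use of vla-getRemoteFile, and setvar is common in ordinary startup files.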


Thanks, it seems like this is pretty useful stuff. I didn't realize you could do THAT much with LISP. I appreciate you spelling it out for me.


Thanks, it seems like this is pretty useful stuff. I didn't realize you could do THAT much with LISP. I appreciate you spelling it out for me.

 

You're welcome.

To be honest with you Mike, there really isn't too much you can't do with LISP (one of the reasons for its popularity) - unless you want to venture into manipulating the inner workings of AutoCAD or indeed create standalone programs without the reliance on AutoCAD, LISP is quite sufficient in most cases. With the addition of the ActiveX modules, one can interface with most Microsoft Objects and hence manipulate a great deal.

Lee


Indeed... recognizing that this is a hell of an open-ended question,

If I could bother you with a further request..?

Could you point me to a thread or something that discusses options for the very beginning of learning to use LISP from the perspective of someone who understands programming on a conceptual level, but has no hands-on programming experience worth noting, beyond early forms of "BASIC"..?


Here are a few links from my collection:

Starting LISP:

http://www.afralisp.net/

http://www.jefferypsanders.com/autolisptut.html

http://ronleigh.info/autolisp/index.htm

More Advanced LISP Tutorials/Help:

http://augiru.augi.com/content/library/au07/data/paper/CP311-4.pdf

http://mitpress.mit.edu/sicp/full-text/book/book-Z-H-4.html

http://www.cs.cmu.edu/afs/cs.cmu.edu/project/ai-repository/ai/html/cltl/clm/node1.html

Explanation of a LISP function (Text replacement):

http://www.cadtutor.net/forum/showpost.php?p=264546&postcount=15

Explanation of a LISP function (Text Height Change):

http://www.cadtutor.net/forum/showpost.php?p=306576&postcount=14

Explanation of a LISP function (Reinsert all blocks @ 0,0,0):

http://www.cadtutor.net/forum/showpost.php?p=309366&postcount=15

Each is of varying programming level.

The 'tutorial' type will get you going quicker - but the 'Advanced' links are more for the programming concept.


hello

some one gave me autocad drawing with some extra files

 

 

I think I'd have a "Come to Jesus" meeting with whoever it was that gave you that drawing and the associated files!! :x

I'd give his butt a taste of leather boot too!!
