monk Posted August 30, 2011 Posted August 30, 2011 Hello, I have been reading through other threads and researched as much as I can about this worm. We are not having much success. We don't have any ACAD.VLX files created or in existence nor LOGO.GIF. Our symptoms are wherever we open a DWG from we get an acaddoc.lsp file created and this is also present in our support folder. I have looked at the code within and pretty sure this code is self replicating. We need to clean our servers, which is fine just delete all instances of the file (I am aware that these files can contain useful code) Tackling local machines is trickier, is there an antidote which we can load onto peoples autocad as a lisp to clean the files? I have looked into KillWorm and it looks for acad.vlx and logo.gif. Does it search for acaddoc.lsp? Does it clean this file? Can i send the code to someone perhaps to tell me exactly what it does? Quote
BlackBox Posted August 30, 2011 Posted August 30, 2011 Try this: You can download an autolisp code to find and kill the virus (or worm) and vaccine all infected files from the following addresses:1- http://www.irancad.com/irancadsd_content/media/image/2011/01/121_orig.zip - fas version of the lisp program 2- http://www.cadtutor.net/forum/attachment.php?attachmentid=26929&d=1302241532 - from the forum: http://www.cadtutor.net/forum/showthread.php?58117-acad-viruse/page2 3- http://cadtips.cadalyst.com/download_count.php?nid=2292&file=KillWorm-for-Cadalyst.zip&year=2011 - Some explanations about that is here: http://cadtips.cadalyst.com/lisp-code-modules/killworm HTH Quote
monk Posted August 30, 2011 Author Posted August 30, 2011 We tried another Fix, acaddocfix_1.6 which works much better for us. I was a bit eager on my first post! This will get deployed on our network and should self cure in a way! Quote
BlackBox Posted August 30, 2011 Posted August 30, 2011 Always happy to not help. Edit: ^^ Copyright pending, LoL Quote
alanjt Posted August 30, 2011 Posted August 30, 2011 Always happy to not help. Edit: ^^ Copyright pending, LoL rofl I need to start collecting royalties from you. Quote
monk Posted August 30, 2011 Author Posted August 30, 2011 It was brought to my attention by another user in another branch. I have only been at this particular company full time just over a month. I suspect we probably just got a lisp file with this code in it from an outside source. It looks like a self replicating code that just creates acaddoc.lsp and inserts the code again. I will be happy to forward the code as long as you know what you are doing. Obviously I will rename the lisp. You shouldnt load this within CAD and should only be looked at in notepad or similar. Would be interested if anyone can annotate my lisp and just tell me the steps it goes through. Quote
LibertyOne Posted September 1, 2011 Posted September 1, 2011 It was brought to my attention by another user in another branch. I have only been at this particular company full time just over a month. I suspect we probably just got a lisp file with this code in it from an outside source. It looks like a self replicating code that just creates acaddoc.lsp and inserts the code again. I will be happy to forward the code as long as you know what you are doing. Wow! Just what the AutoCAD world needs...recursive destruction... ...there is always that one nut out there who spoils it for the rest of us... Quote
monk Posted September 1, 2011 Author Posted September 1, 2011 Fortunately this is just a worm, So is just self replicating but it is dormant. So only replicated when autocad opens the lisp. These have been around for a while. We have got a programme together to cure our network so think we are ok on this! Fortunately its not a malicious piece of code. Quote
BlackBox Posted September 1, 2011 Posted September 1, 2011 roflI need to start collecting royalties from you. ... I knew you'd appreciate the 'copyright pending' bit!? LoL One of my favorite forum quotes ever. Quote
ReMark Posted September 1, 2011 Posted September 1, 2011 (edited) Always happy to not help. Edit: ^^ Copyright pending, LoL Think of it as all the keystrokes you didn't waste by responding. Edited October 23, 2013 by ReMark added the word 'by' Quote
rzavisca Posted October 8, 2013 Posted October 8, 2013 Regarding your post, below, from a couple of years ago, I am very interested in the fix that you applied to resolve the problem. My firm has the exact same symptoms that you had, and I've been scouring the internet for a solution with limited success. The only cleaning methods I've found relate to the VLX file and logo.gif file which are not present on our systems. Can you tell me where to find the fix that you applied? I'd be so grateful. Thanks. We tried another Fix, acaddocfix_1.6 which works much better for us. I was a bit eager on my first post! This will get deployed on our network and should self cure in a way! Quote
SLW210 Posted October 8, 2013 Posted October 8, 2013 Did you try the links in post #2? acaddocfix_1.8 can be found HERE. Quote
rzavisca Posted October 23, 2013 Posted October 23, 2013 I did see the three links that were provided earlier in this thread (numbered 1, 2 and 3) but none of them worked. The Killworm.lsp routine found no infection. Those links seem to seek out the VLX and logo.gif files, which as I mentioned are not even present on our systems. I thought maybe acaddocfix_1.6 or 1.8 might help in my case, but when I got to the linked page and try to download 1.8, my anti-virus program prevents it, with this message: "Rating: Dangerous Verified fraudulent page or threat source." If anyone has further ideas or solutions, please do let me know. The acaddoc.lsp files are still self-replicating into any folder where we open a DWG file, although there still appear to be no other harmful effects. Thanks. Quote
ReMark Posted October 23, 2013 Posted October 23, 2013 You could go nuclear on the worm by uninstalling then reinstalling AutoCAD. One caveat though...follow the specific procedure for ensuring a clean installation environment that AutoDesk has posted on their website. http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=2887771&linkID=9240617 Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.