Virus.Acad.Pasdoc.i

Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Shut down AutoCAD.
  2. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


    md5: 470170EA8BD67280E0BF12780088A5A1 sha1: BECFB104920B45DBB73819F14CF3A0885AABFA6E

    Payload

    The malicious code is written as standard AutoCAD script files, which are launched each time the application is started.


    It looks for the directory where the file named "acad.exe" is located. If the directory is found, it looks for the sub-directory named "support" and infects all of the files with the "lsp" extension by adding its body. It adds a file named "acaddoc.lsp" to the list of files to be infected:

    <directory containing the file "acad.exe">\support\*.lsp
    <directory containing the file "acad.exe">\support\acaddoc.lsp
    

    The virus determines the path to the directory from which the current drawing (scheme) was opened (if the drawing was opened rather than newly created) and adds its body to the file named "acaddoc.lsp":
    <current scheme directory>\acaddoc.lsp
    

    The virus also looks for the directory where the file named "acad.mnl" is located and infects all of the files with the "mnl" extension, again adding its body:
    <directory containing the file "acad.mnl">\*.mnl
    

    The virus runs commands that cause the "acad.lsp" file to be opened whenever a drawing (scheme) is created or opened, and that enable AutoCAD's single-window mode. It also prevents the following commands from running:
    line
    _line
    xref
    _xref
    explode
    _explode
    
    (line - constructs line segments; xref - manages internal links; explode - breaks up composite objects).
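As an added example (not Kaspersky's code and not part of the original write-up), this Python triage script walks a directory tree, selects the file locations listed above, and flags files whose AutoLISP matches the described behaviour. The mapping of that behaviour to the UNDEFINE command and the ACADLSPASDOC and SDI system variables is an assumption, as are the function names and the constructed sample tree.

```python
import re
import tempfile
from pathlib import Path

# Heuristics only. Assumption: the behaviours in the write-up map to the
# UNDEFINE command and the ACADLSPASDOC / SDI system variables.
INDICATORS = {
    "undefines line/xref/explode":
        re.compile(r'undefine"?\s+"[._]*(?:line|xref|explode)"', re.I),
    "sets ACADLSPASDOC": re.compile(r'setvar\s+"acadlspasdoc"', re.I),
    "sets SDI": re.compile(r'setvar\s+"sdi"', re.I),
}

def in_scope(path):
    """True for the file locations the write-up lists as infection targets."""
    name, ext = path.name.lower(), path.suffix.lower()
    return (ext == ".mnl" or name == "acaddoc.lsp"
            or (ext == ".lsp" and path.parent.name.lower() == "support"))

def triage(root):
    """Return {relative path: [indicator names]} for in-scope files that match."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and in_scope(p)):
        text = path.read_text(encoding="latin-1")  # never fails on odd bytes
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample(root):
    """Constructed test tree: harmless text files, not real malware."""
    appended = ('(command "undefine" "line")\n(command "undefine" "_xref")\n'
                '(setvar "acadlspasdoc" 1)\n(setvar "sdi" 1)\n')
    files = {
        "AutoCAD/support/tools.lsp": '(defun c:hello () (princ "hi"))\n' + appended,
        "AutoCAD/support/clean.lsp": "(defun c:ok () (princ))\n",
        "AutoCAD/support/acad.mnl": "(princ)\n" + appended,
        "Projects/plant/acaddoc.lsp": appended,
        "Projects/plant/notes.lsp": appended,  # outside the listed locations
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, hits in triage(tmp).items():
            print(rel, "->", "; ".join(hits))
```

A match is a prompt for manual review, not a verdict: legitimate customisation files can also set these variables, so compare flagged files against known-good copies before restoring or deleting them.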

    Technical Details

    A trojan program that infects AutoCAD files on the user's computer. It is written in AutoLISP, an internal AutoCAD language. Its size is 3262 bytes.