
Worm:ALisp/Kenilfe.F


First posted on 12 March 2013.
Source: Microsoft

Aliases:

Worm:ALisp/Kenilfe.F is also known as TR/Acad.Dwgun.f (Avira), ACAD.Bursted.21 (Dr.Web), ALS/Bursted virus (ESET), Trojan.Acad (Ikarus), Trojan.Acad.Dwgun.f (Kaspersky), ALS/Bursted (McAfee), Trojan.Script.Lisp.ACAD.jk (Rising AV), AL/Bursted-AR (Sophos), ALS.Kenilfe (Symantec), ALS_KENILFE.HDS (Trend Micro).

Explanation:



Installation

Worm:ALisp/Kenilfe.F creates copies of itself in the following locations:

  • <install folder for AutoCAD>\acad.fas
  • %windir%\DivX.fin


Worm:ALisp/Kenilfe.F creates the following registry entry, in which it stores configuration information:

HKCU\Software\FileKen\settings

Spreads via...

AutoCAD

Worm:ALisp/Kenilfe.F looks for AutoCAD installations on your computer or your network. If any are found, it copies itself into the installation folder as "acad.fas".

It also enumerates all drives accessible from your computer, including removable drives, and checks whether any AutoCAD-related files are present on each drive. If some are found, Worm:ALisp/Kenilfe.F copies itself to the same location as the AutoCAD files, using the file name "acad.fas". It then creates an infection marker file named "pagefile" in the root of the drive, to prevent duplicate copies of the worm file from being created.



Payload

Downloads arbitrary files

Worm:ALisp/Kenilfe.F connects to the server "updatebd.8800.org" to receive an IP address. It then downloads arbitrary files from the server at the received IP address. In the wild, Worm:ALisp/Kenilfe.F has been observed downloading from the server "cadgs.com".

Deletes files

Worm:ALisp/Kenilfe.F deletes the following files, if they are present on your computer:

  • acad.fas1
  • isohztxt.shx
  • isomianyi.shx
  • logo.gif


Renames files

Worm:ALisp/Kenilfe.F renames the following files by appending the string "_bak" to them; for example, "acad.lsp" becomes "acad.lsp_bak":

  • acad.lsp
  • acad.sys
  • acad.vlx
  • acadapp.lsp
  • acadappp.lsp
  • acadapq.lsp
  • acadiso.lsp
  • acadsmu.fas
  • dwgrun.bat
  • isohztxt.shx
  • lcm.fas
  • winfas.ini
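The file artefacts described above (the "acad.fas" copies, the "pagefile" marker in a drive root, %windir%\DivX.fin and the "_bak" renamed startup files) can be matched against a directory listing during triage. The following is an added example, not code from Microsoft or malwarePDF; the listing is constructed, the default %windir% value is an assumption, and the registry key is included only as a string to look up separately.

```python
"""Triage helper for the Worm:ALisp/Kenilfe.F file indicators listed above."""
from pathlib import PureWindowsPath
from typing import Iterable

# Startup/support files the worm renames by appending "_bak" (from the list above).
RENAMED_ORIGINALS = {
    "acad.lsp", "acad.sys", "acad.vlx", "acadapp.lsp", "acadappp.lsp",
    "acadapq.lsp", "acadiso.lsp", "acadsmu.fas", "dwgrun.bat",
    "isohztxt.shx", "lcm.fas", "winfas.ini",
}
# Configuration key named in the description; check it with the registry tool of your choice.
REGISTRY_IOC = r"HKCU\Software\FileKen\settings"

def scan_listing(paths: Iterable[str], windir: str = r"C:\Windows") -> list[tuple[str, str]]:
    """Return (indicator, path) pairs for every path matching a Kenilfe.F file indicator.

    `windir` should be the host's resolved %windir%; the default is an assumption.
    """
    findings = []
    divx_fin = PureWindowsPath(windir, "DivX.fin")   # PureWindowsPath compares case-insensitively
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name == "acad.fas":
            # Name the worm uses for its copies; review each hit against known AutoCAD files.
            findings.append(("dropper copy acad.fas", raw))
        elif name == "pagefile" and p.parent == PureWindowsPath(p.anchor):
            # Infection marker in a drive root (no extension; the legitimate file is pagefile.sys).
            findings.append(("infection marker pagefile", raw))
        elif p == divx_fin:
            findings.append(("dropped file DivX.fin", raw))
        elif name.endswith("_bak") and name[:-len("_bak")] in RENAMED_ORIGINALS:
            findings.append(("renamed original " + name[:-len("_bak")], raw))
    return findings

# Constructed sample listing (not from the page): a mix of benign and indicator paths.
SAMPLE_LISTING = [
    r"C:\Program Files\AutoCAD 2010\acad.fas",
    r"C:\Program Files\AutoCAD 2010\acad.lsp_bak",
    r"C:\Program Files\AutoCAD 2010\acad.exe",
    r"C:\Windows\DivX.fin",
    r"C:\pagefile.sys",
    r"E:\pagefile",
    r"E:\Projects\site.dwg",
    r"E:\Projects\acad.fas",
    r"E:\Projects\readme_bak",
]

if __name__ == "__main__":
    for indicator, path in scan_listing(SAMPLE_LISTING):
        print(f"{indicator:32} {path}")
```

On a live host, feed the function the output of a recursive directory walk of each mounted drive and pass the actual %windir% value.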




Analysis by Daniel Radu

Last update 12 March 2013
