SecurityHome.eu Trojan:ALisp/Qfas.B

Home / malware PDF

Trojan:ALisp/Qfas.B

First posted on 01 June 2012.
Source: Microsoft
Aliases :
There are no other names known for Trojan:ALisp/Qfas.B.
Explanation :

Trojan:ALisp/Gofas.A is a detection for a trojan written in Autocad Lisp (the scripting language used by AutoCAD), which is distributed as a 3,000 byte Autocad FAS file.

Installation

When run the trojan checks for the following variables:

"DWGPREFIX" - this is the location prefix for a drawing

"MENUNAME" - this contains the path to the customization file

If found, the trojan copies itself to these locations as "acad.vlx".

The trojan then searches for the file "acad.exe", and if found, the trojan copies itself to this location under the directory "Help" as "logo.gif".

The trojan may also create the following file:

temp.txt

Payload

Modifies files

The trojan searches for the following files:

acad.mnl

ai_utils.lsp

acetauto.lsp

<location of acad.exe>\UserDataCache\Support\acad.mnl

And if found, the trojan modifies the files to include script which copies the file logo.gif to acad.vlx.

Analysis by Ray Roberts

Last update 01 June 2012

TOP

Malware :

Last 20

Family:

Trojan:ALisp/Qfas.B