Virus:ALisp/Dwgun.A
First posted on 07 August 2019.
Source: Microsoft
Aliases:
Virus:ALisp/Dwgun.A is also known as ACAD/Dwgun, ACAD/Dwgun.A, ALS/Dwgun.a, AutoLISP/DWgun.A, ACAD.Grun, Trojan.Acad, Trojan.Acad.Dwgun.a, Trojan.Win32.ACAD.t, Troj/Dwgun-A, ALS_DWGUN.A.
Explanation:
Virus:ALisp/Dwgun.A is a virus that targets installations of AutoCAD software.
It arrives on the computer with the file name "acad.fas", along with a drawing file (with the DWG extension). When the DWG file is opened, Virus:ALisp/Dwgun.A is automatically loaded and executed by AutoCAD.
Installation
Once executed, Virus:ALisp/Dwgun.A performs the following actions:
- Sets the "ACADLSPASDOC" system variable to 1 - this makes AutoCAD load the virus every time a drawing opens
- Copies itself to the default Windows folder as "winfas.ini"
- Copies the file "acad.sys" (which is bundled with it) to the default Windows folder as "winsys.ini"
- Undefines all commands in the "acad.sys" file, for example, "explode"
- Creates the file "%windir%\system32\dwgrun.bat" - also detected as Trojan:BAT/Dwgun.A; this file copies back "winsys.ini" and "winfas.ini" from the Windows default folder to AutoCAD-related folders as hidden files
Virus:ALisp/Dwgun.A adds itself to the registry so that it starts every time Windows starts up:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "dwgrun"
With data: "%windir%\system32\dwgrun.bat"
Spreads via...
Installation infection
Virus:ALisp/Dwgun.A searches for all AutoCAD-related folders and copies the following files into each folder it finds:
- acad.fas - copy of this virus
- acad.sys
It spreads itself in this way because Virus:ALisp/Dwgun.A changes AutoCAD settings to load itself every time a drawing opens (see Installation section).
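The Installation and Spreads via sections above translate into a small triage check. The following is an added example, not part of the original entry: it looks for the dropped files, the batch file, the "dwgrun" Run value and any acad.fas/acad.sys copies under folders you name. The function names and finding labels are illustrative, and a file-name match is a lead to review, not proof of infection.

```python
import os
from pathlib import Path

# Indicators taken from the description above.
WINDIR_FILES = ("winfas.ini", "winsys.ini")
BAT_REL = Path("system32") / "dwgrun.bat"
RUN_VALUE = "dwgrun"
ACAD_FILES = ("acad.fas", "acad.sys")

def read_run_values():
    """Return HKLM Run values as {name: data}; empty when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values

def find_indicators(windir, acad_dirs, run_values):
    """Return a sorted list of (kind, detail) findings."""
    findings = []
    windir = Path(windir)
    for name in WINDIR_FILES:
        if (windir / name).is_file():
            findings.append(("dropped-copy", str(windir / name)))
    if (windir / BAT_REL).is_file():
        findings.append(("batch-file", str(windir / BAT_REL)))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or "dwgrun.bat" in data.lower():
            findings.append(("run-key", f"{name}={data}"))
    # Walk each folder to review; file names are compared case-insensitively.
    for folder in acad_dirs:
        for root, _dirs, files in os.walk(folder):
            for f in files:
                if f.lower() in ACAD_FILES:
                    findings.append(("acad-folder", os.path.join(root, f)))
    return sorted(findings)

if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    # Assumption: AutoCAD lives under Program Files; add drawing shares as needed.
    dirs = [d for d in (os.environ.get("ProgramFiles"),) if d]
    for kind, detail in find_indicators(windir, dirs, read_run_values()):
        print(kind, detail)
```

Because the batch file restores the copies as hidden files, pass the AutoCAD installation and drawing folders explicitly rather than relying on what a file browser shows.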
Additional information
Subsequent runs of Virus:ALisp/Dwgun.A result in the following message printed on the command line:
"成功完成复制!作者QQ:280745878"
Analysis by Marian Radu
Last update 07 August 2019