Worm:ALisp/Kenilfe.D
First posted on 08 June 2019.
Source: Microsoft
Aliases:
There are no other names known for Worm:ALisp/Kenilfe.D.
Explanation:
Worm:ALisp/Kenilfe.D is a detection for a worm written in Autocad Lisp, which is distributed as an Autocad FAS file, 21,513 bytes in size.
Installation
When run, the worm makes a copy of itself in the following location:
acad.fas
(where the directory is the installation location for Autocad)
xtautoz.shx
(where the directory is the fonts location for Autocad)
The worm also stores configuration information in the following registry location:
HKCUSoftwareFileKensettings
Spreads via...
Remote shares
The worm searches for Autocad installations and copies itself to the install locations, which may be local or remote.
Removable drives
The worm enumerates all drives, checking for removable drives. If found, the worm checks for Autocad related files. If found, it then copies itself to the same location as the Autocad file, as acad.fas, and creates an infection marker file on the root drive named pagefile, to prevent duplicate copies of the worm file being created.
Payload
Downloads and executes arbitrary files
The worm runs the ping command on the following host:
rmytwsjxx.2288.org
Then, depending on the IP address returned, it can download and execute a different file from the following domain:
cadgs.com
The worm can also download and execute other Autocad FAS files from the following domain:
fwwdym.2288.org
Steals sensitive information
The worm copies files to the following directory:
C:Bakdirectory
The worm then uploads those files to the following remote host using the File Transfer Protocol (FTP):
fwwdym.2288.org
Deletes files
The worm checks for the following files, and if found, deletes them:
acad.fas
isomianyi.shx
acad.fas1
lcm.fas
isohztxt.shx
arxfucker.dll
acad.sys
acadsmu.fas
acadapq.lsp
acadappp.lsp
acadapp.lsp
dwgrun.bat
winfas.ini
acadiso.lsp
Modifies files
The worm modifies the following file:
acad.mnl
It appends a script to the above file that replaces the file "acad.fas" with a copy of "txtautoz.shx".
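The removable-drive and file-modification behaviour described above can be checked for on a mounted drive with a simple host-side scan. The following is an added example, not part of the original write-up; it looks for the three file-level indicators the text names (the "pagefile" marker at the drive root, an acad.fas copy sitting beside Autocad files, and an acad.mnl that references txtautoz.shx). The set of extensions treated as "Autocad related" is an assumption, and the sample drive tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up (file names only; the scan root is supplied by the caller).
MARKER_NAME = "pagefile"         # infection marker dropped on the drive root
DROPPED_FAS = "acad.fas"         # the worm's copy, placed next to Autocad files
MODIFIED_MNL = "acad.mnl"        # file the worm appends a script to
MNL_REFERENCE = "txtautoz.shx"   # name the appended script copies over acad.fas
AUTOCAD_EXTS = {".dwg", ".lsp", ".fas", ".mnl"}  # assumption: what counts as "Autocad related"

def scan_drive(root):
    """Return a list of (indicator, path) pairs found under `root`."""
    root = Path(root)
    hits = []
    if (root / MARKER_NAME).is_file():
        hits.append(("marker", str(root / MARKER_NAME)))
    for dirpath, _, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        d = Path(dirpath)
        # acad.fas beside other Autocad files is the propagation copy the text describes
        others = any(Path(n).suffix in AUTOCAD_EXTS and n != DROPPED_FAS for n in names)
        if DROPPED_FAS in names and others:
            hits.append(("dropped_fas", str(d / DROPPED_FAS)))
        if MODIFIED_MNL in names:
            try:
                text = (d / MODIFIED_MNL).read_text(errors="ignore")
            except OSError:
                continue
            if MNL_REFERENCE in text.lower():
                hits.append(("modified_mnl", str(d / MODIFIED_MNL)))
    return hits

def build_sample_drive():
    """Constructed sample tree mimicking an infected removable drive (placeholder bytes, not malware)."""
    root = Path(tempfile.mkdtemp())
    (root / MARKER_NAME).write_text("")
    proj = root / "projects"
    proj.mkdir()
    (proj / "plan.dwg").write_bytes(b"AC1027")
    (proj / DROPPED_FAS).write_bytes(b"constructed placeholder")
    (proj / MODIFIED_MNL).write_text("(defun s::startup () nil)\n;; appended: copy txtautoz.shx over acad.fas\n")
    return root

if __name__ == "__main__":
    for kind, path in scan_drive(build_sample_drive()):
        print(kind, path)
```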
Modifies system settings
The worm may change the following registry entries to enable execution of scripts:
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
Analysis by Ray Roberts
Last update 08 June 2019