
Virus:ALisp/Dwgun.B


First posted on 09 August 2011.
Source: SecurityHome

Aliases:

Virus:ALisp/Dwgun.B is also known as Worm.Acad.HighLight.b (Kaspersky), ACAD/Bursted.C (AVG), ALS/Agent.AA worm (ESET), Worm.Acad (Ikarus), ALS/Bursted (McAfee), AL/Bursted-U (Sophos), ALS.Bursted.A (Symantec), ALS_CHENGWA.B (Trend Micro).

Explanation:

Virus:ALisp/Dwgun.B is a malware that targets installations of AutoCAD software. It may also download files and change certain computer settings.


Installation

When run, Virus:ALisp/Dwgun.B makes a copy of itself in the following locations:

  • <AutoCAD installation folder>\acad.fas
  • <current folder>\acad.fas
  • %windir%\DivX.fin
  • <system folder>\SHFR.CMD
  • %ProgramFiles%\AutoCAD\Fonts\isohztxt.shx


Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.

Virus:ALisp/Dwgun.B also sets the "ACADLSPASDOC" system variable to 1, which makes AutoCAD load the virus every time a drawing opens.

Virus:ALisp/Dwgun.B stores configuration information in the following registry location:

  • HKCU\Software\FileKen\settings

Spreads via...

Installation infection
Virus:ALisp/Dwgun.B searches for AutoCAD installations and copies itself to the install locations, which may be local or remote.

It spreads in this way because it has set a system variable that makes AutoCAD execute the copy automatically whenever a drawing opens (see the Installation section).



Payload

Downloads and executes arbitrary files
Virus:ALisp/Dwgun.B connects to "update<removed>.8800.org", which returns an IP address. This malware then attempts to connect to "<removed>adgs.com" and download and execute certain files, depending on the returned IP address.

Modifies system settings
Virus:ALisp/Dwgun.B may change entries in the following registry subkeys to enable the execution of scripts:

  • HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled


It may also change the computer date to February 14, 2003 and stop the "SharedAccess" service.
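The following PowerShell script is an added example, not part of the original advisory, that hunts a Windows host for the artifacts listed in the Installation and Payload sections above: the dropped files, the HKCU\Software\FileKen\settings key, the Windows Script Host Enabled values, the SharedAccess service state, and a system clock pushed back to 2003. The AutoCAD install folders in $AutoCadDirs are an assumption and should be adjusted to the host; the <system folder> placeholder is resolved through the .NET Environment class.

```powershell
# Added example (not from the original advisory): checks a host for the
# file, registry, service and clock indicators attributed to Virus:ALisp/Dwgun.B.
# $AutoCadDirs is an assumption; point it at the AutoCAD install folders on this host.
$AutoCadDirs = @("$env:ProgramFiles\AutoCAD", "${env:ProgramFiles(x86)}\AutoCAD")
$SystemDir   = [Environment]::GetFolderPath('System')   # resolves <system folder>, e.g. C:\Windows\System32

# Dropped files from the Installation section
$FileIndicators = @(
    "$env:windir\DivX.fin",
    "$SystemDir\SHFR.CMD",
    "$env:ProgramFiles\AutoCAD\Fonts\isohztxt.shx"
) + ($AutoCadDirs | ForEach-Object { Join-Path $_ 'acad.fas' })

# acad.fas beside a drawing is how the virus spreads; look for extra copies under the user profile
$DrawingCopies = Get-ChildItem -Path $env:USERPROFILE -Filter 'acad.fas' -Recurse -File -ErrorAction SilentlyContinue

$Findings = @()
foreach ($p in $FileIndicators) {
    if (Test-Path -LiteralPath $p) { $Findings += "File present: $p" }
}
foreach ($f in $DrawingCopies) { $Findings += "Stray acad.fas: $($f.FullName)" }

# Configuration key written by the malware
if (Test-Path 'HKCU:\Software\FileKen\settings') {
    $Findings += 'Registry key present: HKCU\Software\FileKen\settings'
}

# Windows Script Host: scripting is enabled unless this value is 0; the malware enables it
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
    $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -ne $val) { $Findings += "WSH Enabled ($hive) = $val" }
}

# The payload stops the SharedAccess (Windows Firewall / ICS) service
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') { $Findings += "SharedAccess service status: $($svc.Status)" }

# The payload may reset the clock to 14 February 2003
if ((Get-Date).Year -lt 2010) { $Findings += "System date looks wrong: $(Get-Date -Format 'yyyy-MM-dd')" }

if ($Findings.Count -eq 0) { 'No Dwgun.B indicators found.' } else { $Findings }
```

Run it in an elevated PowerShell session so the HKLM value and the service state can be read; a stray acad.fas next to a drawing on a network share is the finding most likely to explain reinfection after the local copies have been removed.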



Analysis by Marian Radu

Last update 09 August 2011
