
Virus:ALisp/Bursted


First posted on 16 October 2013.
Source: Microsoft

Aliases :

There are no other names known for Virus:ALisp/Bursted.

Explanation :

Threat behavior

Installation

When you open a file with AutoCAD, the program also automatically loads any file named acad.lsp that is in the same folder. This virus takes advantage of this feature by copying itself, with the file name acad.lsp, into the folders that contain your drawing files. As a result, the virus also runs whenever you open a drawing file.

The virus then makes a copy of itself in the AutoCAD script path, which it locates by searching for the file base.dcl. Usually, this path is:

%APPDATA%\autodesk\autocad <year>\r<version number>\enu\support

The file name that the virus uses can change depending on the variant. For example, we have seen Virus:ALisp/Bursted.A use acadapp.lsp.

The virus also modifies the original, legitimate acad.lsp file located in the same folder as the base.dcl file, with instructions to load the virus's copy (in the case of Virus:ALisp/Bursted.A, this file would be acadapp.lsp).
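The file placements described above can be checked for with a short script. The following is an added example, not part of the original Microsoft write-up: it flags acad.lsp files that sit beside drawings and lists what the acad.lsp in a support folder (identified by base.dcl) loads. The function names, the constructed folder layout and the `(load "...")` form of the added instruction are assumptions.

```python
import os
import re
import tempfile

# AutoLISP load call, e.g. (load "acadapp") -- assumed form of the added instruction
LOAD_RE = re.compile(r'\(\s*load\s+"([^"]+)"', re.IGNORECASE)

def audit_autocad_tree(root):
    """Walk root and report the acad.lsp placements described in the text."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        lsp = names.get("acad.lsp")
        if lsp is None:
            continue
        path = os.path.join(folder, lsp)
        if any(n.endswith(".dwg") for n in names):
            # acad.lsp beside drawings is loaded when a drawing there is opened
            findings.append(("acad.lsp-beside-drawings", path))
        if "base.dcl" in names:
            # Support folder: list every file the startup acad.lsp loads
            with open(path, encoding="utf-8", errors="replace") as fh:
                for target in LOAD_RE.findall(fh.read()):
                    findings.append(("support-acad.lsp-loads", target))
    return findings

def demo():
    """Build a constructed folder layout (no real samples) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        project = os.path.join(root, "project")
        support = os.path.join(root, "support")
        clean = os.path.join(root, "clean")
        for d in (project, support, clean):
            os.makedirs(d)
        for d, name, body in [
            (project, "plan.dwg", ""), (project, "acad.lsp", "; constructed"),
            (support, "base.dcl", ""), (support, "acadapp.lsp", "; constructed"),
            (support, "acad.lsp", '(load "acadapp")\n'),
            (clean, "site.dwg", ""),
        ]:
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        found = audit_autocad_tree(root)
        return sorted((kind, os.path.basename(v)) for kind, v in found)

if __name__ == "__main__":
    for kind, value in demo():
        print(kind, value)
```

Some sites deploy their own acad.lsp deliberately, so each finding is a lead to compare against known-good startup files rather than a verdict.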

Spreads via...

Sharing drawings in compressed archives

The virus copies itself into folders that contain your drawing files. If you compress those folders to share your drawings, you will also include the copy of the virus.

Then, when someone opens the archive and loads the drawings, the virus will run.

Payload

Changes AutoCAD settings and displays messages

Early variants of Virus:ALisp/Bursted undefine various AutoLISP commands, such as the following:

  • explode
  • xbind
  • xref


The virus then attempts to replace these commands with its own code.

The virus also defines the command "burst", which causes the following message to be displayed:



When translated into English, the message says "Explode the text in the picture, then it becomes solid".

Deletes AutoCAD drawings and software

Some variants try to delete your drawing files and other related CAD software.

Displays messages

Certain variants also display messages, such as the following:





Analysis by Raymond Roberts



Symptoms

The following could indicate that you have this threat on your PC:

  • You see these messages when you use AutoCAD:



Last update 16 October 2013

 
