ALS/Bursted.gen.b

This page shows details and results of our analysis of the malware ALS/Bursted.gen.b.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

Emsisoft    -    Trojan.ACAD.Bursted.N (B)
F-Secure    -    Trojan.ACAD.Bursted.N
Kaspersky    -    Virus.Acad.Bursted.a
Sophos        -    AL/Bursted-AJ
Microsoft    -    Virus:ALisp/Bursted.CC   


Minimum Engine

5600.1067

File Length

Varies

Description Added

2012-09-27

Description Modified

2013-01-08

Malware Proliferation

Characteristics

ALS/Bursted.gen.b is a virus written in AutoLISP, the language used for scripting AutoCAD applications.

The virus first retrieves the name of the open drawing using the command below. If the name is Drawing1.dwg, it saves the drawing to the "My Documents" folder as Drawing1.dwg.

Lsp command: (getvar "dwgname")

The virus then searches for the path of the "base.dcl" file in order to locate the AutoCAD Support directory (%AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\).

The virus checks for the presence of "acadappp.lsp" in the AutoCAD Support directory. If the file does not exist, the virus copies itself there as "acadappp.lsp". This file is loaded automatically by AutoCAD whenever a drawing is opened, which executes the virus.

The virus also infects the "acad.mnl" file in the AutoCAD Support directory by appending the following commands:

(load "acadappp.lsp")
(princ)


Whenever the user opens a *.dwg file, the virus checks for existing "acad.lsp" and "acadapp.lsp" files. If they are found, it reads their first line to verify that it begins with ";;;". If that marker is not found, it replaces the file content with ";;;".

It also copies itself as "acad.lsp" into the current working directory, alongside the *.dwg files.

Upon execution the following files are added to the system:
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acadappp.lsp
  • [*.dwg current working directory]\acad.lsp
Upon execution it also tries to connect to the following domain:
  • FS1
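The on-disk artefacts listed above are all an administrator can check for without the vendor's DAT files. The following script is an added example, not code from the original description or from the virus: it scans an %AppData% tree for the Support-directory dropper, the loader line appended to acad.mnl, and the acad.lsp / acadapp.lsp files next to drawings, and reports which indicators are present. It assumes the directory layout given in the description; the sample profile it builds and the placeholder .lsp contents are constructed here so the script runs offline and contains no AutoLISP from the real dropper.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, Set, Tuple

# Loader line the description says the virus appends to acad.mnl.
LOADER_RE = re.compile(r'\(\s*load\s+"acadappp\.lsp"\s*\)', re.IGNORECASE)
DROPPER = "acadappp.lsp"
COMPANIONS = ("acad.lsp", "acadapp.lsp")   # files the virus copies itself to or wipes to ";;;"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def support_dirs(appdata: Path) -> Iterator[Path]:
    """Yield each <appdata>/Autodesk/AutoCAD <year>/R<ver>/enu/Support directory (layout assumed)."""
    base = appdata / "Autodesk"
    if base.is_dir():
        for p in base.rglob("Support"):
            if p.is_dir() and p.parent.name.lower() == "enu":
                yield p


def scan_support_dir(support: Path) -> List[str]:
    """Indicators inside the AutoCAD Support directory: the dropper and the patched menu file."""
    findings = []
    dropper = support / DROPPER
    if dropper.is_file():
        findings.append(f"dropper present: {dropper}")
    mnl = support / "acad.mnl"
    if mnl.is_file() and LOADER_RE.search(mnl.read_text(errors="replace")):
        findings.append(f"acad.mnl loads {DROPPER}: {mnl}")
    return findings


def scan_drawing_dir(dwg_dir: Path, dropper_hashes: Set[str]) -> List[str]:
    """Indicators next to .dwg files: acad.lsp that is a copy of the dropper, or companions wiped to ';;;'."""
    findings = []
    if not any(p.suffix.lower() == ".dwg" for p in dwg_dir.iterdir()):
        return findings
    for name in COMPANIONS:
        f = dwg_dir / name
        if not f.is_file():
            continue
        if sha256(f) in dropper_hashes:
            findings.append(f"{name} is a copy of the dropper: {f}")
        elif f.read_text(errors="replace").strip() == ";;;":
            findings.append(f"{name} wiped to ';;;' marker: {f}")
    return findings


def scan(appdata: Path, drawing_dirs: List[Path]) -> List[str]:
    """Run both checks; the dropper's hash ties planted acad.lsp copies back to the Support directory."""
    findings: List[str] = []
    hashes: Set[str] = set()
    for s in support_dirs(appdata):
        findings.extend(scan_support_dir(s))
        d = s / DROPPER
        if d.is_file():
            hashes.add(sha256(d))
    for dd in drawing_dirs:
        if dd.is_dir():
            findings.extend(scan_drawing_dir(dd, hashes))
    return findings


def build_sample_tree(root: Path) -> Tuple[Path, List[Path]]:
    """Constructed profile that mimics an infected layout; the .lsp bodies are harmless placeholders."""
    support = root / "AppData" / "Autodesk" / "AutoCAD 2010" / "R18.0" / "enu" / "Support"
    support.mkdir(parents=True)
    placeholder = ";;; constructed placeholder, not the real dropper\n(princ)\n"
    (support / DROPPER).write_text(placeholder)
    (support / "acad.mnl").write_text('(princ "menu")\n(load "acadappp.lsp")\n(princ)\n')
    drawings = root / "Drawings"
    drawings.mkdir()
    (drawings / "Drawing1.dwg").write_bytes(b"")       # empty stand-in for a drawing
    (drawings / "acad.lsp").write_text(placeholder)    # copy of the dropper next to the drawing
    (drawings / "acadapp.lsp").write_text(";;;")       # companion file wiped to the marker
    return root / "AppData", [drawings]


def demo() -> List[str]:
    """Build the constructed profile in a temp dir and return the indicators found (four expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata, dirs = build_sample_tree(Path(tmp))
        return scan(appdata, dirs)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real machine, call scan() with Path(os.environ["APPDATA"]) and the directories that hold the user's drawings; a hit on acad.mnl or the dropper alone is enough to warrant cleaning with current engine and DAT files, since the hash match only confirms an acad.lsp copy when the Support-directory dropper is still present.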

Symptoms

Presence of the above mentioned behavior

Method of Infection

Viruses are self-replicating.

It automatically infects the "acad.lsp" and "acad.mnl" files on the compromised machine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants