This page shows the details and results of our analysis of the malware ALS/Bursted.gen.b.

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: AutoLisp
  • Protection Added: 2012-09-27

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Emsisoft - Trojan.ACAD.Bursted.N (B)
F-Secure - Trojan.ACAD.Bursted.N
Kaspersky - Virus.Acad.Bursted.a
Sophos - AL/Bursted-AJ
Microsoft - Virus:ALisp/Bursted.CC

Malware Proliferation

ALS/Bursted.gen.b is a virus written in the AutoLISP programming language, the language used for scripting AutoCAD applications.

The virus first gets the file name using the command below. If the file name is Drawing1.dwg, it saves the file to the “My Documents” folder as Drawing1.dwg.

Lsp command: getvar "dwgname"

Then the virus searches for the “base.dcl” file path, in order to locate AutoCAD Support directory (%AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\).

The virus checks for the presence of “acadappp.lsp” in the AutoCAD Support directory. If the file does not exist, it copies itself there as “acadappp.lsp”. AutoCAD loads this file automatically when a drawing file is opened, which causes the virus to be executed.

The virus also infects the “acad.mnl” file in the AutoCAD Support directory, by appending the following command:

(load "acadappp.lsp")

Whenever the user tries to open a *.dwg file, it checks for existing “acad.lsp” and “acadapp.lsp” files. If those files are found, it tries to read the first line to check for the syntax “;;;”. If the syntax is not found, it replaces the file content with “;;;”.

It also copies itself as “acad.lsp” to the current working directory, alongside the *.dwg files.

Upon execution, the following files are added to the system:
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acadappp.lsp
  • [*.dwg current working directory]\acad.lsp
Upon execution, it also tries to connect to the following domain:
  • FS1
Presence of the above-mentioned behavior.

Viruses are self-replicating.

It automatically infects "acad.lsp" and “acad.mnl” files in the compromised machine.
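
The file-system indicators described above (the acadappp.lsp copy, the load command appended to acad.mnl, and an acad.lsp sitting beside drawing files) can be checked with a short script. This is an added example, not part of the original analysis or of any vendor tool; the function names, the constructed sample layout, and the regex tolerance for case and whitespace are assumptions.

```python
import os
import re
import tempfile

DROPPED_NAME = "acadappp.lsp"  # self-copy name from the description above
# Line appended to acad.mnl; tolerating case/whitespace changes is an assumption.
LOAD_HOOK = re.compile(r'\(\s*load\s+"acadappp\.lsp"\s*\)', re.IGNORECASE)

def scan_tree(root):
    """Walk root and return sorted (indicator, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        # Self-copy dropped into the AutoCAD Support directory.
        if DROPPED_NAME in lower:
            findings.append(("dropped-copy", os.path.join(dirpath, lower[DROPPED_NAME])))
        # acad.mnl carrying the appended load command.
        if "acad.mnl" in lower:
            path = os.path.join(dirpath, lower["acad.mnl"])
            with open(path, "r", encoding="latin-1") as fh:
                if LOAD_HOOK.search(fh.read()):
                    findings.append(("mnl-load-hook", path))
        # acad.lsp beside drawings can be legitimate: flag for manual review.
        if "acad.lsp" in lower and any(n.endswith(".dwg") for n in lower):
            findings.append(("acad.lsp-beside-dwg", os.path.join(dirpath, lower["acad.lsp"])))
    return sorted(findings)

def build_constructed_sample(root):
    """Create a constructed, harmless directory layout for the demo."""
    samples = {
        "Support/acadappp.lsp": ";;; placeholder text, not malware\n",
        "Support/acad.mnl": '(princ "menu")\n(load "acadappp.lsp")\n',
        "project/plan.dwg": "",
        "project/acad.lsp": ";;;\n",
        "clean/acad.mnl": '(princ "menu")\n',
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return [(kind, os.path.relpath(p, tmp).replace(os.sep, "/")) for kind, p in scan_tree(tmp)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan_tree` at a user profile or a shared project folder; the first two indicators match this description directly, while the third only narrows down which acad.lsp files to inspect.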

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).