AutoCAD Malicious Code / Virus Alert “acad.vlx” and Solution

A virus is being reported by a couple of AutoCAD-based product customers. The original virus first popped up in 2005 and was very limited, but it has been changed slightly. Some antivirus software does detect this virus and remove it. Many great people worked behind the scenes over the past week to research and publish a solution.

The virus spreads when someone places the malicious acad.vlx in a directory with the DWG files being opened, or in a support path location. From there it spreads into open DWG files and replicates itself.

The LISP code below detects and deletes any acad.vlx file before AutoCAD attempts to load it, preventing the spread of the virus. The possible random strings written to the DWG file by the acad.vlx appear to be harmless. The malicious file acad.vlx is not an Autodesk file.

Update: Check with your CAD Manager or fellow employees to make sure you have not named your own customization "logo.gif" or "acad.vlx", as the LISP below will not check the version but will remove any file named logo.gif or acad.vlx. There is a file checksum published here: AutoCAD malware: ACAD.VLX.

The Autodesk Technical Solution is being published to the AutoCAD Support Page and is also being mentioned on the Support Blog, Without A Net, by Tom Stoeckel:

ID: TS13717811
Published date: 2009-Aug-07
http://usa.autodesk.com/getdoc/id=TS13717811

Issue

Users of AutoCAD-based products have reported a malicious acad.vlx file that causes drawing corruption.

Solution

This is not an actual AutoCAD file provided by Autodesk. When the malicious acad.vlx file is loaded in AutoCAD, it corrupts the drawing, which may result in a Missing Language Pack dialog box displaying when you save and reopen the drawing.

The acad.vlx file creates a copy of itself in the Help folder (for example, C:\Program Files\AutoCAD 2010\Help\logo.gif). Several other files are also modified and the ACADLSPASDOC system variable is set to 1, allowing the acad.vlx file to be loaded into other opened drawings, thereby corrupting them.

The cleanup process outlined below detects and deletes any acad.vlx file before AutoCAD attempts to load it, preventing the spread of the virus.

To prevent additional file corruptions

  1. You must be a system administrator on your Microsoft® Windows® operating system to complete this process.
    1. In your product installation folder, locate the Support folder (for example, C:\Program Files\AutoCAD 2010\Support).
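    2. In the Support folder, double-click the acad20xx.lsp file (for example, the acad2010.lsp file). Add the code below to the file. AutoCAD will detect and delete the acad.vlx and logo.gif files.
      (defun cleanvirus ( / lspfiles lspfile x)
        ; File names used by the malicious code; any file with these names is deleted
        (setq lspfiles '("acad.vlx" "logo.gif"))
        (foreach lspfile lspfiles
          ; Repeat while a copy is still found on the search path and can be deleted
          ; (the loop stops if vl-file-delete fails, for example on a read-only file)
          (while (and (setq x (findfile lspfile)) (vl-file-delete x))
            (progn
              (princ "\nDeleted file ")
              (princ x)
            );progn
          );while
        );foreach
      )
      (cleanvirus)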
    3. Open each of the following files:
      • C:\Program Files\AutoCAD 20xx\Express\acetauto.lsp
      • C:\Program Files\AutoCAD 20xx\Support\ai_utils.lsp
      • ROAMABLEROOTPREFIX\Support\acad.mnl
        Note: Replace ROAMABLEROOTPREFIX with the value returned by the ROAMABLEROOTPREFIX system variable.
    4. If present, delete the following line of code:
      (vl-file-copy(findfile(vl-list->string'(108 111 103 111 46 103 105 102)))(vl-list->string'(97 99 97 100 46 118 108 120)))
    5. Save each file.

    End of Solution Document.
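An added example (not part of the Autodesk solution document): a read-only Python check for the artifacts described above. It reports files named acad.vlx or logo.gif with their SHA-256, for comparison against a published checksum, and flags .lsp/.mnl lines where vl-file-copy appears with a vl-list->string character list that decodes to one of those names. The function names are illustrative and nothing is deleted.

```python
import hashlib
import re
from pathlib import Path

SUSPECT_NAMES = {"acad.vlx", "logo.gif"}   # file names given in the solution document
SCRIPT_SUFFIXES = {".lsp", ".mnl"}         # startup script types listed in step 3
# Matches vl-list->string '(108 111 ...) with or without whitespace before the quote
CHARLIST = re.compile(r"vl-list->string\s*'\(\s*([\d\s]+?)\s*\)", re.IGNORECASE)


def decode_charlists(line):
    """Return the strings hidden in every vl-list->string '(...) call on a line."""
    out = []
    for m in CHARLIST.finditer(line):
        codes = [int(n) for n in m.group(1).split()]
        if all(c < 0x110000 for c in codes):   # skip values chr() cannot represent
            out.append("".join(chr(c) for c in codes))
    return out


def is_injected_line(line):
    """True if the line calls vl-file-copy and a decoded string names a suspect file."""
    if "vl-file-copy" not in line.lower():
        return False
    return any(s.lower() in SUSPECT_NAMES for s in decode_charlists(line))


def scan(root):
    """Walk root and report suspect files and injected script lines. Deletes nothing."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in SUSPECT_NAMES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            findings.append(("suspect-file", str(path), digest))
        elif path.suffix.lower() in SCRIPT_SUFFIXES:
            text = path.read_text(errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if is_injected_line(line):
                    findings.append(("injected-line", str(path), no))
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Run it against the product installation folder and the ROAMABLEROOTPREFIX folder; a reported file is only a name match, so check it against your own customization before removing it.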

<hurley_warped_humor_alert> Many times, some precautions can prevent most risks of malware or viruses: maintain vigilance on what files are allowed into your environment and run up-to-date antivirus software. This is common sense, like knowing what direction the dog is pointing before you pet it in a dark room, or not golfing downwind of Tiger Woods or the golf announcer. </hurley_warped_humor_alert>

For more tips on preventing viruses in AutoCAD, see AutoCAD and Viruses.

Shaan

24 comments

Won’t that code just blindly delete all files called acad.vlx and logo.gif that it finds in the current user’s current search path? What if they include legitimate files? This solution seems a little dangerous to me.

JGA says:

Shaan,
Thanks for raising this to everyone’s attention.
Can you please clarify whether AutoCAD LT is affected by this “Malicious Code”?

Steve,
You are correct, it deletes the files, but there is not really any way to identify the files as they would be morphed again. I do not know of any concerns regarding deletion of acad.vlx or the logo file when weighing its impact versus an active infection in a person's AutoCAD environment.
Perhaps we could reference a checksum of the current known files and update it in the solution?
Cheers,
Shaan

JGA,
This acad.vlx issue while remote in risk to AutoCAD users does not affect AutoCAD LT.
Thank you for the question.
Cheers,
Shaan

Deleting any files without consent is always a concern. It’s perfectly possible for acad.vlx to be a legitimate (and vital) file in a custom AutoCAD environment, and logo.gif could be a legitimate file in anybody’s environment.
A checksum would be OK for this iteration of the problem, but then you’re getting sucked into creating and maintaining anti-virus software. It would set up an expectation of Autodesk updating the checksum every time a new idiot with a modified virus comes along. I think I’d prefer Autodesk to put its efforts into helping people detect and clean up the affected drawings.
As Jimmy Bergmark suggested on my blog, maybe it would be better to just rename the files and inform the user. I may have a look at doing something along those lines myself.

CJB says:

The post mentions that some antivirus software does detect and remove the virus. Does anyone know what products do detect and remove this virus?

Steve,
Thank you for the feedback. We wanted to get the solution out for the few impacted by this problem. I will see if we can add some wording about backing up the files should they know they have valid acad.vlx and logo.gif.
We continue to actively work for more of a comprehensive solution.
Shaan

CJB,
There appear to be a few antivirus vendors that detect the issue, such as Symantec, Trend Micro, Microsoft, and a few others. I could not even mail a zipped bad acad.vlx as our email system would remove it.
Best Regards,
Shaan

I’ve done a safer version that renames the files, and will post it on my blog soon after some more testing.

Rhino says:

Yeah, I received an infected file with the “Must re_cover” msg – the thing is that after deleting the acad.vlx etc. files, the drawing that first appeared with this msg does not show anything but this text even though the audit shows x number of entities – the layers are all frozen and locked but unlocking/thawing them does not seem to fix it either…
It corrupts the file!!!
anyway I add the code to a batch file and distribute in my office – I work in Sales and we get a lot of drawings from clients hence prone to this attack

We are working on a long term solution to malicious code.

Paul Barras says:

How do I turn the Missing Language Pack dialog box back on if I checked to turn it off. I would like to be able to trouble shoot the problem if I can get the box to appear again.
Thanks,
Paul

cfabrepe@comcast.net says:

I am getting the “Missing Language Pack” box, but have not found a virus using the above methods.
Is there a way to eliminate the missing languages?
Thanks,
Chad

Chad says:

Update: I get the message after creating a new file from template, saving, and reopening.
I do not have acad.vlx or logo.gif. I’ve reported it to Autodesk and waiting for response.

Kevin says:

So I’ve seen solutions on how to PREVENT this virus and checked for existence of the acad.vlx and logo.gif. Has anyone come up with a solution on how to FIX any drawings which get the “Missing Language Pack” dialog? – Thanks, Kevin

Mike says:

The only way I have been able to fix drawings with the Missing Language Pack error is to copy the contents to a new drawing with a copy and paste. It’s not the most tech savvy method but it has worked for me numerous times.

ammar says:

a new virus just turned my life upside down :
virus.acad.pasdoc.ad
We all know there are two ways to work in AutoCAD:
1-Enter a command first, and then select objects
or
2-select the objects first, and then enter a command
OK. This virus cancels option 2.
Every time I select an object and apply a command it does not work.
Kaspersky found the virus and deleted it from the USB flash but after I opened it and it did not cancel the effect of the virus
pleaseeeeeeeeeeeeeeeeeeeee help me.
I am using Autocad 2012 64x
and thanks in advance

Ammar, in your case it might not be a virus but rather the way you are set up in AutoCAD. Set Pickfirst to 1 to get selection the way you want.
Regards,
Shaan

Mathew Kurien says:

My computer is affected by vlx virus files, but I don't see the acad20xx.lsp file on my computer. Any other name for these files? Please clarify where the location of this file is on my computer.
Mathew

can anyone clarify step 3 please concerning
ROAMABLEROOTPREFIX\Support\acad.mnl
i didn’t get it well :S
