Another AutoCAD malware warning

Another AutoCAD malware warning

Shaan Hurley has posted some useful information about another AutoCAD-based virus that is doing the rounds, and I strongly suggest you read it. However, I have some reservations about the solution that is posted there and in the Autodesk knowledgebase.

The LISP code suggested will delete any files called acad.vlx or logo.gif that are located in the current user’s current AutoCAD search path. There are a couple of problems with that.

  • The search path will change depending on the user, the profile, the startup folder and the drawing folder. That means you can’t just use the code once and expect the problem to go away; the code will need to remain in place permanently to ensure it does not recur. That may not be a huge problem, although it will have a performance penalty (particularly where the search path is long and/or includes network paths) and it is one more thing to remember to carry over to future releases.
  • More importantly, the code has no idea if the files it is deleting are legitimate or not. It is quite possible for a custom environment or third-party utility to make use of a file called acad.vlx, and there are all sorts of reasons you may have a logo.gif file floating around. The Autodesk code will just erase such files without prior warning, which is a bit naughty.

I commend Shaan and Autodesk for posting this information and proposed solution. However, I recommend caution before using this code as suggested. Check with your CAD Manager (if you have one) first to ensure there are no legitimate acad.vlx files in your environment. Do a search for these files yourself and see if there is a legitimate reason for them being where they are.

As with most malware attacks, taking care with incoming files is a very important part of the solution. Don’t just blindly use the contents of a zip file full of drawings, even from a trusted source. If somebody sends you a zip file containing an acad.vlx file, let the sender know about the problem and ask for an uninfected set of files.

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.