Trojan:ALisp/Gofas
First posted on 24 October 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:ALisp/Gofas.
Explanation:
Threat behavior
The Gofas malware family targets AutoCAD and can modify AutoCAD system files.
Installation
Variants in this family are usually distributed as FAS files in a VLX container file acad.vlx. They are stored together with a drawing so they can take advantage of the AutoCAD auto load feature.
When run, the malware tries to make copies of itself in multiple locations. For example, we have seen these threats copy themselves to the following locations in AutoCAD 2013:
- %APPDATA%\Roaming\Autodesk\AutoCAD 2013 - English\R19.0\enu\Support\acad.vlx
- %ProgramFiles%\Autodesk\AutoCAD 2013\Help\logo.gif
Payload
Modifies AutoCAD system files
The malware checks for and tries to modify the following files:
- acad.mnl
- acetauto.lsp
- ai_utils.lsp
It inserts a single line of AutoLISP code that makes a copy of the file logo.gif as acad.vlx. This restores acad.vlx if it is deleted.
Analysis by Ray Roberts
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
%APPDATA%\Roaming\Autodesk\AutoCAD 2013 - English\R19.0\enu\Support\acad.vlx
%ProgramFiles%\Autodesk\AutoCAD 2013\Help\logo.gif
Last update 24 October 2014
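The indicators described above (the acad.vlx and logo.gif copies and the three AutoLISP files the malware modifies) can be checked with a short triage script. This is an added example, not code from Microsoft's write-up; it assumes that the logo.gif self-copy does not begin with a GIF signature and that the inserted line names logo.gif in clear text, and the sample tree it scans is constructed.

```python
import os
import tempfile

PATCHED_TARGETS = {"acad.mnl", "acetauto.lsp", "ai_utils.lsp"}  # files the page says Gofas modifies
GIF_MAGIC = (b"GIF87a", b"GIF89a")

def scan(root):
    """Walk root and return sorted (reason, path) findings for the indicators on this page."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == "acad.vlx":
                # Auto-loaded by AutoCAD, so every copy found deserves a manual review.
                findings.append(("acad.vlx present", path))
            elif low == "logo.gif":
                with open(path, "rb") as fh:
                    head = fh.read(6)
                # Assumption: a self-copy of the VLX will not start with a GIF signature.
                if head not in GIF_MAGIC:
                    findings.append(("logo.gif is not a GIF image", path))
            elif low in PATCHED_TARGETS:
                with open(path, "r", encoding="latin-1") as fh:
                    for lineno, line in enumerate(fh, 1):
                        # Assumption: the inserted line names logo.gif in clear text.
                        if "logo.gif" in line.lower():
                            findings.append((f"line {lineno} references logo.gif", path))
    return sorted(findings)

def build_constructed_tree(root):
    """Constructed sample tree: one clean support file and three suspicious files."""
    samples = {
        "Support/acad.vlx": b"constructed placeholder bytes",
        "Help/logo.gif": b"constructed placeholder bytes",
        "Support/acad.mnl": b";; menu lisp\n(constructed-line \"logo.gif\" \"acad.vlx\")\n",
        "Support/ai_utils.lsp": b";; clean file\n(princ)\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for reason, path in scan(tmp):
            print(f"{reason}: {path}")
```

To check a real machine, call scan() on the AutoCAD installation directory, the per-user Autodesk support directory, and any folders that hold shared drawings.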