Worm:ALisp/Kenilfe.C is a detection for a worm written in AutoLISP, the Lisp dialect embedded in Autocad, which is distributed as a compiled Autocad FAS file, 15,565 bytes in size.
Installation
When run, the worm makes a copy of itself in the following location:
where <INSTALLDIR> is the installation location for Autocad.
Worm:ALisp/Kenilfe.C also copies itself to the following location:
The worm also stores configuration information in the following registry location:
- HKCU\Software\FileKen\settings
Spreads via...
Remote shares
The worm searches for Autocad installations, which may be local or on remote shares, and copies itself into each installation directory it finds.
Removable drives
The worm enumerates all drives and checks each removable drive for Autocad related files. If it finds any, it copies itself into the same directory as the Autocad file under the name acad.fas (one of the file names Autocad loads automatically from its search path at startup, which is how the copy gets run) and creates an infection marker file named pagefile in the root of the drive, so that it does not copy itself to the same drive again.
Payload
Downloads and executes arbitrary files
The worm runs the ping command against the following host:
updatebd.8800.org
Depending on the IP address the name resolves to, it then downloads and executes a different file from the following domain:
cadgs.com
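The ping-then-download sequence leaves two hostnames in resolver logs. The following is an added example, not part of the original analysis, that hunts a DNS query log for them: it matches the ping host exactly, matches cadgs.com and any subdomain of it while rejecting look-alike names, and reports clients that resolved both, which is the full sequence the worm performs. The log line layout and the sample lines are constructed for the example and do not reproduce any real resolver's format.

```python
"""Flag Kenilfe.C network indicators in resolver query logs (added example)."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

PING_HOST = "updatebd.8800.org"   # host the worm pings; the answer steers the download
DOWNLOAD_DOMAIN = "cadgs.com"     # domain the second-stage file is fetched from

# Constructed log layout (not a real resolver format): <timestamp> <client-ip> <qtype> <qname>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


class Hit(NamedTuple):
    timestamp: str
    client: str
    qname: str
    indicator: str


def normalise(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'CADGS.COM.' and 'cadgs.com' compare equal."""
    return qname.rstrip(".").lower()


def classify(qname: str) -> Optional[str]:
    """Return the matched indicator, or None.

    The ping host is matched exactly. The download domain also matches any
    subdomain, but the label boundary check rejects look-alikes such as notcadgs.com.
    """
    name = normalise(qname)
    if name == PING_HOST:
        return PING_HOST
    if name == DOWNLOAD_DOMAIN or name.endswith("." + DOWNLOAD_DOMAIN):
        return DOWNLOAD_DOMAIN
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and keep the queries that hit an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        indicator = classify(m["qname"])
        if indicator:
            hits.append(Hit(m["ts"], m["client"], normalise(m["qname"]), indicator))
    return hits


def clients_with_both(hits: Iterable[Hit]) -> Set[str]:
    """Clients that resolved the ping host and the download domain: the worm's full sequence."""
    seen: Dict[str, Set[str]] = {}
    for h in hits:
        seen.setdefault(h.client, set()).add(h.indicator)
    return {c for c, inds in seen.items() if {PING_HOST, DOWNLOAD_DOMAIN} <= inds}


# Constructed sample log (not a real capture).
SAMPLE_LOG = """
2011-03-14T09:12:01Z 10.0.5.23 A updatebd.8800.org.
2011-03-14T09:12:02Z 10.0.5.23 A www.cadgs.com
2011-03-14T09:12:05Z 10.0.5.40 A notcadgs.com
2011-03-14T09:12:07Z 10.0.5.40 A updatebd.8800.org.example.net
2011-03-14T09:13:00Z 10.0.5.23 A CADGS.COM.
garbage line that does not parse
""".strip().splitlines()


def sample_hits() -> List[Hit]:
    """Run the scanner over the constructed log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    found = sample_hits()
    for hit in found:
        print(f"{hit.timestamp} {hit.client} queried {hit.qname} ({hit.indicator})")
    print("clients showing the full ping-then-download sequence:", clients_with_both(found))
```

A single query for cadgs.com can be browsing; a client that resolves the ping host and then the download domain in short order is the pattern worth paging on, which is why the scanner groups by client rather than only listing matches.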
Deletes files
The worm checks for the following files and deletes them if found:
- isohztxt.shx
- acad.fas1
- logo.gif
- isomianyi.shx
These files may be associated with other malware.
Renames files
The worm may check for the following files and, if found, rename them by appending _bak to the file name (acad.vlx, acad.lsp and acadiso.lsp are among the files Autocad loads automatically at startup):
- acad.vlx
- acad.sys
- lcm.fas
- acadsmu.fas
- acadapq.lsp
- acadappp.lsp
- acadapp.lsp
- acad.lsp
- dwgrun.bat
- winfas.ini
- acadiso.lsp
- isohztxt.shx
Modifies system settings
The worm may set the following registry values to enable Windows Script Host, allowing scripts to run:
- HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
- HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
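An added example, not from the original analysis, that turns the file and registry indicators described in the installation, removable-drive, rename and system-settings sections above into a host-side hunt: it walks a drive or Autocad installation for an acad.fas sitting beside Autocad files, compares its size to the 15,565-byte sample, looks for the pagefile marker at the root and for the _bak renames listed above, and on Windows checks HKCU\Software\FileKen\settings and the two Windows Script Host Enabled values. The extensions treated as "Autocad related files" and the exact placement of the _bak suffix are not stated on the page and are assumptions here; the directory tree it scans is constructed sample data.

```python
"""Host-side hunt for the Kenilfe.C file and registry indicators (added example)."""
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

SAMPLE_SIZE = 15565          # size of the analysed sample, from the write-up
WORM_COPY_NAME = "acad.fas"  # name of the copy dropped beside Autocad files
MARKER_NAME = "pagefile"     # infection marker at the drive root
RENAME_TARGETS = [           # files the worm renames by appending _bak
    "acad.vlx", "acad.sys", "lcm.fas", "acadsmu.fas", "acadapq.lsp",
    "acadappp.lsp", "acadapp.lsp", "acad.lsp", "dwgrun.bat", "winfas.ini",
    "acadiso.lsp", "isohztxt.shx",
]
# Assumption: the write-up does not say which "Autocad related files" trigger
# the copy; drawings, templates and AutoLISP files are used here.
AUTOCAD_EXTENSIONS = {".dwg", ".dwt", ".lsp", ".vlx", ".fas"}


def renamed_variants(name: str) -> set:
    """Assumption: '_bak' may follow the whole name or sit before the extension."""
    stem, ext = os.path.splitext(name)
    return {name + "_bak", stem + "_bak" + ext}


def scan_tree(root) -> Dict[str, List[str]]:
    """Walk a drive or Autocad install directory; paths come back relative to root."""
    root = Path(root)
    found = {"worm_copies": [], "size_matches": [], "marker": [], "renamed": []}
    if (root / MARKER_NAME).is_file():
        found["marker"].append(MARKER_NAME)
    variants = {v for orig in RENAME_TARGETS for v in renamed_variants(orig)}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        cad_neighbour = any(Path(f).suffix.lower() in AUTOCAD_EXTENSIONS
                            for f in files if f.lower() != WORM_COPY_NAME)
        if WORM_COPY_NAME in names and cad_neighbour:
            path = Path(dirpath) / names[WORM_COPY_NAME]
            rel = path.relative_to(root).as_posix()
            found["worm_copies"].append(rel)
            if path.stat().st_size == SAMPLE_SIZE:   # exact size of this sample
                found["size_matches"].append(rel)
        found["renamed"] += [(Path(dirpath) / f).relative_to(root).as_posix()
                             for f in files if f.lower() in variants]
    for lst in found.values():
        lst.sort()
    return found


def check_registry() -> Dict[str, object]:
    """Windows only: the worm's settings key and the WSH 'Enabled' values it may set."""
    if sys.platform != "win32":
        return {"supported": False}
    import winreg
    result = {"supported": True, "fileken_key": False, "wsh_enabled": {}}
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\FileKen\settings"))
        result["fileken_key"] = True
    except OSError:
        pass
    wsh = r"SOFTWARE\Microsoft\Windows Script Host\Settings"
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, wsh) as key:
                result["wsh_enabled"][hive_name] = winreg.QueryValueEx(key, "Enabled")[0]
        except OSError:
            result["wsh_enabled"][hive_name] = None  # value absent, WSH default applies
    return result


def build_sample_tree(base) -> Path:
    """Constructed stand-in for an infected removable drive (sample data, not a capture)."""
    base = Path(base)
    site = base / "projects" / "site"
    site.mkdir(parents=True)
    (site / "plan.dwg").write_bytes(b"constructed drawing stub")
    (site / WORM_COPY_NAME).write_bytes(b"\x00" * SAMPLE_SIZE)  # copy beside a drawing
    (site / "acad.lsp_bak").write_text("; autoload file renamed by the worm")
    (base / MARKER_NAME).write_bytes(b"")                       # infection marker
    docs = base / "docs"
    docs.mkdir()
    (docs / "notes.txt").write_text("no CAD files here")
    (docs / WORM_COPY_NAME).write_bytes(b"x")                   # no CAD neighbour: ignored
    return base


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("registry:", check_registry())
```

acad.fas is also a legitimate autoload file name in Autocad support paths, so a worm_copies hit without a size match needs triage (hash it or compare it to a known-good copy) rather than deletion on sight; the size check is specific to this 15,565-byte sample. A present pagefile marker or any _bak rename from the list is a much stronger signal, and on a Windows host the FileKen key being present confirms the worm has run under that user.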
Analysis by Ray Roberts