The Dangers of the ACADDOC.lsp
When opening a drawing, AutoCAD will search the Working Directory (that is, the directory in which the active drawing resides), and all Support Paths (those listed in the Files tab of the Options dialog) for a file with the filename ACADDOC.lsp.
When such a file is found, AutoCAD will cease searching and will proceed to load the ACADDOC.lsp file into the active drawing namespace.
The act of loading a LISP file simply means that the contents of the file are read and any LISP expressions found therein are evaluated by the LISP interpreter.
In this way, most users will utilise the ACADDOC.lsp to automatically load custom programs when a drawing is opened, so that such programs are available during the drawing session. This is a more reliable and migratable method than using the Startup Suite for the same purpose.
However, with the knowledge that AutoCAD will search the Working Directory before any other path, it becomes very simple to include malicious code within an ACADDOC.lsp file sent with a drawing, so that, when the drawing is opened by an unsuspecting user, the ACADDOC.lsp file will be automatically loaded and the malicious code will be evaluated.
Such code could perform any number of operations: AutoLISP can very easily modify the registry, deleting or writing new registry keys; delete files from the system (bypassing the recycle bin); or write new files to the system.
Most commonly included within this malicious code is the simple operation for the ACADDOC.lsp to copy itself to various (often hidden) locations on the user's system, complete with all malicious code, so that the file can continue to wreak havoc even after the user has deleted the original file.
Similar Autoloading Files
The ACADDOC.lsp is not the only file that is automatically sought and loaded into the drawing.
When the AutoCAD application is opened, a number of files are automatically loaded, and others are reloaded each time a drawing is opened thereafter.
Most of these files are part of the application itself and hence should not be modified; others, however, are reserved for user customisation and can be modified, or created if they don't already exist.
Below is the loading order of the various files that are automatically loaded into AutoCAD, with a brief description about each item:
acad.rx
This file loads various ObjectARX applications when AutoCAD is started
acad20##.lsp
This file loads the acad20##doc.lsp file in versions which do not load such a file automatically. This file should not be modified.
acad.lsp
The loading of this file is dependent on the setting of the ACADLSPASDOC System Variable:
ACADLSPASDOC = 0 (default)
Loads acad.lsp into just the first drawing opened in an AutoCAD session, and will not load for each subsequently opened drawing.
ACADLSPASDOC = 1
Loads acad.lsp into every drawing opened.
This file is reserved for user customisation and is intended to be used for application-specific startup routines, as all functions and variables defined in an acad.lsp file are only available in the first drawing.
If functions are required in all drawings, rather than altering the value of ACADLSPASDOC, functions & programs should be moved from the acad.lsp file into the acaddoc.lsp file.
acad20##doc.lsp
This file is automatically loaded every time a drawing is opened and loads the autoload function definition and other utility functions required by AutoCAD. This file should not be modified.
acaddoc.lsp
As described above, if found, this file is automatically loaded into every drawing opened in the AutoCAD session. This file is useful for loading a library of AutoLISP functions to be available every time a drawing is opened.
The acaddoc.lsp file is always loaded with each drawing regardless of the settings of the ACADLSPASDOC System Variable.
Since AutoCAD will search the working directory before the Support Paths and will load the first acaddoc.lsp file found, users can have a different acaddoc.lsp file in each drawing directory, which would load specific AutoLISP routines for certain types of drawings or jobs.
acad.dvb
This file will automatically load VBA projects for versions in which VBA is enabled.
Main CUI/CUIX and related files
A CUIx file contains multiple XML-based files and image files, each of which contains the data for a user interface element that can be customised. CUIx files replace the CUI, MNU, MNS, and MNC files that were used to define menus in previous releases.
The Main CUIx file defines the majority of interface elements in AutoCAD.
Enterprise CUI/CUIX and related files
The Enterprise CUIx file is typically controlled by a CAD manager and accessed by many users, usually from a shared network location.
This file is read-only to users to prevent the data in the file from being changed. A CAD manager would create an enterprise CUIx file by modifying a Main CUIx file and then saving the file to a shared network location.
See here for information on how to create this file.
acetmain.mnl
This file loads the Express Tools menugroups.
Express Tools LISP & MNL files
The various LISP and Menu files required by the Express Tools programs are loaded here.
Startup Suite programs
Program files residing in the Startup Suite are now loaded, in the order they appear in the AppLoad dialog.
The Startup Suite is known to be temperamental in some versions of AutoCAD, so I would recommend using the acaddoc.lsp for loading functions and programs required during the drawing session.
(S::STARTUP)
This post-initialisation function can be utilised to perform operations after the drawing has initialised in the drawing editor.
Since the acad.lsp and acaddoc.lsp files are loaded early in the drawing initialisation procedure, commands issued at run-time from these files may be unsuccessful as the command-line may not be initialised in the drawing.
acad.exe command line switch /b
The command-line switch /b can be used to run a Script when the AutoCAD application is launched. Any Script operations called in this way will be executed after drawing initialisation has completed.
Command-line switches can be set from within the properties of the AutoCAD application shortcut icon, within the Target edit box.
For a more detailed description of command-line switches, see here.
Removing AutoCAD 'Viruses'
AutoCAD 'viruses' mostly occur in the form of a hijacking of the ACADDOC.lsp file, causing this file to change users' settings, potentially corrupting the users' system and causing irrevocable damage, and most commonly multiplying this file to spread across the users' file system.
However, should the CAD environment be successfully reset, this file can only continue to cause harm if it can be found by AutoCAD and loaded into a drawing, resulting in the malicious code being evaluated and file replication occurring once again.
Hence, the solution to removing the 'virus' is to simply remove all instances of the malicious ACADDOC.lsp file from the system so that it can no longer replicate itself or alter the system in any way.
To check whether all instances of this file have been removed, simply type at the AutoCAD command line:
Code:
(findfile "ACADDOC.lsp")
If the above returns a valid filepath, navigate to the filepath and remove the file, then re-type the above expression to test for the existence of any other ACADDOC.lsp files.
This process could also be automated using a LISP program:
Code:
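(defun c:delacaddoc ( / file flag )
    (setq flag t)
    ;; findfile returns the first ACADDOC.lsp on the search path each time round
    (while (and flag (setq file (findfile "ACADDOC.lsp")))
        (if (vl-file-delete file)
            (princ (strcat "\nDeleted file: " file))
            (progn
                (princ (strcat "\nUnable to delete file: " file))
                ;; stop here: findfile would keep returning this same file
                (setq flag nil)
            )
        )
    )
    (princ)
)
The above program will delete all ACADDOC.lsp files found in either the current Working Directory or any AutoCAD Support Path, stopping at the first file it cannot delete, since findfile would otherwise return that same file indefinitely. It removes every file of that name it finds, so any legitimate ACADDOC.lsp should be backed up beforehand.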
However, be aware that due to the autoloading nature of the acad.lsp, acad20##.lsp & acad20##doc.lsp, these files also have the potential to contain malicious code and should be monitored.
Other AutoCAD 'Viruses'
AutoCAD 'viruses' can use files other than those noted above to infect users' systems.
A well-known AutoCAD 'virus' is spread via a file named acad.vlx.
The naming of this file intentionally misleads users into thinking that it is part of the program files for the application and hence should not be deleted; however, this file can cause considerable damage to a user's system if not removed.
For more information about the acad.vlx virus, and how to remove it, see here.
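Because the drawing's own folder is searched before the Support Paths, a received project folder can be checked before any drawing in it is opened. The following Python script is an added example, not part of the original article: it reports every autoload-named file that shares a folder with a .dwg and, for plain-text .lsp files, which registry or file-system calls they contain. The names scan_tree, AUTOLOAD and RISKY are illustrative, and the RISKY function list is an assumed triage list rather than a complete one.

```python
import os
import re

# Autoload file names taken from the article; acad20##.lsp and
# acad20##doc.lsp are matched by the acad20\d\d(doc)? alternative.
AUTOLOAD = re.compile(
    r"^(acaddoc\.lsp|acad\.lsp|acad20\d\d(doc)?\.lsp|acad\.vlx|acad\.dvb|acad\.rx)$",
    re.I,
)
# AutoLISP calls matching the behaviours the article describes (registry
# edits, file deletion, self-copying). Assumed triage list, not exhaustive.
RISKY = re.compile(
    rb"\(\s*(vl-registry-write|vl-registry-delete|vl-file-delete|vl-file-copy)\b",
    re.I,
)


def scan_tree(root):
    """Return one finding per autoload file that sits beside a .dwg."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        # Only a drawing's own folder is searched ahead of the Support Paths.
        if not any(f.lower().endswith(".dwg") for f in files):
            continue
        for name in sorted(files):
            if not AUTOLOAD.match(name):
                continue
            path = os.path.join(folder, name)
            calls = []
            # .vlx/.dvb/.rx are not plain text, so they are flagged by name only.
            if name.lower().endswith(".lsp"):
                with open(path, "rb") as fh:
                    found = RISKY.findall(fh.read())
                calls = sorted({c.decode().lower() for c in found})
            findings.append({"path": path, "calls": calls})
    return findings


if __name__ == "__main__":
    import sys

    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["path"], "->", ", ".join(hit["calls"]) or "review manually")
```

An empty call list does not mean a file is clean; it means the file needs manual review before the drawing beside it is opened.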