We have received support requests from customers who are suddenly experiencing crashes in AutoCAD when running the EATTEDIT (Enhanced Attribute Editor) command. Initially, the problem seemed to coincide with Microsoft Windows updates but we couldn't narrow it down to any particular DLL that might have changed that would be causing the issue.
After deeper investigation by the AutoCAD development team, the source of the problem was tracked down to a virus that is a variation on the Backdoor.Coreflood Trojan horse. The Trojan creates uniquely named files for each infected system and masquerades as legitimate Windows DLLs by naming itself with the extension, D - capital I - L, which looks like a standard DLL extension when displayed in lowercase. Along with the .DIL file, it also creates a .DAT file with the same name. The Trojan hooks parts of the Win32 API and crashes. This has been logged with Symantec who has confirmed that it is a variation on the Backdoor.Coreflood Trojan that has been around for years. Symantec will be updating their virus definition files to include detection of this variation.
If you are experiencing this particular problem, search the C:\Windows\System32 directory for any files with a .DIL extension. Renaming or deleting those files has solved the crashing problem for all of our affected customers. Backdoor.Coreflood creates random clsids to restore itself if removed so the best long-term solution will be to log the issue with your Anti-Virus provider and then load and run with the latest virus definitions, when available, to avoid having the Trojan return.
Comments