ACAD/Medre.A – 10000′s Of AutoCAD Files Leaked in Suspected Industrial Espionage
An AutoCAD worm written in AutoLISP (the scripting language AutoCAD uses) suddenly showed a big spike in ESET's LiveGrid® telemetry two months ago, concentrated in a single country: Peru.
The main motive of the malware is to steal AutoCAD drawings from the infected system. These are sent to the attacker via email. Apart from the stolen drawings, some additional information is also sent.
ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals will have designs before they even go into production by the original designer. The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office. The inventor may not know of the security breach until his patent claim is denied due to prior art.
You can download the ACAD/Medre.A removal tool here.
The sample is able to infect versions 14.0 to 19.2 of AutoCAD. It modifies AutoLISP's native startup file (acad.lsp) and installs itself under the name of the auto-load file, acad.fas. It also employs Visual Basic Scripts, executed by the Wscript.exe interpreter that has been integrated into Windows since Windows 2000. The author evidently expects the code to keep working in future versions of AutoCAD as well, since it already contains support for the AutoCAD versions due to be released in 2013, 2014 and 2015.
The Autodesk Knowledge Base article TS19860569 says:
What is the nature of the malware?
ACAD/Medre.A is an AutoLISP program disguised as an acad.fas file. When a user opens a DWG from a folder containing this file, the malware sends a copy of the DWG via an email (using SMTP protocol). For additional information on an AutoLISP based malware, visit: AutoCAD and Viruses.
ACAD/Medre.A is also known as: ALisp/Blemfox.A (Microsoft), Trojan.Acad.Bursted.W (BitDefender), ALS.Bursted.B (Symantec).
Which Autodesk products may be affected?
The malware targets AutoCAD releases 2000 and newer, and other products based on AutoCAD. AutoCAD LT, AutoCAD for Mac and other Autodesk products are not affected.
How can I know if my system is infected?
The malware is easily detectable by major antivirus solutions with up-to-date virus definitions. We recommend users perform a full virus scan to see if their system is infected by this malware.
There are alternative methods of detecting possible infections by this malware:
- acad.fas or cad.fas files on your system may indicate the presence of this malware. You can search for these files in Windows Explorer. Since these files could be hidden, you may need to show hidden files using the following Microsoft solution: Show Hidden Files.
- Search for acad.fas from the AutoCAD command line by typing (findfile "acad.fas"), including the parentheses.
If the search finds a match, compare an MD5 or SHA-1 cryptographic hash of the discovered acad.fas file with the following values: MD5: 7b563740f41e495a68b70cbb22980b20; SHA-1: 3ea33bedadc9bfc92c570b316b78b6fd9787f09. If the MD5 or SHA-1 hash values match, your system is infected. For more information on how to compute an MD5 or SHA-1, see: How to compute the MD5 or SHA-1 cryptographic hash values for a file.
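The detection steps above (look for acad.fas or cad.fas anywhere on disk, hidden or not, hash what you find, and compare against the published values) can be scripted so that a whole file share or a fleet of workstations is triaged the same way. The following Python script is an added example for that purpose; it is not code from ESET, Autodesk or the malware itself. The MD5 and SHA-1 values are copied verbatim from the KB excerpt quoted above. Note that the SHA-1 as printed there is 39 hex digits, one short of a full SHA-1 digest, so the script treats it as a prefix rather than an exact value. It also goes one step beyond the KB by recording whether .dwg files sit in the same folder as a suspect file, since that is the trigger condition the KB describes. The folder tree and file contents in `demo()` are constructed sample data, not the real malware's bytes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator values copied from the Autodesk KB excerpt quoted above.
# The SHA-1 as printed there is 39 hex digits (one short of a full digest),
# so it is matched as a prefix rather than as an exact value.
MEDRE_MD5S = {"7b563740f41e495a68b70cbb22980b20"}
MEDRE_SHA1_PREFIXES = {"3ea33bedadc9bfc92c570b316b78b6fd9787f09"}

# File names the KB tells users to look for (matched case-insensitively).
SUSPECT_NAMES = {"acad.fas", "cad.fas"}


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def classify(md5, sha1, md5_iocs, sha1_prefixes):
    """'ioc-match' when either published hash matches, otherwise 'review'."""
    if md5 in md5_iocs or any(sha1.startswith(p) for p in sha1_prefixes):
        return "ioc-match"
    return "review"


def scan_tree(root, md5_iocs=MEDRE_MD5S, sha1_prefixes=MEDRE_SHA1_PREFIXES):
    """Walk root and report every acad.fas / cad.fas found, hashed and classified.

    os.walk lists hidden files as well, so the "show hidden files" step from
    the KB is not needed here. Each finding also records whether .dwg files
    live in the same folder, the condition under which the KB says the
    auto-load file is executed.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dwg_here = any(f.lower().endswith(".dwg") for f in filenames)
        for name in filenames:
            if name.lower() not in SUSPECT_NAMES:
                continue
            full = Path(dirpath) / name
            md5, sha1 = file_hashes(full)
            findings.append({
                "path": full.relative_to(root).as_posix(),
                "md5": md5,
                "sha1": sha1,
                "dwg_in_same_folder": dwg_here,
                "verdict": classify(md5, sha1, md5_iocs, sha1_prefixes),
            })
    findings.sort(key=lambda f: f["path"])
    return findings


# Constructed sample contents for the demo; these are NOT the malware's bytes.
SAMPLE_A = b"constructed stand-in for an acad.fas file"
SAMPLE_B = b"a different constructed cad.fas file"


def demo():
    """Build a constructed folder tree, scan it twice, and return both result lists.

    The first scan uses the published IoCs (nothing matches, so both files are
    flagged for manual review). The second feeds the MD5 of SAMPLE_A in as an
    IoC to show what a confirmed hit looks like.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drawings").mkdir()
        (root / "drawings" / "acad.fas").write_bytes(SAMPLE_A)
        (root / "drawings" / "plan.dwg").write_bytes(b"constructed dwg placeholder")
        (root / "shared").mkdir()
        (root / "shared" / "CAD.FAS").write_bytes(SAMPLE_B)
        (root / "shared" / "notes.txt").write_bytes(b"nothing to see here")
        with_published = scan_tree(root)
        with_sample_ioc = scan_tree(root, md5_iocs={hashlib.md5(SAMPLE_A).hexdigest()})
    return with_published, with_sample_ioc


if __name__ == "__main__":
    # Run against the current directory; point this at a drawing share in practice.
    for finding in scan_tree(os.getcwd()):
        print(finding)
```

A file that is flagged "review" rather than "ioc-match" is not cleared: hash indicators only catch the exact sample that was published, so any acad.fas or cad.fas sitting next to drawings still deserves a look with an up-to-date antivirus product, as the KB recommends.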
How can I remediate the infection?
This malware can be remediated through leading commercial antivirus solutions. Autodesk has confirmed that Microsoft, Trend Micro, McAfee, Symantec, and Kaspersky antivirus solutions can clean this malware. We have also verified that ESET’s ACAD/Medre.A stand-alone cleaner can clean this malware. We will update this FAQ as we test additional antivirus solutions.
What best practices can I follow to reduce my chances of being infected?
We recommend users protect their systems through use of an antivirus solution with up-to-date virus definitions. In addition, the following best practices can reduce the chance of an infection:
- Do not open archive files (e.g. zip) from unknown users.
- Do not run an unknown AutoLISP file without inspecting it first.
- The following Autodesk knowledge base article also provides additional best practices:
AutoCAD and Viruses