Remove ACAD / Medre.A Worm From Infected Autocad Design Files

0
1305
ACAD Medre.A

ACAD Medre.AACAD / Medre.A Worm is actually a computer malware that targets drawings created in AutoCAD software for computer-aided design (CAD). ESET has been uncover there are a big spike in worldwide on ESET’s LiveGrid (a cloud-based malware collection system utilizing data from ESET users worldwide). ESET’s research indicated that this Autocad worm steals files and sends them to email accounts located in China.

What exactly is ACAD / Medre.A doing?

After some configuration, ACAD / Medre.A sends opened AutoCAD drawings by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It tries to do this using one of 22 accounts at 163.com and 21 accounts at qq.com, another Chinese freemail provider.

How does ACAD / Medre.A infect the system?

This ACAD / Medre.A Worm is downloaded to the Autocad user system as a hidden file named acad.fas, usually accompanying a .dwg file (AutoCAD drawing). Once this drawing is opened, AutoCAD’s automatic loading routine calls the acad.fas file – present in the same folder – thus executing the malware itself. It tries to copy itself to several locations and alters AutoCAD’s automatic loading routine to ensure that it will be executed whenever an AutoCAD drawing (.dwg) is opened on the infected system.

 In addition to this, there’s a reason why the script (even when already running on an infected system) is copied to the directory of the currently opened DWG. If the user wants to send his drawings to someone else, it is likely that he will add the whole directory into an archive and send the worm along with it.

What can ACAD / Medre.A infect?

The sample is able to infect versions 14.0 to 19.2 of AutoCAD (AutoCAD 2000 to AutoCAD 2015) by modifying the corresponding native startup file of AutoLISP (acad.lsp). The author assumes that his code will even work for future versions of AutoCAD as it has support for the AutoCAD version that will be released in 2013, 2014 and 2015.

How to resolve ACAD/Medre.A worms?

ESET has created a dedicated stand-alone cleaner, available for free at: http://download.eset.com/special/EACADMedreCleaner.exe.

More information: ESET Encyclopedia about ACAD / Medre.A Worms