AutoCAD Worm Uncovered
ACAD/Medre.A Worm nabs design files, e-mails them to China.
Computer security software firm ESET announced that it has discovered a worm — ACAD/Medre.A — that targets drawings created in AutoCAD. Recently, the company’s cloud-based malware collection system confirmed that tens of thousands of AutoCAD drawings, primarily from users in Peru, were leaked to e-mail accounts in China.
A posting on the company’s blog reports that the worm is written in AutoLISP and spreads via infected AutoCAD templates. Designed to infect AutoCAD versions 2000 (14.0) through 2015 (19.2), ACAD/Medre.A then calls Visual Basic scripts to collect any drawing files opened on the affected machine and create encrypted compressed files.
“After some configuration, ACAD/Medre.A sends opened AutoCAD drawings by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider,” says ESET Senior Research Fellow Righard Zwienenberg.
According to ESET, the trojan, although effective, doesn’t seem to be part of a directed attack and is primarily limited to Peru and other nearby South American countries. Since the discovery, the company has worked with the Chinese National Computer Virus Emergency Response Center and ISPs to block the worm author’s e-mail accounts. ESET also worked with Autodesk to create a free stand-alone cleaner.