Dealing with computer viruses is a pain. Windows users have been doing this for a while and recently many Mac computers were infected as well. It seems that nobody is safe anymore, or at least everybody should be weary and prepared. The same is true for AutoCAD users as recent headlines would show. The malware “virus” known as ACAD/Medre.A has made an impact in the country of Peru in the past few months according to ESET’s Threat Blog.
ESET (an IT security company headquartered in Bratislava, Slovakia with branch offices in San Diego, U.S.A.; Wexford, Ireland; London, United Kingdom; Buenos Aires, Argentina; Prague, Czech Republic; Singapore and Kraków, Poland and was founded in 1992) shared the news on their Threat Blog and discussed the threat and what it was doing.
ACAD/Medre.A is essentially a worm embedded in an AutoCAD file that sends copies of your open AutoCAD files to one of several different email address, most (if not all) of which are using Chinese ISPs. It isn’t malicious, or damaging your software or hardware. This is actually a case of Industrial Espionage. It is stealing your AutoCAD files! It does this by modifying the native start-up file acad.lsp by being named as the auto-load file acad.fas. It uses Visual Basic Scripts to do this that are in the AutoCAD file. Once ACAD/Medre.A has set up the files it needs to it begins to send out your data by accessing smtp.163.com and smtp.qq.com using different accounts from their respective Chinese based internet providers. ESET advises that your IT department make certain that port 25 closed up in the companies firewall. ACAD/Medre.A creates a password protected RAR file that contains the open drawings, the acad.fas file and a .dxf file. The password that is used is one character, “1”. The .DXF file has the information needed in it that recipient needs to load the stolen files into the proper system with the proper language. For a technical details of ACAD/Medre.A refer to Robert Lipovsky’s blog post and the description in ESET’s Threat Encyclopedia.
There is code in ACAD/Medre.A that looks to see if either Outlook versions 11.0, 12.0 or 13.0 are present. It also looks for Foxmail. It Outlook is there the worm attempts to send a PST file from the computer. These files contain email, calenders, contacts, and more. If Foxmail is there the code is set up to send the Foxmail address book and the Foxmail Send Folder. But according to ESET there is an error in the code that prevents this from happening.
ESET has made a free stand alone cleaner program to rid your computer of this worm. You can download it here:
ESET worked with Autodesk, Tencent and CVERC (ISP’s and Government agencies in China) to develop the remover and to diagnose the issue. They have published a whitepaper on it here:
Here is ESET’s Threat Encycopdeia page on ACAD/Medre.A:
How did ESET detect his and where is the worm? ESET noticed a spike in their monitoring systems in the country of Peru, where most of this has been taking place and began tracking it down. It seems that a template file distributed in Peru was infected. From there it went out to many different companies all of which were doing business with the initial entity. The worm isn't isolated to Peru though. ESET’s information shows that it is widespread throughout Latin America and somewhat in North America as well.
Autodesk has put together an ACAD/Medre.A FAQ page here:
This page discuses the malware bug, how it works, alternate names for it and how to determine if your system has it. Autodesk claims that if your antivirus software is up to date then it should be easily detected. Autodesk has confirmed that Microsoft, Trend Micro, McAfee, Symantec, Avira, and Kaspersky antivirus solutions can clean this malware. Autodesk also says that the ESET stand-alone cleaner can clean this malware. Autodesk recommends using up-to-date virus definitions (as do I) and follow these best practices:
- Do not open archive files (i.e. zip) from unknown users.
- Do not run an unknown AutoLISP file without inspecting it first.
Autodesk also has a knowledge base website where they outline additional best practices to use with Autodesk software.