Friday, June 22, 2012

ACAD/Medre.A Malware – An AutoCAD Based Virus that may be stealing your files and email contacts!


Dealing with computer viruses is a pain.  Windows users have been doing this for a while, and recently many Mac computers were infected as well.  It seems that nobody is safe anymore, or at least everybody should be wary and prepared.  The same is true for AutoCAD users, as recent headlines show.  The malware “virus” known as ACAD/Medre.A has made an impact in the country of Peru in the past few months, according to ESET’s Threat Blog.

ESET (an IT security company founded in 1992 and headquartered in Bratislava, Slovakia, with branch offices in San Diego, U.S.A.; Wexford, Ireland; London, United Kingdom; Buenos Aires, Argentina; Prague, Czech Republic; Singapore; and Kraków, Poland) shared the news on their Threat Blog and discussed the threat and what it was doing.


ACAD/Medre.A is essentially a worm embedded in an AutoCAD file that sends copies of your open AutoCAD files to one of several different email addresses, most (if not all) of which are on Chinese ISPs.  It isn’t destructive and doesn’t damage your software or hardware.  This is actually a case of industrial espionage: it is stealing your AutoCAD files!  It does this by hooking the native start-up file acad.lsp, planting itself under the auto-load file name acad.fas.  It uses Visual Basic scripts embedded in the AutoCAD file to do this.  Once ACAD/Medre.A has set up the files it needs, it begins sending out your data by connecting to smtp.163.com and smtp.qq.com with different accounts at their respective Chinese internet providers.  ESET advises that your IT department make certain that outbound port 25 is closed in the company’s firewall.  ACAD/Medre.A creates a password-protected RAR file that contains the open drawings, the acad.fas file and a .dxf file.  The password used is a single character, “1”.  The .DXF file carries the information the recipient needs to load the stolen files into the proper system with the proper language.  For technical details on ACAD/Medre.A, refer to Robert Lipovsky’s blog post and the description in ESET’s Threat Encyclopedia.
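Two defender-side checks for the behaviour just described, as an added example that is not part of the original post and is not ESET’s or Autodesk’s tooling: a scan of a project tree for acad.fas/acad.lsp files sitting beside drawings (it assumes AutoCAD picks those file names up from the folder of the drawing being opened), and a sweep of firewall log lines for outbound TCP/25 to smtp.163.com or smtp.qq.com. The log-line format, the sample files and all addresses are constructed for this example.

```python
"""Defender-side checks for two ACAD/Medre.A behaviours: an acad.fas/acad.lsp
auto-load file planted beside drawings, and outbound SMTP (TCP/25) to the
mail servers named in the write-up.  Example code only; the log format and
sample data below are constructed, not taken from any real product or log."""
import hashlib
import os
import re
import tempfile

# File names AutoCAD auto-loads from the opened drawing's folder
# (assumption about AutoCAD's load order; the post names acad.lsp and acad.fas).
AUTOLOAD_NAMES = {"acad.fas", "acad.lsp"}

# Mail servers the worm contacts and the port ESET advises blocking.
SMTP_HOSTS = {"smtp.163.com", "smtp.qq.com"}
SMTP_PORT = 25


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files stay cheap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_autoload_files(root):
    """Walk `root` and report every acad.fas/acad.lsp, flagging those in a
    folder that also holds .dwg files (where a drawing-triggered auto-load
    would fire).  Returns a list of dicts sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        beside_dwg = any(name.endswith(".dwg") for name in lowered)
        for f in files:
            if f.lower() in AUTOLOAD_NAMES:
                path = os.path.join(dirpath, f)
                hits.append({"path": path,
                             "sha256": sha256_of(path),
                             "beside_dwg": beside_dwg})
    return sorted(hits, key=lambda h: h["path"])


# Constructed firewall log format used by this example:
#   <timestamp> <ACTION> tcp <src_ip>:<src_port> -> <dst_ip>:<dst_port> host=<name>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+tcp\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+host=(?P<host>\S+)$")


def find_smtp_egress(log_lines):
    """Return (timestamp, src_ip, host) for every line that records a TCP/25
    connection to one of the worm's mail servers, allowed or denied."""
    matches = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        if int(m.group("dport")) == SMTP_PORT and m.group("host") in SMTP_HOSTS:
            matches.append((m.group("ts"), m.group("src"), m.group("host")))
    return matches


# Constructed sample lines; addresses come from RFC 1918 / RFC 5737 ranges.
SAMPLE_LOG = [
    "2012-06-20T10:15:02 ALLOW tcp 10.0.5.12:51432 -> 203.0.113.10:25 host=smtp.163.com",
    "2012-06-20T10:15:09 ALLOW tcp 10.0.5.12:51433 -> 203.0.113.11:443 host=www.example.com",
    "2012-06-20T10:16:41 DENY tcp 10.0.5.40:49201 -> 203.0.113.12:25 host=smtp.qq.com",
    "garbage line that does not parse",
]


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree():
    """Create a throwaway project folder: one drawing with an acad.fas beside
    it, plus an acad.lsp in a folder with no drawings.  Returns the root."""
    root = tempfile.mkdtemp(prefix="medre_demo_")
    project = os.path.join(root, "project")
    os.makedirs(project)
    _write(os.path.join(project, "site-plan.dwg"), b"constructed dwg stub")
    _write(os.path.join(project, "acad.fas"), b"constructed fas stub")
    tools = os.path.join(root, "tools")
    os.makedirs(tools)
    _write(os.path.join(tools, "acad.lsp"), b"(princ) ; constructed stub")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_autoload_files(root):
        flag = "CHECK" if hit["beside_dwg"] else "info "
        print(f"[{flag}] {hit['path']}  sha256={hit['sha256'][:16]}...")
    for ts, src, host in find_smtp_egress(SAMPLE_LOG):
        print(f"[EGRESS] {ts} {src} -> {host}:{SMTP_PORT}")
```

Point `find_autoload_files` at a shared drawing repository rather than the sample tree to use it for real; the digest lets you compare a flagged acad.fas against a known-good copy or an antivirus verdict, and the "beside a .dwg" flag separates files that could fire on drawing open from a legitimately placed acad.lsp in a support folder. An allowed TCP/25 connection to either host in the log sweep is the signal that the firewall rule ESET recommends is missing.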

There is code in ACAD/Medre.A that looks to see if Outlook version 11.0, 12.0 or 13.0 is present.  It also looks for Foxmail.  If Outlook is there, the worm attempts to send a PST file from the computer.  These files contain email, calendars, contacts, and more.  If Foxmail is there, the code is set up to send the Foxmail address book and the Foxmail Send folder.  But according to ESET there is an error in the code that prevents this from happening.

ESET has made a free stand-alone cleaner program to rid your computer of this worm.  You can download it here:

http://download.eset.com/special/EACADMedreCleaner.exe

ESET worked with Autodesk, Tencent and CVERC (ISPs and government agencies in China) to develop the remover and to diagnose the issue.  They have published a whitepaper on it here:

http://www.eset.com/fileadmin/Images/US/Docs/Business/white_Papers/ESET_ACAD_Medre_A_whitepaper.pdf

Here is ESET’s Threat Encyclopaedia page on ACAD/Medre.A:

http://www.eset.eu/encyclopaedia/acad-medre-a-worm-alisp-blemfox-trojan-bursted-w-als

How did ESET detect this, and where is the worm?  ESET noticed a spike in their monitoring systems in the country of Peru, where most of this has been taking place, and began tracking it down.  It seems that a template file distributed in Peru was infected.  From there it went out to many different companies, all of which were doing business with the initial entity.  The worm isn't isolated to Peru, though.  ESET’s information shows that it is widespread throughout Latin America and somewhat in North America as well.

Autodesk has put together an ACAD/Medre.A FAQ page here:

http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=19860569&linkID=9240617

This page discusses the malware, how it works, alternate names for it and how to determine if your system has it.  Autodesk claims that if your antivirus software is up to date, it should be easily detected.  Autodesk has confirmed that Microsoft, Trend Micro, McAfee, Symantec, Avira, and Kaspersky antivirus solutions can clean this malware.  Autodesk also says that the ESET stand-alone cleaner can clean this malware.  Autodesk recommends using up-to-date virus definitions (as do I) and following these best practices:

  • Do not open archive files (e.g. zip) from unknown users.
  • Do not run an unknown AutoLISP file without inspecting it first.

Autodesk also has a knowledge base website where they outline additional best practices to use with Autodesk software.

http://usa.autodesk.com/getdoc/id=TS1103867
