Published 22 June 2012
Posted by Martyn Day
A virus that seems to target AutoCAD DWGs and send them to digital pirates via China has already stolen tens of thousands of blueprints
Named ACAD/Medre.A, it secretly sends DWGs to Chinese email accounts located at 163.com and qq.com.
The source of the original infection was traced to a drawing template that was initially sent to public bodies in Peru. While nobody knows how long it’s really been out there, ESET security software developers saw a spike in infections two months ago.
It is suspected that a company in Peru initiated a project and distributed an infected template to all project participants, infecting their whole design ecosystem. The pirates then activated the virus, which sent out the drawings.
The sample ESET tested was able to infect versions 14.0 to 19.2 of AutoCAD by modifying the native AutoLISP startup file (acad.lsp) and masquerading as the auto-load file acad.fas.
It employs Visual Basic Scripts that are executed using the Wscript.exe interpreter that is integrated in the Windows operating system since Windows 2000. The author assumes that his code will even work for future versions of AutoCAD as it has support for the AutoCAD versions that will be released in 2013, 2014 and 2015.
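Because the infection rides on AutoCAD's auto-load files, a practical defensive check is to inventory every acad.lsp / acad.fas style file on a file share and flag any that sit outside the trusted AutoCAD Support folder, for example next to a project's DWGs. The script below is an added example and not code from the article or from ESET; it assumes the auto-load names acad.lsp, acad.fas, acaddoc.lsp and acaddoc.fas, a caller-supplied list of trusted directories, and a constructed directory layout built purely for demonstration.

```python
"""Added example (not from the article or ESET): walk a directory tree and
report AutoLISP auto-load files that AutoCAD picks up automatically from
the current drawing's folder or its support path.  ACAD/Medre.A abused
exactly this mechanism, so copies of these files outside the AutoCAD
install directory deserve a closer look."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names AutoCAD loads automatically.  acad.lsp and acad.fas are the
# ones named in the article; acaddoc.lsp / acaddoc.fas are the per-drawing
# equivalents.  Extend this set if your deployment uses other auto-loaders.
AUTOLOAD_NAMES = {"acad.lsp", "acad.fas", "acaddoc.lsp", "acaddoc.fas"}


def sha256_of(path: Path) -> str:
    """Hash the file so findings can be compared across machines/shares."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_autoload_files(root: Path, trusted_dirs=()):
    """Return one record per auto-load file found under root.

    A file whose directory is in trusted_dirs (e.g. the AutoCAD install's
    Support folder) is marked expected=True; one found anywhere else, such
    as a project folder full of DWGs, is marked expected=False."""
    trusted = {Path(d).resolve() for d in trusted_dirs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in AUTOLOAD_NAMES:
                p = Path(dirpath) / name
                hits.append({
                    "path": str(p),
                    "sha256": sha256_of(p),
                    "size": p.stat().st_size,
                    "expected": Path(dirpath).resolve() in trusted,
                })
    return hits


def suspicious(hits):
    """Only the auto-load files that live outside a trusted directory."""
    return [h for h in hits if not h["expected"]]


def build_demo_tree(base: Path) -> Path:
    """Constructed sample layout (assumption, not real data): a trusted
    Support folder holding a benign acad.lsp, and a project folder where an
    acad.fas has appeared beside the drawings."""
    support = base / "AutoCAD" / "Support"
    project = base / "Projects" / "bridge"
    support.mkdir(parents=True)
    project.mkdir(parents=True)
    (support / "acad.lsp").write_text("(princ)\n")          # harmless no-op LISP
    (project / "plan.dwg").write_bytes(b"constructed-stub")  # stand-in, not a real DWG
    (project / "acad.fas").write_bytes(b"constructed-stub")  # stand-in, not a real FAS
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = build_demo_tree(Path(tmp))
        found = find_autoload_files(base, trusted_dirs=[base / "AutoCAD" / "Support"])
        for h in suspicious(found):
            print("unexpected auto-load file:", h["path"], h["sha256"][:16], h["size"])
```

Run it against a real share by passing the share root as `root` and the AutoCAD Support folder(s) as `trusted_dirs`; the hashes let you spot the same unexpected file recurring across many project folders, which is what a template-borne infection looks like.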
After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider.
It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider. ESET advises against allowing outgoing port 25 traffic to anything other than your own ISP.
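The egress rule ESET recommends is easy to audit after the fact from firewall or flow logs: any internal host opening TCP/25 to a destination other than your ISP's relay is either misconfigured or mailing documents out on its own. The script below is an added example, not code from the article or from ESET; the log format, the relay address 203.0.113.25 and the sample lines are all constructed for the demonstration.

```python
"""Added example (not from the article or ESET): parse outbound connection
records and flag SMTP sessions that bypass the organisation's ISP relay."""
import ipaddress
from dataclasses import dataclass

# Constructed sample firewall log (timestamp src dst proto dport action).
# 203.0.113.25 plays the ISP relay; the other addresses are documentation
# ranges, chosen so the sample never names a real server.
SAMPLE_LOG = """\
2012-06-20T09:14:02 10.20.5.17 203.0.113.25 tcp 25 allow
2012-06-20T09:14:05 10.20.5.17 198.51.100.8 tcp 443 allow
2012-06-20T09:15:41 10.20.5.31 192.0.2.77 tcp 25 allow
2012-06-20T09:16:10 10.20.5.31 192.0.2.78 tcp 25 allow
2012-06-20T09:17:00 10.20.5.40 203.0.113.25 tcp 25 allow
"""

# The one SMTP destination internal hosts are allowed to reach (assumption).
ISP_RELAY = ipaddress.ip_address("203.0.113.25")


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_log(text: str):
    """Turn the whitespace-separated sample format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        conns.append(Conn(ts, src, dst, proto, int(dport), action))
    return conns


def smtp_egress_violations(conns, relay=ISP_RELAY):
    """SMTP connections from internal (RFC 1918) hosts to anything but the relay."""
    return [
        c for c in conns
        if c.proto == "tcp" and c.dport == 25
        and ipaddress.ip_address(c.src).is_private
        and ipaddress.ip_address(c.dst) != relay
    ]


def hosts_to_investigate(conns):
    """Internal hosts that opened direct SMTP to two or more outside servers:
    the pattern of a mailer working through a list of fallback accounts."""
    by_host = {}
    for c in smtp_egress_violations(conns):
        by_host.setdefault(c.src, set()).add(c.dst)
    return sorted(h for h, dsts in by_host.items() if len(dsts) >= 2)


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for v in smtp_egress_violations(conns):
        print("direct SMTP bypassing relay:", v.ts, v.src, "->", v.dst)
    print("hosts to investigate:", hosts_to_investigate(conns))
```

In practice the same logic runs over your firewall's export; once the audit is clean, the matching firewall policy is the one the article describes: permit TCP/25 from the LAN only to the relay and log-and-drop the rest.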
This is not the first AutoCAD related virus; there have been several others, using AutoLISP and VBA. In the past Autodesk has included an option to warn you when opening a drawing or project file that includes embedded macros. From that warning dialog box, you can disable the macros before they are able to execute.
If this dialog display becomes disabled, it can be turned back on by running the VBARUN command, choosing the Options button, and checking “Enable macro virus protection.” ACAD/Medre.A is written in AutoLISP but its main functions are carried out by Visual Basic Scripts.