ACAD/Medre (threat name)
ACAD/Medre.A (threat variant name)
Available cleaner: ACAD/Medre.A Cleaner
Category: worm
Aliases: Worm:ALisp/Blemfox.A (Microsoft), Trojan.Acad.Bursted.W (BitDefender), ALS.Bursted.B (Symantec)
Short description
ACAD/Medre.A is a worm that steals sensitive information. The worm collects AutoCAD (*.dwg) files with drawing(s). The worm attempts to send gathered information to a remote machine.
Installation
ACAD/Medre.A is a worm that infects files used by the AutoCAD application.
The worm attempts to modify the following file:
- %autocadinstallationfolder%\Support\acad20*.lsp
The worm writes the following entries to the file:
- (if (findfile "cad.fas") (load "cad.fas"))
Because acad20*.lsp is loaded automatically at AutoCAD startup, this entry causes the commands stored in the following file to be loaded and interpreted:
- cad.fas
This results in the execution of the malware, which can then infect other AutoCAD files.
The worm may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting]
- "FILE-H" = "T"
- "FILE" = "%variable1%"
- "FILE-G" = "%variable2%"
- "Time" = "%variable3%"
%variable1%, %variable2% and %variable3% stand for strings whose content varies.
Spreading
The worm creates the following files:
- %windir%\System32\Acad.fas
- %windir%\Acad.fas
- %currentworkingdirectoryofdwg%\cad.fas
- %currentworkingdirectoryofdwg%\acad.fas
- %autocadsupportdirectory%\cad.fas
- %autocadsupportdirectory%\acad.fas
- %windir%\System32\%chnstring%\acad.fas
%chnstring% represents a string written in Chinese.
These files contain the worm's program code.
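The two artefacts described under Installation and Spreading (the load hook appended to acad20*.lsp and the acad.fas / cad.fas files dropped into the listed directories) can be checked for on a host. The script below is an added example written for this page; it is not ESET's cleaner and not code from the worm. The %windir%, AutoCAD Support and drawing folders are supplied by the caller, and the Chinese-named System32 subfolder is not guessed, so that location is covered by a glob over System32 subdirectories. The demo builds a constructed scenario in a temporary directory.

```python
"""Host check for the ACAD/Medre.A startup hook and dropped files.

Added example, not ESET's cleaner and not the worm's code. Paths for %windir%,
the AutoCAD Support folder and the DWG folders are assumptions passed by the caller.
"""
import re
import tempfile
from pathlib import Path

# Matches the autoload hook quoted in the description:
#   (if (findfile "cad.fas")(load "cad.fas"))
# Tolerates whitespace, straight or curly quotes, and acad.fas as well as cad.fas.
HOOK_RE = re.compile(
    r'\(\s*load\s+["\u201c\u201d](?P<name>a?cad\.fas)["\u201c\u201d]\s*\)',
    re.IGNORECASE,
)

# File names the Spreading section lists as created by the worm.
DROPPED_NAMES = ("acad.fas", "cad.fas")


def find_fas_load_hooks(lsp_text: str) -> list[str]:
    """Return every cad.fas / acad.fas name an AutoLISP file would load."""
    return [m.group("name").lower() for m in HOOK_RE.finditer(lsp_text)]


def scan_support_lsp(support_dir: Path) -> dict[str, list[str]]:
    """Check each acad20*.lsp in the AutoCAD Support folder for the hook."""
    findings = {}
    for lsp in sorted(support_dir.glob("acad20*.lsp")):
        hooks = find_fas_load_hooks(lsp.read_text(encoding="utf-8", errors="replace"))
        if hooks:
            findings[lsp.name] = hooks
    return findings


def dropped_file_locations(windir: Path, support_dir: Path, dwg_dirs) -> list[Path]:
    """Candidate paths from the Spreading section. The %chnstring% subfolder of
    System32 is unknown, so every System32 subdirectory is checked for acad.fas."""
    candidates = [windir / "System32" / "Acad.fas", windir / "Acad.fas"]
    for name in DROPPED_NAMES:
        candidates.append(support_dir / name)
        for d in dwg_dirs:
            candidates.append(Path(d) / name)
    system32 = windir / "System32"
    if system32.is_dir():
        candidates.extend(p / "acad.fas" for p in system32.iterdir() if p.is_dir())
    return candidates


def present_dropped_files(candidates) -> list[Path]:
    """Return only the candidate paths that exist as regular files."""
    return [p for p in candidates if p.is_file()]


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed scenario: one hooked acad2013.lsp, one clean acad2010.lsp,
    and a placeholder cad.fas next to the drawings. Nothing here is real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        windir, support, dwg = root / "Windows", root / "Support", root / "Projects"
        for d in (windir / "System32", support, dwg):
            d.mkdir(parents=True)
        (support / "acad2013.lsp").write_text(
            '(setq acadver (getvar "ACADVER"))\n'
            '(if (findfile "cad.fas")(load "cad.fas"))\n'  # constructed hook line
        )
        (support / "acad2010.lsp").write_text('(princ "clean startup file")\n')
        (dwg / "cad.fas").write_bytes(b"constructed placeholder, not real code")
        hooks = scan_support_lsp(support)
        found = present_dropped_files(dropped_file_locations(windir, support, [dwg]))
        return hooks, [p.relative_to(root).as_posix() for p in found]


if __name__ == "__main__":
    hooked, files = demo()
    print("hooked startup files:", hooked)
    print("dropped files present:", files)
```

On a real machine, call scan_support_lsp with the AutoCAD Support folder and dropped_file_locations with the actual %windir% and the folders that hold drawings; any hit in either list is a reason to run the cleaner and to review the acad20*.lsp contents by hand, since legitimate startup files also use load but not for these names.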
Information stealing
The worm collects information related to the following applications:
- AutoCAD
The worm collects AutoCAD (*.dwg) files with drawing(s).
The worm attempts to send gathered information to a remote machine.
The worm sends the information via e-mail.
The worm contains a list of addresses.
Other information
Versions 2000, 2002, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 of the AutoCAD environment are affected.