AutoCAD worm sends drawings to China

Thousands of drawings were sent via email from a large project in Peru before the attack was identified and stopped.

Internet security firm ESET recently detected a spike in activity from a known AutoCAD worm. ACAD/Medre.A was found to be sending thousands of drawings from a large project in Peru. The security holes which allowed the worm to operate have been closed, but the threat remains that other projects could be compromised.

ESET says the original infection was traced to an AutoCAD template sent to public agencies in Peru. The worm can infect AutoCAD versions 14.0 through 19.2. Written in AutoLISP, ACAD/Medre.A modifies the AutoLISP startup file so that it is loaded automatically whenever a drawing is opened, then emails the drawings it finds to specific accounts in China.
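Because the worm rides on AutoCAD's habit of auto-loading AutoLISP startup files, the practical check is to hunt for startup files that should not be there. The scanner below is an added example written for this article; it is neither ESET's cleaner nor the worm's code, and it makes two assumptions: the set of auto-loaded file names (acad.lsp, acaddoc.lsp, acad.mnl, acad.fas, acad.vlx) is taken from general AutoCAD knowledge rather than from ESET's analysis, and the keyword heuristics and the sample directory tree are constructed here for illustration.

```python
"""Hunt for unexpected AutoLISP startup files of the kind ACAD/Medre.A abuses.

Added example, not ESET's tooling or the worm's own code. It walks a directory
tree, picks out files with names AutoCAD auto-loads at startup, and flags any
that contain email or automation constructs, or that sit next to drawings,
unless their hash is on an allowlist of known-good startup files.
"""
import hashlib
import os
import re
import tempfile

# File names AutoCAD loads automatically from its support path or from the
# directory of the drawing being opened. Assumption: drawn from general
# AutoCAD knowledge, not from the article or the ESET white paper.
STARTUP_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.mnl", "acad.fas", "acad.vlx"}

# Constructed heuristic: constructs a drafting-office startup script rarely
# needs but an email-exfiltrating script does.
HEURISTICS = {
    "smtp": re.compile(rb"smtp", re.I),
    "com-object": re.compile(rb"vlax-(?:get-or-)?create-object", re.I),
    "email-address": re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "shell-out": re.compile(rb"\(startapp\b", re.I),
    "dwg-lookup": re.compile(rb"\(vl-directory-files\b", re.I),
}


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan(root, allowlist=frozenset()):
    """Return one finding per AutoLISP startup file found under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        lower = {n.lower(): n for n in filenames}
        has_drawings = any(n.lower().endswith(".dwg") for n in filenames)
        for name in sorted(STARTUP_NAMES & set(lower)):
            path = os.path.join(dirpath, lower[name])
            with open(path, "rb") as f:
                body = f.read()
            hits = sorted(k for k, rx in HEURISTICS.items() if rx.search(body))
            digest = sha256(path)
            findings.append({
                "path": path,
                "name": name,
                "beside_drawings": has_drawings,
                "allowlisted": digest in allowlist,
                "hits": hits,
                "sha256": digest,
            })
    return findings


def suspicious(findings):
    """Startup files that are not allowlisted and either match a heuristic or
    sit next to drawings: AutoCAD also loads startup files from the drawing's
    own directory, so a project folder is an odd place for one."""
    return [f for f in findings
            if not f["allowlisted"] and (f["hits"] or f["beside_drawings"])]


def build_sample_tree():
    """Constructed sample: a benign support-path acad.lsp and a project folder
    whose acaddoc.lsp emails drawings out. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="acad-hunt-")
    support = os.path.join(root, "Support")
    project = os.path.join(root, "Project-Peru")
    os.makedirs(support)
    os.makedirs(project)
    with open(os.path.join(support, "acad.lsp"), "wb") as f:
        f.write(b'(defun s::startup () (setvar "FILEDIA" 1))\n')
    with open(os.path.join(project, "Tower-A.dwg"), "wb") as f:
        f.write(b"AC1024" + b"\x00" * 16)  # constructed stub, DWG magic only
    with open(os.path.join(project, "acaddoc.lsp"), "wb") as f:
        f.write(b'(setq m (vlax-create-object "CDO.Message"))\n'
                b'(vlax-put-property m "To" "drop@example.com")\n'
                b'(setq cfg (vlax-get-property m "Configuration")) ; smtp host\n'
                b'(foreach d (vl-directory-files (getvar "DWGPREFIX") "*.dwg") ...)\n')
    return root


if __name__ == "__main__":
    for f in suspicious(scan(build_sample_tree())):
        print(f["path"], f["hits"], "beside drawings" if f["beside_drawings"] else "")
```

Run it against the AutoCAD support path and every share that holds project drawings; feed the SHA-256 of your organisation's sanctioned acad.lsp and acaddoc.lsp into `allowlist` so only unexpected files surface. The heuristics are deliberately loose: a drafting script that legitimately creates COM objects will show up too, and that is the point of a hunt rather than a signature.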

According to ESET, “we can derive the scale of the attack and conclude that tens of thousands of AutoCAD drawings leaked.” ESET contacted Autodesk and Tencent, the owner of the Internet domain on the receiving end of the worm’s emails, and the three coordinated their efforts to stop the attack. ESET also reached out to CVERC, the Chinese National Computer Virus Emergency Response Center, which also responded quickly.

ESET has published a free white paper describing the incident and, in cooperation with Autodesk, has released a free stand-alone cleaner.