ACAD/Medre.A

By LoneStar in Worms

ACAD/Medre.A is a worm that is highly effective at what ACAD/Medre.A does: steal AutoCAD drawings. AutoCAD is a program that is essential for engineers and architects and is widely used to draw blueprints and other important documents. The ACAD/Medre.A worm has a very specific line of attack and is designed to steal these often highly-sensitive files. The ACAD/Medre.A worm can also be harmful for computer users with no relationship to AutoCAD since ACAD/Medre.A also has the ability to steal email information. Basically, the ACAD/Medre.A worm has a virus-like capability to infect AutoCAD files in order to spread itself from one computer to another (ensuring that its victims will have some relationship with AutoCAD). ESG security researchers strongly advise to be on the alert for attacks similar to the ACAD/Medre.A worm if you use AutoCAD. Although this is certainly a very specific niche, it can be highly profitable for criminals due to its potential for industrial espionage.

Table of Contents

ACAD/Medre.A Disguises Itself as an AutoCAD File in Order to Steal Data

The ACAD/Medre.A worm and similar malware have been associated with state-sponsored malware attacks and high-level malware creators interested in industrial sabotage and espionage. The ACAD/Medre.A worm can target AutoCAD 2000 through 2015. Basically, ACAD/Medre.A can corrupt existing AutoCAD files as well as creating malicious files that are disguised to resemble legitimate AutoCAD files. When a file corrupted by ACAD/Medre.A is opened, it will launch the ACAD/Medre.A's malicious executable and allow it infect other AutoCAD files on the infected machine. Unfortunately, since the ACAD/Medre.A worm is mainly used to steal sensitive data, ACAD/Medre.A will rarely, if ever, display explicit symptoms of an infection.

ACAD/Medre.A’s Main Lines of Attack

The ACAD/Medre.A worm is very good at what ACAD/Medre.A does and can rapidly spread throughout a computer system or network. Basically, ACAD/Medre.A carries out its attack using the following tactics:

ACAD/Medre.A will detect all AutoCAD files with the DWG extension and then transmit these to a remote server via email.
The ACAD/Medre.A worm can also steal email information on Outlook or Thunderbird in order to carry out future attacks.
The ACAD/Medre.A worm also has a sophisticated component that creates a RAR archive. This archive will include the stolen files' metadata and the ACAD/Medre.A worm's own code.

Most of the time, the initial ACAD/Medre.A infection will come from a malicious email attachment. Because of this, ESG security researchers strongly advise scanning all AutoCAD files received via email with an updated anti-malware program before they can infiltrate your computer system. While people that do not use AutoCAD will not be affected greatly by ACAD/Medre.A, industry professionals that rely on this program should consider ACAD/Medre.A a significant threat.

SpyHunter Detects & Remove ACAD/Medre.A

File System Details

ACAD/Medre.A may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	%CurrentWorkingDirectoryofdwg%\cad.fas
Name: %CurrentWorkingDirectoryofdwg%\cad.fas Group: Malware file
2.	%AutoCADSupportDirectory%\cad.fas
Name: %AutoCADSupportDirectory%\cad.fas Group: Malware file
3.	%CurrentWorkingDirectoryofdwg%\acad.fas
Name: %CurrentWorkingDirectoryofdwg%\acad.fas Group: Malware file
4.	%AutoCADSupportDirectory%\acad.fas
Name: %AutoCADSupportDirectory%\acad.fas Group: Malware file
5.	%WinDir%\System32\Acad.fas
Name: %WinDir%\System32\Acad.fas Group: Malware file
6.	%WinDir%\Acad.fas
Name: %WinDir%\Acad.fas Group: Malware file
7.	%AutoCADInstallationFolder%\Support\acad20*.lsp
Name: %AutoCADInstallationFolder%\Support\acad20*.lsp Group: Malware file
8.	file.exe	916744d1e7064a5522092f310a7c4ab0	0
Name: file.exe MD5: 916744d1e7064a5522092f310a7c4ab0 Size: 22.05 KB (22052 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: June 28, 2012
9.	file.exe	25c7e10bb537b4265f6144f2cd7f6d95	0
Name: file.exe MD5: 25c7e10bb537b4265f6144f2cd7f6d95 Size: 22.6 KB (22602 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: June 28, 2012
10.	file.exe	ea04c29bc814af6d96157c1113b3806d	0
Name: file.exe MD5: ea04c29bc814af6d96157c1113b3806d Size: 22.1 KB (22105 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: June 28, 2012
11.	file.exe	73dd85951ea154fbb40c26cd259ee0b7	0
Name: file.exe MD5: 73dd85951ea154fbb40c26cd259ee0b7 Size: 12.33 KB (12334 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: June 28, 2012
12.	file.exe	7b563740f41e495a68b70cbb22980b20	0
Name: file.exe MD5: 7b563740f41e495a68b70cbb22980b20 Size: 12.33 KB (12334 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: June 28, 2012

Registry Details

ACAD/Medre.A may create the following registry entry or registry entries:

HKEY..\..\..\..{RegistryKeys}

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Catalog]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting] "FILE-H" = "T" "FILE" = "%variable1%" "FILE-G" = "%variable2%" "Time" = "%variable3%"

[HKEY_CURRENT_USER\Software\Aerofox\Foxmail] "Executable"

[HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Catalog]

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Catalog]

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

ACAD/Medre.A

ACAD/Medre.A Disguises Itself as an AutoCAD File in Order to Steal Data

ACAD/Medre.A’s Main Lines of Attack

SpyHunter Detects & Remove ACAD/Medre.A

File System Details

Registry Details

Submit Comment

Trending

Rzfu Ransomware

'YouPorn' Email Scam

Rzkd Ransomware

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen