ACAD/Medre.A

ACAD/Medre.A Description

ACAD/Medre.A is a worm that is highly effective at what ACAD/Medre.A does: steal AutoCAD drawings. AutoCAD is a program that is essential for engineers and architects and is widely used to draw blueprints and other important documents. The ACAD/Medre.A worm has a very specific line of attack and is designed to steal these often highly-sensitive files. The ACAD/Medre.A worm can also be harmful for computer users with no relationship to AutoCAD since ACAD/Medre.A also has the ability to steal email information. Basically, the ACAD/Medre.A worm has a virus-like capability to infect AutoCAD files in order to spread itself from one computer to another (ensuring that its victims will have some relationship with AutoCAD). ESG security researchers strongly advise to be on the alert for attacks similar to the ACAD/Medre.A worm if you use AutoCAD. Although this is certainly a very specific niche, it can be highly profitable for criminals due to its potential for industrial espionage.

ACAD/Medre.A Disguises Itself as an AutoCAD File in Order to Steal Data

The ACAD/Medre.A worm and similar malware have been associated with state-sponsored malware attacks and high-level malware creators interested in industrial sabotage and espionage. The ACAD/Medre.A worm can target AutoCAD 2000 through 2015. Basically, ACAD/Medre.A can corrupt existing AutoCAD files as well as creating malicious files that are disguised to resemble legitimate AutoCAD files. When a file corrupted by ACAD/Medre.A is opened, it will launch the ACAD/Medre.A's malicious executable and allow it infect other AutoCAD files on the infected machine. Unfortunately, since the ACAD/Medre.A worm is mainly used to steal sensitive data, ACAD/Medre.A will rarely, if ever, display explicit symptoms of an infection.

ACAD/Medre.A's Main Lines of Attack

The ACAD/Medre.A worm is very good at what ACAD/Medre.A does and can rapidly spread throughout a computer system or network. Basically, ACAD/Medre.A carries out its attack using the following tactics:

  • ACAD/Medre.A will detect all AutoCAD files with the DWG extension and then transmit these to a remote server via email.
  • The ACAD/Medre.A worm can also steal email information on Outlook or Thunderbird in order to carry out future attacks.
  • The ACAD/Medre.A worm also has a sophisticated component that creates a RAR archive. This archive will include the stolen files' metadata and the ACAD/Medre.A worm's own code.

Most of the time, the initial ACAD/Medre.A infection will come from a malicious email attachment. Because of this, ESG security researchers strongly advise scanning all AutoCAD files received via email with an updated anti-malware program before they can infiltrate your computer system. While people that do not use AutoCAD will not be affected greatly by ACAD/Medre.A, industry professionals that rely on this program should consider ACAD/Medre.A a significant threat.

Technical Information

File System Details

ACAD/Medre.A creates the following file(s):
# File Name Size MD5
1 %CurrentWorkingDirectoryofdwg%\cad.fas
2 %AutoCADSupportDirectory%\cad.fas
3 %CurrentWorkingDirectoryofdwg%\acad.fas
4 %AutoCADSupportDirectory%\acad.fas
5 %WinDir%\System32\Acad.fas
6 %WinDir%\Acad.fas
7 %AutoCADInstallationFolder%\Support\acad20*.lsp
8 file.exe 22,052 916744d1e7064a5522092f310a7c4ab0
More files

Registry Details

ACAD/Medre.A creates the following registry entry or registry entries:
RegistryKey
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Catalog]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting] "FILE-H" = "T" "FILE" = "%variable1%" "FILE-G" = "%variable2%" "Time" = "%variable3%"
[HKEY_CURRENT_USER\Software\Aerofox\Foxmail] "Executable"
[HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Catalog]
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Catalog]

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.


HTML is not allowed.