A sudden spike on ESET’s LiveGrid Early Warning System revealed that an AutoLISP-based worm dubbed "ACAD/Medre.A" has recently been infecting a great number of computers in the Latin American country of Peru.
The worm has one main goal: to send any AutoCAD drawings it may find on the compromised computers to a number of email accounts opened at 163.com and qq.com, two Chinese internet providers.
ACAD/Medre.A also creates a password-protected RAR file containing the drawing, the requisite “acad.fas” file and a “.dxf” file, and sends them separately by e-mail, Zwienenberg explains, adding that the DXF file contains the information the recipient needs to load the stolen drawing into the right system with the right language.
"From our analysis of all the used e-mail accounts we can derive the scale of the attack and conclude that tens of thousands of AutoCAD drawings (blueprints) leaked," Zwienenberg pointed out. "Upon realization of the magnitude of the problem ESET reached out to Tencent, owners of the qq.com domain. Due to swift quick action on the part of Tencent the accounts used for relaying the e-mails with the drawings have been blocked and thus no further leakage will occur."
The company had additional help from the Chinese National Computer Virus Emergency Response Center, which reacted by blocking and removing the accounts in question.
The worm also tries to steal Outlook .PST files and files belonging to the Foxmail email client, depending on which software the owner of the infected machine uses.
So how did predominantly Peruvian users get infected in the first place?
It seems that the worm was contained in a booby-trapped AutoCAD template offered on a website belonging to a public body, and that the victims were urged to download it from there.
"If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment," says Zwienenberg.
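The infection path described above hinges on a detail worth checking for in any environment that handles AutoCAD drawings: an "acad.fas" dropped beside a drawing or template is picked up automatically when that drawing is opened. The script below is an added example written for this article, not ESET's detection logic or anything distributed by the project: it walks a directory tree, reports AutoCAD auto-load files, and ranks those sharing a folder with .dwg/.dwt/.dxf files highest, since that is the layout a trojanised template would leave behind. The page names only "acad.fas"; the .lsp/.vlx variants and the acaddoc.* names are an assumption drawn from AutoCAD's startup auto-load behaviour, and the sample folder it builds is constructed, with placeholder bytes rather than real malware.

```python
"""Hunt for AutoCAD auto-load files sitting next to drawings.

AutoCAD loads acad.fas (and its .lsp / .vlx siblings) from the folder it is
started in or from the drawing's own folder, which is how an AutoLISP worm
such as ACAD/Medre.A rides along with an otherwise ordinary template.
"""
import os
import tempfile
from pathlib import Path

# "acad.fas" is the name given in the article; the other names are added
# from AutoCAD's documented startup auto-load list (assumption, not stated
# by the article).
AUTOLOAD_NAMES = {
    "acad.fas", "acad.lsp", "acad.vlx",
    "acaddoc.fas", "acaddoc.lsp", "acaddoc.vlx",
}
DRAWING_EXTS = {".dwg", ".dwt", ".dxf"}


def scan_tree(root):
    """Walk `root` and return findings as dicts: path, severity, drawings.

    A hit in a folder that also holds drawing files is rated "high" because
    opening any of those drawings would auto-load the file; a hit in a
    folder with no drawings (e.g. a support path) is rated "medium".
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        hits = [by_lower[n] for n in AUTOLOAD_NAMES if n in by_lower]
        if not hits:
            continue
        drawings = sorted(
            name for name in filenames
            if Path(name).suffix.lower() in DRAWING_EXTS
        )
        severity = "high" if drawings else "medium"
        for hit in sorted(hits):
            findings.append({
                "path": str(Path(dirpath) / hit),
                "severity": severity,
                "drawings": drawings,
            })
    return findings


def build_sample_tree(base):
    """Constructed sample layout (placeholder bytes, not real malware):
    a tender folder with a template and an acad.fas beside it, a support
    folder holding only an acad.lsp, and a folder with nothing of interest.
    """
    base = Path(base)
    tender = base / "projects" / "tender"
    tender.mkdir(parents=True)
    (tender / "plantilla.dwt").write_bytes(b"AC1024")      # DWG magic only
    (tender / "acad.fas").write_bytes(b"constructed-sample")
    support = base / "support"
    support.mkdir()
    (support / "acad.lsp").write_text("(princ)\n")
    docs = base / "docs"
    docs.mkdir()
    (docs / "readme.txt").write_text("nothing here\n")
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        findings = scan_tree(root)
        for f in findings:
            print(f"[{f['severity']}] {f['path']}  drawings={f['drawings']}")
        return findings


if __name__ == "__main__":
    demo()
```

Running it against the constructed tree reports the acad.fas next to plantilla.dwt as high severity and the lone acad.lsp in the support folder as medium; on a real file share, point `scan_tree` at the root where project drawings and downloaded templates are kept, and treat any high-severity hit as something to quarantine and inspect rather than open.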