

Posted: June 22, 2012

Threat Metric

Threat Level: 5/10
Infected PCs: 75
First Seen: June 22, 2012
OS(es) Affected: Windows

ACAD/Medre.A is a worm and virus that specializes in stealing files in the AutoCAD format. AutoCAD is a commercial program widely used by architects, engineers and similar professionals for blueprinting and computer-aided design. Although ACAD/Medre.A's basic line of attack is an unusual niche, it also includes capabilities that would be harmful to PC users who have nothing to do with AutoCAD, such as the theft of e-mail-related information for future exploitation. ACAD/Medre.A's basic functionality includes the ability to infect AutoCAD files and use them as a mechanism to distribute itself via e-mail and similar methods. Because of this danger, SpywareRemove.com malware researchers recommend that you scan downloaded AutoCAD files with anti-malware software before opening them. You should also be particularly alert to potential ACAD/Medre.A attacks if you use AutoCAD software, either casually or as part of your profession.

ACAD/Medre.A: Wearing Blueprints for a Disguise Even as It Steals Them

Similar to Worm:ALisp/Kenilfe.D, Trojan.Acad.Dwgun.a or Trojan:ALisp/Gofas.A, ACAD/Medre.A is a PC threat that targets AutoCAD blueprints for theft, which makes it a potent, if niche, form of industrial saboteur. AutoCAD versions from 2000 up to 2015 have all been confirmed to be affected by ACAD/Medre.A, which may also be identified by aliases including ALS.Bursted.B, Worm:ALisp/Blemfox.A and Trojan.Acad.Bursted.W. Because ACAD/Medre.A both infects AutoCAD files and creates independent files on your PC, its detection and deletion should be handled by dedicated anti-malware products whenever practical. SpywareRemove.com malware researchers especially emphasize that ACAD/Medre.A-infected AutoCAD files, if launched, may allow ACAD/Medre.A to infect other AutoCAD files, and show no obvious symptoms of their attacks.

ACAD/Medre.A is very effective at infiltration and distribution; its main attacks are outlined below:

  • ACAD/Medre.A gathers .dwg files (AutoCAD drawings) to send to a remote e-mail address.
  • ACAD/Medre.A also targets e-mail client information from Outlook and Foxmail for similar purposes.
  • Lastly, ACAD/Medre.A prepares and e-mails a .rar archive that includes metadata about the stolen .dwg files and its own code (found in the acad.fas file, which is ACAD/Medre.A's original file name and format before it infects other files).

Preserving Your Plans from an ACAD/Medre.A-Assisted Heist

The usual means of infection by ACAD/Medre.A is via e-mail file attachments. SpywareRemove.com malware researchers warn against opening e-mailed AutoCAD files or archives without scanning them first, even if the e-mail was sent by a known contact, since ACAD/Medre.A-infected PCs can easily be used to distribute ACAD/Medre.A unintentionally. ACAD/Medre.A is built for Windows and is sufficiently dependent on AutoCAD that PC users without this software aren't likely to be greatly endangered by its attacks. However, for AutoCAD users, and especially professionals in relevant industries, ACAD/Medre.A should be considered a high-level threat to be deleted by suitable anti-malware software as quickly as possible.

As long as you scan AutoCAD files before opening them and avoid unsafe online content, ACAD/Medre.A should have few opportunities to infect your PC. As a covert thief, ACAD/Medre.A isn't designed to display obvious symptoms of its attacks, and SpywareRemove.com malware experts advise against attempts to detect ACAD/Medre.A without suitable software or the aid of a PC security professional.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to ACAD/Medre.A may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 22.05 KB (22052 bytes)
MD5: 916744d1e7064a5522092f310a7c4ab0
Detection count: 78
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 28, 2012

File name: %AutoCADSupportDirectory%\acad.fas
Mime Type: unknown/fas
Group: Malware file

File name: %AutoCADSupportDirectory%\cad.fas
Mime Type: unknown/fas
Group: Malware file

File name: %AutoCADInstallationFolder%\Support\acad20*.lsp
Mime Type: unknown/lsp
Group: Malware file

File name: %CurrentWorkingDirectoryofdwg%\acad.fas
Mime Type: unknown/fas
Group: Malware file

File name: %CurrentWorkingDirectoryofdwg%\cad.fas
Mime Type: unknown/fas
Group: Malware file

File name: %WinDir%\System32\Acad.fas
Mime Type: unknown/fas
Group: Malware file

File name: %WinDir%\Acad.fas
Mime Type: unknown/fas
Group: Malware file
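The file list above, together with the advice in "Preserving Your Plans" to scan AutoCAD files before opening them, can be turned into a simple host check. The following Python script is an added example and is not code from this page or from any vendor's analysis: it walks a directory tree and reports the indicators listed above, namely an acad.fas or cad.fas sitting beside .dwg files or anywhere else, an acad20*.lsp under a Support folder, and any executable whose MD5 matches the hash given for file.exe. The function names and the sample tree it builds are the example's own constructions; the registry keys listed below are not covered.

```python
"""Added example: report the ACAD/Medre.A file-system indicators from this page
(hypothetical helper, not part of the original write-up)."""
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the page's "File System Modifications" list.
MEDRE_MD5 = "916744d1e7064a5522092f310a7c4ab0"   # hash given for file.exe
FAS_NAMES = {"acad.fas", "cad.fas"}               # dropped loader names
LSP_PATTERN = "acad20*.lsp"                       # autoload script in Support


def md5_of(path: Path) -> str:
    """Stream a file through MD5 so large executables don't need to fit in RAM."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Return sorted (reason, path) findings for every indicator under root.

    Matching is case-insensitive because the page lists both acad.fas and
    Acad.fas and Windows file names are case-insensitive anyway.
    """
    findings: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = [name.lower() for name in files]
        has_dwg = any(name.endswith(".dwg") for name in lower_names)
        for name, lower in zip(files, lower_names):
            full = os.path.join(dirpath, name)
            if lower in FAS_NAMES:
                # A .fas next to drawings is the hijack the page describes
                # (%CurrentWorkingDirectoryofdwg%\acad.fas); elsewhere it is
                # still one of the listed drop locations.
                reason = "fas-beside-dwg" if has_dwg else "fas-dropped"
                findings.append((reason, full))
            elif fnmatch.fnmatchcase(lower, LSP_PATTERN):
                # A stock AutoCAD install also carries an acad20YY.lsp in
                # Support, so this is an item to inspect, not proof by itself.
                findings.append(("lsp-review", full))
            elif lower.endswith(".exe") and md5_of(Path(full)) == MEDRE_MD5:
                # Exact-hash match only catches the sample the page documents.
                findings.append(("md5-match", full))
    return sorted(findings)


def build_demo_tree(root: str) -> None:
    """Constructed sample tree: a clean project, a project with the dropped
    loader, a Support folder with an autoload script, and a benign .exe."""
    clean = Path(root, "projects", "bridge")
    clean.mkdir(parents=True)
    (clean / "deck.dwg").write_bytes(b"constructed dwg stub")
    hit = Path(root, "projects", "tower")
    hit.mkdir(parents=True)
    (hit / "plan.dwg").write_bytes(b"constructed dwg stub")
    (hit / "Acad.fas").write_bytes(b"constructed fas stub")
    support = Path(root, "AutoCAD", "Support")
    support.mkdir(parents=True)
    (support / "acad2012.lsp").write_text("; constructed lsp stub\n")
    windows = Path(root, "Windows")
    windows.mkdir()
    (windows / "file.exe").write_bytes(b"constructed exe stub, hash differs")


def demo() -> list[tuple[str, str]]:
    """Scan the constructed tree and return findings with root-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return [(reason, os.path.relpath(path, root))
                for reason, path in scan_tree(root)]


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:16} {path}")
```

Run against a real workstation, point scan_tree at the user's drawing folders, the AutoCAD Support path and %WinDir%; a .fas in a drawing folder is the strongest signal, while the .lsp hit only says which file to open and read.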


Registry Modifications

The following Registry values were newly created or accessed:

HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Catalog
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Catalog
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Catalog
HKEY_CURRENT_USER\Software\Aerofox\Foxmail "Executable"
