New worm steals AutoCAD files

Insecurity experts have found a worm designed to steal blueprints, design documents and other files created with AutoCAD.

Righard Zwienenberg of ESET dubbed the worm ACAD/Medre.A and has spotted it spreading through infected AutoCAD templates.

Talking to Wired, he said that the blueprints are being mailed to email addresses in China.

Zwienenberg said that the worm’s infection rates are dropping at this point and it did not seem to be part of a targeted attack upon a company.

It first appeared six months ago and seemed to be jolly interested in machines in Peru, perhaps looking for the mythical home for retired bears’ long-lost marmalade factory.

ACAD/Medre.A was written in AutoLISP, a specialized version of the LISP scripting language that’s used in AutoCAD.

The attackers used specific URLs to spread the infected template to targets.

Zwienenberg said that the attack vector was to hit the company and all those who did business with it. So the malware would mostly show up in Peru and neighbouring countries.

The worm modifies the startup file for AutoLISP and then goes through some configuration routines.

ACAD/Medre.A then begins e-mailing the AutoCAD drawings that are opened to a recipient with an e-mail account at the Chinese internet provider.

It will use 22 accounts at and 21 accounts at, another Chinese internet provider.

It accesses and with the different account credentials. Zwienenberg wrote that port 25 should never be allowed to contact anything other than your ISP, and that any other traffic on it should be blocked.
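One way to check that port 25 advice against firewall logs, as an added example that is not from ESET or the original article: the script flags internal hosts that attempt SMTP on port 25 to anything other than an approved relay. The log format, the relay address 192.0.2.25 and the 10.0.0.0/8 internal range are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the ISP relay is the only approved SMTP destination (constructed address).
ALLOWED_RELAYS = {ipaddress.ip_address("192.0.2.25")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed flow-log lines: timestamp src_ip dst_ip dst_port proto action
SAMPLE_LOG = """\
2012-06-21T09:14:02Z 10.1.4.17 192.0.2.25 25 tcp allow
2012-06-21T09:14:40Z 10.1.4.23 198.51.100.7 25 tcp allow
2012-06-21T09:15:11Z 10.1.4.23 198.51.100.7 25 tcp allow
2012-06-21T09:15:30Z 10.1.4.23 203.0.113.9 25 tcp allow
2012-06-21T09:16:05Z 10.1.4.31 198.51.100.7 443 tcp allow
2012-06-21T09:17:45Z 10.1.4.40 203.0.113.9 25 tcp deny
malformed line
"""

def find_direct_smtp(log_text, allowed=ALLOWED_RELAYS, internal=INTERNAL_NET):
    """Return {src: {"allowed": n, "blocked": n, "dests": set}} for internal
    hosts that tried TCP/25 to anything other than an approved relay."""
    hits = defaultdict(lambda: {"allowed": 0, "blocked": 0, "dests": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        _ts, src, dst, port, proto, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparsable addresses
        if proto != "tcp" or port != "25":
            continue  # only SMTP on port 25 is of interest here
        if src_ip not in internal or dst_ip in allowed:
            continue  # mail handed to the approved relay is expected
        entry = hits[src]
        # "allowed" > 0 means the egress rule is missing; "blocked" > 0 means
        # the rule works but the host is still worth investigating.
        entry["blocked" if action == "deny" else "allowed"] += 1
        entry["dests"].add(dst)
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_direct_smtp(SAMPLE_LOG).items()):
        print(host, info["allowed"], "allowed,", info["blocked"], "blocked ->",
              sorted(info["dests"]))
```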

Kaspersky Labs said the software was an uncontrolled attack, that it was hard to say who the target was, and that it did not seem to be government sponsored. Victims also appear to be spread worldwide.