Macro virus reborn: ACAD/Medre.A steals drawings using AutoCAD AutoLISP

Remember the Concept virus? Someone wondered if you could make a self-replicating virus with a Microsoft Word macro. It worked; and the proof of concept soon became a real virus causing the usual mayhem and spoiling our clever VBA templates.

Microsoft locked down Office macros fairly effectively; but the idea lived on and has re-emerged as an AutoCAD virus which runs automatically when a drawing is opened. It is not quite the same, as in AutoCAD the code has to be in an external .lsp file, but you can have code in the S::STARTUP function run when a document loads, as explained in the documentation here. The malware relies on the fact that when drawings are emailed, users often archive an entire folder rather than sending a single file. This is how the virus spreads.

Most of the actual malicious code is not in AutoLISP, but in the more familiar form of VBScript files to which the code calls out. The malware then emails AutoCAD drawings to addresses in China – a rather crude mechanism for stealing data, but apparently somewhat effective since on investigation the target mailboxes were found overflowing with messages.
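As an added illustration, not code from the article or from ESET's paper, here is a small Python triage script of the kind a defender could run over a project folder before it is zipped and emailed (or over an archive just received). It looks for the two things described above: an AutoLISP file that defines S::STARTUP, and AutoLISP that hands control to an external script or process. It assumes AutoCAD's standard auto-load file names acad.lsp and acaddoc.lsp and uses the AutoLISP calls startapp, vlax-get-or-create-object and vl-file-copy plus script-host names as call-out indicators; the sample folder it builds is constructed for the demo and the "drawing" in it is a placeholder, not a real DWG.

```python
"""Triage a shared drawing folder for AutoLISP auto-load hooks (added example)."""
import re
import tempfile
from pathlib import Path

# Files AutoCAD loads on its own: acad.lsp once per session, acaddoc.lsp for
# every drawing opened. An S::STARTUP defined in either runs with no user action.
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp"}

STARTUP_RE = re.compile(r"\(\s*defun\s+S::STARTUP\b", re.IGNORECASE)
# AutoLISP calls that leave the drawing (process launch, COM object, file copy),
# plus Windows script-host names and the .vbs extension. Indicator list is an
# assumption for this example, not an exhaustive signature.
EXTERNAL_RE = re.compile(
    r"\b(startapp|vlax-get-or-create-object|vl-file-copy)\b|wscript|cscript|\.vbs\b",
    re.IGNORECASE,
)


def analyze_lisp(name, text):
    """Return the list of indicators found in one AutoLISP source file."""
    findings = []
    if name.lower() in AUTOLOAD_NAMES:
        findings.append("auto-load filename")
    if STARTUP_RE.search(text):
        findings.append("defines S::STARTUP")
    if EXTERNAL_RE.search(text):
        findings.append("calls out to external script or process")
    return findings


def scan_folder(root):
    """Walk a folder; map each .lsp/.mnl (path relative to root) to its indicators."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".lsp", ".mnl"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            report[path.relative_to(root).as_posix()] = analyze_lisp(path.name, text)
    return report


def suspicious(report):
    """Files to pull aside before the folder is archived or emailed: anything
    with a startup hook or an external call-out, whatever it is named."""
    return sorted(
        p for p, f in report.items()
        if "defines S::STARTUP" in f or "calls out to external script or process" in f
    )


def build_sample_folder():
    """Constructed fixture: a project folder as a user might zip and send it."""
    root = Path(tempfile.mkdtemp(prefix="dwg-scan-"))
    (root / "plans").mkdir()
    # Placeholder bytes standing in for a drawing; not a real DWG file.
    (root / "plans" / "site.dwg").write_bytes(b"AC1024" + b"\0" * 16)
    # Benign helper: defines a command, runs nothing when loaded.
    (root / "plans" / "tools.lsp").write_text('(defun c:hello () (princ "hello"))\n')
    # Constructed suspicious auto-load file modelled on the article's description:
    # a startup hook that launches a script host on a .vbs file.
    (root / "plans" / "acad.lsp").write_text(
        '(defun S::STARTUP ()\n  (startapp "wscript.exe" "helper.vbs")\n)\n'
    )
    return root


if __name__ == "__main__":
    folder = build_sample_folder()
    rep = scan_folder(folder)
    for p, f in sorted(rep.items()):
        print(f"{p}: {', '.join(f) or 'clean'}")
    print("quarantine:", suspicious(rep))
```

Running it prints one line per AutoLISP file with its indicators and a final quarantine list containing only plans/acad.lsp. The auto-load filename by itself is reported but not treated as grounds for quarantine, since many legitimate shops ship an acaddoc.lsp; the hook definition and the call-out are what matter, and a compiled .fas or .vlx would need a different check since its source is not readable as text.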

The threat is serious though. Much intellectual property and many future product plans are contained in AutoCAD drawings.

Security vendor ESET’s white paper [PDF] describes the attack in detail.

According to ESET, the combined efforts of Autodesk, Chinese ISP Tencent, and the Chinese National Computer Virus Emergency Response Center have contained the virus for now. There is also a free clean-up utility here: http://download.eset.com/special/EACADMedreCleaner.exe.