What is the nature of the malware?
ACAD/Medre.A is an AutoLISP program disguised as an acad.fas file. When a user opens a DWG from a folder containing this file, the malware sends a copy of the DWG by email (using the SMTP protocol). For additional information on AutoLISP-based malware, see: AutoCAD and Viruses.
ACAD/Medre.A is also known as: ALisp/Blemfox.A (Microsoft), Trojan.Acad.Bursted.W (BitDefender), ALS.Bursted.B (Symantec).
Which Autodesk products may be affected?
The malware targets AutoCAD releases 2000 and newer, and other products based on AutoCAD. AutoCAD LT, AutoCAD for Mac and other Autodesk products are not affected.
How can I know if my system is infected?
The malware is easily detectable by major antivirus solutions with up-to-date virus definitions. We recommend users perform a full virus scan to see if their system is infected by this malware.
There are alternative methods of detecting possible infections by this malware:
- acad.fas or cad.fas files on your system may indicate the presence of this malware. You can search for these files in Windows Explorer. Since these files could be hidden, you may need to show hidden files using the following Microsoft solution: Show Hidden Files.
- Search for acad.fas from the AutoCAD command line by typing (findfile "acad.fas"), including the parentheses.
If the search finds a match, compare an MD5 or SHA-1 cryptographic hash of the discovered acad.fas file with the following values: MD5: 7b563740f41e495a68b70cbb22980b20; SHA-1: 43ea33bedadc9bfc92c570b316b78b6fd9787f09. If the MD5 or SHA-1 hash values match, your system is infected. For more information on how to compute an MD5 or SHA-1 hash, see: How to compute the MD5 or SHA-1 cryptographic hash values for a file.
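The file search and hash comparison described above can be scripted. The following Python sketch is an added example, not Autodesk code: it walks a folder tree, finds acad.fas and cad.fas files (including hidden ones), and compares their hashes with the values published in this FAQ. The function names and the constructed sample files in demo() are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Hash values of the malicious acad.fas as published in this FAQ.
KNOWN_MD5 = "7b563740f41e495a68b70cbb22980b20"
KNOWN_SHA1 = "43ea33bedadc9bfc92c570b316b78b6fd9787f09"
SUSPECT_NAMES = {"acad.fas", "cad.fas"}

def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def scan(root, known_md5=KNOWN_MD5, known_sha1=KNOWN_SHA1):
    """Return [(path, verdict)] for every suspect file name under root.
    'match' = hash equals a published value; 'review' = name only."""
    findings = []
    # os.walk also lists files carrying the Windows "hidden" attribute.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SUSPECT_NAMES:  # Windows names are case-insensitive
                continue
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = hash_file(path)
            except OSError:
                findings.append((path, "unreadable"))
                continue
            hit = md5 == known_md5 or sha1 == known_sha1
            findings.append((path, "match" if hit else "review"))
    return findings

def demo():
    """Scan a constructed tree of harmless stand-in files (not real malware)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "proj", "sub"))
        stand_in = os.path.join(root, "proj", "ACAD.FAS")
        with open(stand_in, "wb") as fh:
            fh.write(b"constructed stand-in bytes")
        with open(os.path.join(root, "proj", "sub", "cad.fas"), "wb") as fh:
            fh.write(b"different constructed bytes")
        md5, sha1 = hash_file(stand_in)  # stand-in hashes replace the published ones
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), v)
                      for p, v in scan(root, md5, sha1))
```

To check a real system, call scan() on the AutoCAD support folders and on the folders that hold your drawings. A "review" verdict means only the file name matched, so that file still needs a virus scan or manual inspection.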
How can I remediate the infection?
This malware can be remediated through leading commercial antivirus solutions. Autodesk has confirmed that Microsoft, Trend Micro, McAfee, Symantec, Avira, and Kaspersky antivirus solutions can clean this malware. We have also verified that ESET’s ACAD/Medre.A stand-alone cleaner can clean this malware. We will update this FAQ as we test additional antivirus solutions.
What best practices can I follow to reduce my chances of being infected?
We recommend users protect their systems through use of an antivirus solution with up-to-date virus definitions. In addition, the following best practices can reduce the chance of an infection:
- Do not open archive files (e.g. zip) from unknown users.
- Do not run an unknown AutoLISP file without inspecting it first.
- The following Autodesk knowledge base article also provides additional best practices:
AutoCAD and Viruses