Monday, March 27, 2017

New Industrial espionage worm steals AutoCAD drawings

ACAD/Medre.A, a worm that steals AutoCAD drawings and sends them to remote servers, was recently discovered infecting a large number of computers in Peru and some other Latin American countries.

As worrying as the malware may be, its geographically confined spread means that not many people have heard of it or are concerned about it. Still, those who have and are looking for tools to remove it could be in for another nasty surprise: ESET researchers have unearthed a website that claims to provide one such tool.

The website alleges that the worm redirects searches, alters the desktop image, slows down the computer and the Internet connection, causes uninvited pop-up windows, corrupts the Windows registry, “carries” Trojans and keyloggers and, finally, that it “displays several fake infections of fake security threats on your computer and then state that you should buy the program in order to remove the infections.”

Given that much false information, it is no surprise that the tool on offer does nothing about the worm and instead installs other, unneeded files. The download purports to be Spyware Doctor, a product of the legitimate company PC Tools, but it is nothing of the sort. The executable drops three files on the computer: FixNCR.reg, SpyHunter-Installer.exe and SpeedyPC Pro Installer.exe.

The first claims to delete the registry entries altered by ACAD/Medre.A, but simply deletes other, harmless registry entries.
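A .reg file is plain text, so a "fix" like FixNCR.reg can be audited before it is ever imported: every key it would delete is written as `[-HKEY_...]` and every value it would delete as `"Name"=-`. The parser below is an added example, not code from the article or from ESET, and the sample .reg text inside it is constructed for illustration; it is not the contents of the real FixNCR.reg, which the article does not reproduce. Running it over a downloaded "cleaner" shows exactly which registry keys and values would disappear, which is the check that would have exposed this tool as deleting unrelated entries.

```python
"""Audit a Windows .reg file (Regedit 5.00 / REGEDIT4 format) before importing it.

Added example; SAMPLE_REG is a constructed file, not the real FixNCR.reg.

Syntax recap:
  [HKEY_...\Key]    create or modify a key
  [-HKEY_...\Key]   delete the key and everything under it
  "Name"="data"     set a value (hex:/dword: data also allowed)
  "Name"=-          delete a value
  @=...             the (Default) value of the current key
  a trailing '\'    continues the line (used for long hex data)
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class RegAction:
    kind: str            # "delete_key", "set_key", "delete_value", "set_value"
    key: str
    value: Optional[str] = None
    data: Optional[str] = None


def _logical_lines(text: str) -> Iterator[str]:
    """Yield stripped lines with '\\' continuations joined."""
    buf: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        buf = line if buf is None else buf + line
        if buf.endswith("\\"):
            buf = buf[:-1]          # continuation: keep accumulating
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def parse_reg(text: str) -> List[RegAction]:
    """Turn .reg text into the list of registry operations it would perform."""
    actions: List[RegAction] = []
    key: Optional[str] = None
    for line in _logical_lines(text):
        low = line.lower()
        if not line or line.startswith(";") or low.startswith("windows registry editor") or line == "REGEDIT4":
            continue                # blank, comment or file header
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            actions.append(RegAction("delete_key" if m.group(1) else "set_key", key))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            data = m.group(3).strip()
            if data == "-":
                actions.append(RegAction("delete_value", key, name))
            else:
                actions.append(RegAction("set_value", key, name, data))
            continue
        raise ValueError(f"unrecognised .reg line: {line!r}")
    return actions


def report(text: str) -> dict:
    """Summarise what importing the file would destroy or change."""
    actions = parse_reg(text)
    return {
        "keys_deleted": [a.key for a in actions if a.kind == "delete_key"],
        "values_deleted": [(a.key, a.value) for a in actions if a.kind == "delete_value"],
        "values_set": [(a.key, a.value) for a in actions if a.kind == "set_value"],
    }


# Constructed sample: a "cleaner" that deletes an unrelated file-association key
# and an autorun value, then plants its own autorun entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample -- not the real FixNCR.reg

[-HKEY_CURRENT_USER\Software\Classes\.txt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"=-
"Helper"="C:\\Program Files\\Example\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="Example Corp"
"Blob"=hex:00,01,02,\
  03,04
"""

if __name__ == "__main__":
    summary = report(SAMPLE_REG)
    for section, items in summary.items():
        print(f"{section}:")
        for item in items:
            print("   ", item)
```

Any `keys_deleted` or `values_deleted` entry that is not a known indicator of the malware you are trying to remove is a reason not to import the file; a genuine removal script from a vendor names the specific keys the worm created, and nothing else.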

The second executable is said to detect the worm on infected systems. Not surprisingly, this tool does not work as advertised either.

The third dropped executable seems to do a thorough job, detecting 63 different pieces of malware on the system, including the aforementioned SpyHunter, but not ACAD/Medre.A.

The user is then urged to buy the solution that will get rid of all this malware, at a cost of $119 per year.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing.
