May 2013 – We are writing to inform you of an AutoCAD-borne Trojan virus that has been discovered on computers at some of our design firm clients.
The Trojan appears to be non-destructive. Upon information and belief, its primary purpose is industrial espionage – at least one variant of this malware was designed to send copies of DWG files to a file sharing site in China, but that site was subsequently shut down.[1] Consequently, that particular Trojan is mainly a nuisance, but one that should be eradicated, since it will inhibit your ability to transfer files to third parties if their anti-virus software detects its presence. Perhaps more importantly, you may be facilitating the unauthorized release of confidential client information.
Not all anti-virus software detects the Trojan because it is embedded in a compiled AutoCAD LISP file named "acad.fas." The file is locked and hidden. When the user opens any AutoCAD file in the same folder as acad.fas, the malware starts a recursive search of all drives the user has mapped, and injects itself into any folder the user has access to that contains a DWG file. It continues to do so for as long as AutoCAD runs. Given enough time and broad enough access, it will eventually find every DWG file on a network. It will typically also infect the user’s profile and the local hard drive if they contain DWG files.
At this time, we do not know the source of the virus, the final destination of the DWG files, or if the DWG files are actually sent to a third party. We recommend that you take action to determine whether your office computer(s) may be infected and take steps to remove this virus from your computer(s) as soon as possible. Once the files are removed, it does not appear to have any further effects.
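As a starting point for that check, the following added example (not part of the original notice, and not a vendor tool) walks one or more folders or mapped drives and lists every file named acad.fas, along with how many DWG files share its folder and whether the file is hidden. It only reports and changes nothing; treating the Windows read-only attribute as the "locked" state described above is an assumption, and each hit is a candidate for review rather than proof of infection.

```python
import os
import stat
import sys

TARGET = "acad.fas"  # file name given in the notice, matched case-insensitively


def _win_flags(path):
    """Return (hidden, read_only) from Windows file attributes.

    On non-Windows systems st_file_attributes is absent, so both are False.
    Assumption: the "locked" state in the notice maps to the read-only bit.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            bool(attrs & stat.FILE_ATTRIBUTE_READONLY))


def find_candidates(roots):
    """Walk each root and return one record per acad.fas found."""
    hits = []
    for root in roots:
        # onerror swallows folders the current user cannot read
        for folder, _dirs, files in os.walk(root, onerror=lambda e: None):
            names = [f for f in files if f.lower() == TARGET]
            if not names:
                continue
            dwg_count = sum(f.lower().endswith(".dwg") for f in files)
            for name in names:
                path = os.path.join(folder, name)
                try:
                    hidden, read_only = _win_flags(path)
                except OSError:
                    hidden = read_only = False
                hits.append({"path": path, "dwg_in_folder": dwg_count,
                             "hidden": hidden, "read_only": read_only})
    return hits


if __name__ == "__main__":
    # Usage: python find_acad_fas.py <folder or drive> [...]; defaults to "."
    found = find_candidates(sys.argv[1:] or ["."])
    for hit in found:
        print("{path}\tdwg={dwg_in_folder}\thidden={hidden}\t"
              "read_only={read_only}".format(**hit))
    print("%d candidate file(s) found" % len(found))
```

Run it against the user profile, the local hard drive, and each mapped drive, since the notice lists all of these as places the file is copied to.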
If you discover you have the Trojan and you have shared AutoCAD files in any way, including but not limited to transfers on flash drives, email, personal computers, and FTP sites, please forward this notification to any potentially impacted parties.
We strongly recommend that you take the necessary steps to remove this virus from your computer as soon as possible; failure to do so may affect your ability to exchange DWG files.
[1] See this article