Trend Micro researchers recently uncovered AutoCAD malware that's disguised as a legitimate AutoCAD component with a .fas extension.
The malware, which Trend Micro identifies as ACM_SHENZ.A, first creates a user account with administrative rights on the infected system, then creates network shares for all drives from C: to I:, and opens four ports on the system: ports 137-139 and 445.
"These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports, and miscellaneous communications between nodes on a network running on Windows," explains Trend Micro threat response engineer Anthony Joe Melgarejo. "By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched."
According to Trend Micro's analysis of the malware, ACM_SHENZ.A generally arrives on a system either as a file dropped by other malware or as a file unknowingly downloaded by victims when visiting malicious sites.
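A triage check for two of the behaviours described above (whole-drive shares on C: to I: and listeners on ports 137-139 and 445), written as an added example that is not Trend Micro's code. It parses text in the layout of Windows `net share` and `netstat -an` output; the sample output and the share names in it are constructed, and skipping the built-in administrative shares is an assumption, since the article does not say how the malware names its shares.

```python
import re

# From the article: shares on drives C: to I:, ports 137-139 and 445.
DRIVE_ROOT = re.compile(r"^([C-I]):\\?$", re.IGNORECASE)
SMB_PORTS = {137, 138, 139, 445}

# Constructed sample output; the share names shr_c / shr_d are hypothetical.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark
-----------------------------------------------------------
C$           C:\                             Default share
shr_c        C:\
shr_d        D:\
Reports      E:\Reports
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED
  UDP    10.0.0.5:137           *:*
"""

def drive_root_shares(text):
    """Return (share, path) pairs from `net share` output that expose a whole drive C:-I:."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, resource = parts[0], parts[1]
        m = DRIVE_ROOT.match(resource)
        # Assumption: built-in admin shares (C$, D$, ...) are Windows defaults, so skip them.
        if m and name.upper() != m.group(1).upper() + "$":
            hits.append((name, resource))
    return hits

def smb_listeners(text):
    """Return sorted (proto, port) pairs from `netstat -an` bound locally on the SMB ports."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue  # outbound or established connections are not listeners
        port = parts[1].rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in SMB_PORTS:
            found.add((parts[0], int(port)))
    return sorted(found)
```

Listeners on these ports are normal on many Windows hosts with file sharing enabled, so treat them as context for any whole-drive share hits rather than as an indicator on their own.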