New virus spreads using Acrobat files

From...

By Hector Calabia

(IDG) -- A worm that infects PDF files used by Adobe Systems' Acrobat software was identified Tuesday, according to two security organizations.

The worm appeared on Tuesday morning and has been analyzed by Bernardo Quinteros, head of the Madrid-based security firm HispaSec Sistemas and Richard M. Smith, chief technical officer of the U.S.-based Privacy Foundation.

"Even considering that it is a just-created laboratory virus, this is like a seed of an upcoming deluge of viruses of the same kind in PDF files, a format considered safe up to now," said Quinteros.

The virus is called "Outlook.pdf," and it is considered "experimental," with a small capacity to infect, Quinteros said.

IDG.net INFOCENTER NWFusion main page Network World Fusion's product reviews Net.Worker: Resources for teleworkers Free daily newsletters Related IDG.net Stories Code Red hits DSL routers, cable-modem networks Code Red II crashes dinner for Internet experts Virus-writing group denies involvement with Code Red Features Network security begins at home Any port is a hacker storm DSL bloodbath continues Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

In order to spread itself, the virus uses Adobe Acrobat and functions of Microsoft's Outlook that have never been used before. According to both researchers, the worm uses Outlook to send itself hidden in a PDF file. When opened using Acrobat, the file launches a game that prompts the user to click on the image of a peach. After the user clicks on the image, a Visual Basic script is run and the virus gets activated, they said.

The virus spreads itself using all the addresses from the e-mails in any Outlook folder, not just the program's Address Book, and it will send itself in a PDF file, disguising itself by changing the e-mail's subject, body and attachment lines every time, they said.

The worm was developed by "Zulu," an Argentine hacker well-known in the virus underground as a prolific innovator. He also created the "Bubble Boy," "Freelinks," "The Fly," "Monopoly," and "Life_Stages" viruses, according to Quinteros.

Zulu created it as a "proof of concept," to prove that Adobe Acrobat files can be virus carriers, and it has not been optimized for mass distribution, Quinteros said. The worm requires the presence of both Outlook and the full Acrobat program, not just the Reader, the free utility that most users have installed.

"There has been very little public discussion of Adobe Acrobat security issues as far as I can tell. Since PDF files are considered safe by Internet Explorer, it means that Acrobat security holes are easy to exploit from Web pages and HTML e-mail messages," the Privacy Foundation's Smith said in an e-mail exchange with the IDG News Service.

Zulu told Quinteros in a previous interview that he creates worms just for fun. He finds it an educational experience, does not feel guilty about doing it and his actions are not considered a crime under Argentine law yet. The worms written by Zulu do not usually carry a dangerous payload by themselves, although they can be adapted and made malicious by others, according to Quinteros.