New virus spreads using Acrobat files

By Hector D. Calabia

IDG News Service, Buenos Aires Bureau

(This story has been widely reproduced and translated into several languages.)

 

A worm has just been released that infects PDF (Portable Document Format) files, the format used by Adobe Acrobat. Until now, files of this kind were considered safe and immune from virus infections. The virus is called Outlook.pdf, and it is considered "experimental", with a still reduced infectious capacity.

 

The worm appeared on Tuesday morning and has been analyzed by Bernardo Quinteros, head of the Spanish security firm Hispasec, and Richard M. Smith, CTO of the Privacy Foundation. "Even considering that it is a just-created laboratory virus, this is like a seed of an upcoming deluge of viruses of the same kind in PDF files, a format considered safe up to now", said Quinteros.

 

In order to spread itself, the virus uses Adobe Acrobat and functions of Microsoft Outlook that have never been used before. According to both researchers, the worm uses Outlook to send itself hidden in a PDF file. When opened using Acrobat, the file will show an image with a minor game. Showing the solution to this game involves double clicking a file annotation, which after a warning will run a Visual Basic Script that is the virus proper. The virus spreads itself using all the addresses from the e-mails in any Outlook folder (not just the Address Book) and it will send itself in a PDF file, changing the subject, body and attachment lines each time, disguising itself. An image from the game can be seen at http://www.hispasec.com/pdfworm.gif
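The carrier described above is a PDF whose file annotation holds a script, which is something a mail gateway or analyst can check for before a user opens the attachment. The following triage sketch is an added example, not code from Hispasec, the Privacy Foundation or the original article; the extension list, the verdict labels and the sample bytes (including the name solution.vbs) are constructed for illustration, and it assumes the PDF objects are stored uncompressed and unencrypted.

```python
import re

# Assumed list of script/executable extensions; tune for your environment.
RISKY_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".exe", ".scr")

def _decode_names(data: bytes) -> bytes:
    """Undo #XX hex escapes, which PDF permits inside names (/File#41ttachment)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Flag file-attachment annotations and embedded files in raw PDF bytes."""
    norm = _decode_names(data)
    has_annot = re.search(rb"/Subtype\s*/FileAttachment\b", norm) is not None
    has_embedded = re.search(rb"/Type\s*/EmbeddedFile\b|/EF\s*<<", norm) is not None
    # File specification names appear as /F (name) or /UF (name).
    names = [m.group(1).decode("latin-1")
             for m in re.finditer(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)", norm)]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if (has_annot or has_embedded) and risky:
        verdict = "block"      # attachment carrying a script or executable
    elif has_annot or has_embedded:
        verdict = "review"     # attachment present, type unknown
    else:
        verdict = "pass"
    return {"file_annotation": has_annot, "embedded_file": has_embedded,
            "risky_names": risky, "verdict": verdict}

# Constructed sample: a minimal PDF fragment with an escaped annotation subtype.
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.3\n"
    b"4 0 obj << /Type /Annot /Subtype /File#41ttachment /FS 5 0 R >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (solution.vbs) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n\nendstream endobj\n"
    b"%%EOF\n"
)
# Constructed sample: a PDF fragment with no attachments at all.
SAMPLE_CLEAN = b"%PDF-1.3\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, triage_pdf(blob))
```

A "pass" from a byte-level scan like this is not proof of safety: objects held in compressed object streams or in encrypted documents are not visible to it.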

 

The worm has been created as a "proof of concept", to prove that Adobe Acrobat files can be virus carriers. It has not been optimized for mass distribution, Quinteros said. It requires the presence of both Outlook and the full Acrobat program (not just the Reader, the free utility that most users have installed).

 

"There has been very little public discussion of Adobe Acrobat security issues as far as I can tell. Since PDF files are considered safe by Internet Explorer, it means that Acrobat security holes are easy to exploit from Web pages and HTML email messages," said Privacy Foundation's Smith.

 

The worm has been developed by "Zulu", an Argentine hacker well known in the virus underground as a prolific innovator, creator of "Bubble Boy", "Freelinks", "The_Fly", "Monopoly" and "Life_Stages". In a previous interview by Quinteros, Zulu said that he creates worms just for fun, because he finds it an educational experience, that he does not feel guilty for it, and that his activity is not considered a crime by Argentine legislation yet. According to Quinteros, the worms written by Zulu do not usually carry a dangerous payload by themselves, although they can be adapted to malicious wrong-doing by others.

 

The Web sites of Symantec, Trend Micro and McAfee had not reported the worm yet on Tuesday afternoon.

 

Full details on this new worm can be found at the Bugtraq security list archives at http://securityfocus.com/ and also at Hispasec's site at http://hispasec.com/unaaldia.asp?id=1017.

 

This article was originally published by the IDG World Network of magazines and Web Sites