A worm that infects portable document format (PDF) files, used by Adobe Systems Inc.’s Acrobat software, was identified Tuesday, according to two security organizations.
The worm appeared on Tuesday morning and has been analyzed by Bernardo Quinteros, head of the Madrid, Spain-based security firm HispaSec Sistemas, and Richard M. Smith, chief technical officer of the U.S.-based Privacy Foundation. “Even considering that it is a just-created laboratory virus, this is like a seed of an upcoming deluge of virus of the same kind in PDF files, a format considered safe up to now,” said Quinteros.
Until now, this type of file had been considered safe and immune from virus infections. The virus is called Outlook.pdf, and it is considered “experimental”, with a small capacity to infect, Quinteros said.
In order to spread itself, the virus uses Adobe Acrobat and functions of Microsoft Corp.’s Outlook that have never been used before. According to both researchers, the worm uses Outlook to send itself hidden in a PDF file. When opened using Acrobat, the file will launch a game that prompts the user to click on the image of a peach. After the user clicks on the image, a Visual Basic script is run and the virus gets activated, they said.
The virus spreads itself using all the addresses from the e-mails in any Outlook folder, not just the program’s Address Book. It sends itself in a PDF file, disguising itself by changing the e-mail’s subject, body and attachment lines every time, they said. An image from the game can be seen at http://www.hispasec.com/pdfworm.gif
The worm was developed by “Zulu”, an Argentine hacker well known in the virus underground as a prolific innovator and the creator of the “Bubble Boy”, “Freelinks”, “The_Fly”, “Monopoly” and “Life_Stages” viruses, according to Quinteros.
Zulu created it as a “proof of concept” to show that Adobe Acrobat files can be virus carriers, and it has not been optimized for mass distribution, Quinteros said. It requires the presence of both Outlook and the full Acrobat program, not just the Reader, the free utility that most users have installed.
“There has been very little public discussion of Adobe Acrobat security issues as far as I can tell. Since PDF files are considered safe by Internet Explorer, it means that Acrobat security holes are easy to exploit from Web pages and HTML email messages,” the Privacy Foundation’s Smith said in an e-mail exchange with the IDG News Service.
Zulu told Quinteros in a previous interview that he creates worms just for fun, because he finds it an educational experience, that he does not feel guilty about doing it, and that his actions are not yet considered a crime under Argentine law. The worms written by Zulu do not usually carry a dangerous payload by themselves, although they can be adapted by others for malicious purposes, according to Quinteros.
Full details on this new worm can be found at the Bugtraq security list archives at http://securityfocus.com/ and also at Hispasec’s site at http://hispasec.com. The Privacy Foundation is at http://www.privacyfoundation.org.