RealTime IT News

First PDF Worm Hits PC Users

Anti-virus experts at McAfee.com say they've discovered a new worm that hides in a PDF file.

The worm, called "Peachy," so far affects only users of the full version of the Adobe Acrobat application.

The Sunnyvale, Calif.-based company's AVERT division says this is the first known worm to use a PDF file carrying a VBS (Visual Basic Script) payload that spreads the virus to other PC users.

AVERT experts say the virus does not affect the millions of users of Adobe Systems' Adobe Reader, the "viewer" tool commonly associated with PDF files. Because of that, experts say the problem is unlikely to become widespread.

"The good news is that the worm is not in the wild, meaning that we haven't received any reports of this affecting customers on a wide scale yet," says McAfee AVERT virus expert April Goosetree. "It's not spreading that fast, but people need to be aware of the attachment files that are coming in their e-mail."

Remember, having just the Acrobat Reader will not spread the worm. The VBS/PeachyPDF@MM worm arrives in an e-mail message containing random information.

So far, Goosetree says, the Peachy-infected e-mails share a few common denominators.

The subject line may start with: "Fw: " and may contain: "You have one minute to find the peach", or "Find the peach", or "Find", or "Peach", or "Joke."

The body of the message usually contains the phrase "Try finding the peach", or "Try this", or "Interesting search", or "I don't usually send this things, but..."

The attachment is called "find.pdf", or "peach.pdf", or "find the peach.pdf", or "find_the_peach.pdf", or "joke.pdf", or "search.pdf".

You will know you've been affected if you open the attached .PDF file and a pop-up display reads, "You have one minute to find the peach!". A collage containing images of naked female buttocks then comes on the screen, one of which is actually the image of a peach.

An icon entitled "Double click the icon to show the solution" also seems to be present. If the user has only the Acrobat Reader, this icon is disabled. If the user has the full version of Acrobat, double-clicking it will result in the creation and execution of the VBScript worm file (Peach.vbs, Peach.vbe, or Peach.wsf), depending on the version of the worm.

McAfee says this VBScript file creates a GIF image named PEACH.JPG and attempts to open it. As this filename contains the wrong extension, a broken image may appear in your browser/image viewer. The image is supposed to display where the real peach is located, "LINE 1,picture 6". The worm checks for the presence of a registry key before proceeding. If this key is present, the script quits; otherwise it creates it:

HKLM\Software\OUTLOOK.PDFWorm\

The script then scans the infected hard drive and uses that path when mailing itself out from the infected machine. E-mail addresses are gathered from all of the e-mail messages found in the Microsoft Outlook Mail Items folders (Inbox, Sent Items, etc), as well as the Contacts folder. A new e-mail message is created and the first 100 recipients found are BCCed to the message before it is sent.

To fix the problem, McAfee says its customers can download a patch, but suggests filtering out .vbs (Visual Basic Script) attachments from e-mail servers.

AVERT also recommends using common sense. If you receive an e-mail attachment that you weren't expecting or you don't know the sender, you should either scan for viruses or delete it.
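The subject, body and attachment-name indicators listed above, together with the advice to filter .vbs attachments, can be combined into a mail-gateway style check. This is an added example, not McAfee's or the article's code; the function names, the quarantine rule and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed in the article, compared case-insensitively.
# Subjects are matched as the whole subject (after "Fw:") to limit false
# positives; that choice is an assumption of this example.
SUBJECTS = {"you have one minute to find the peach", "find the peach",
            "find", "peach", "joke"}
BODY_PHRASES = ("try finding the peach", "try this", "interesting search",
                "i don't usually send this things, but")
ATTACHMENTS = {"find.pdf", "peach.pdf", "find the peach.pdf",
               "find_the_peach.pdf", "joke.pdf", "search.pdf"}
# .vbs is the extension the article says to filter; .vbe and .wsf are the
# other script types it names for the dropped worm file (added assumption).
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf")

def score_message(raw: bytes) -> dict:
    """Return which Peachy indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    if subject.startswith("fw:"):
        subject = subject[3:].strip()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part else ""
    names = [(p.get_filename() or "").strip().lower()
             for p in msg.iter_attachments()]
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(phrase in body for phrase in BODY_PHRASES),
        "attachment": any(n in ATTACHMENTS for n in names),
        "script_attachment": any(n.endswith(SCRIPT_EXTS) for n in names),
    }
    # Quarantine any script attachment, or a listed PDF name backed by a text
    # indicator; a lone weak hit such as the subject "Joke" is only reported.
    hits["quarantine"] = hits["script_attachment"] or (
        hits["attachment"] and (hits["subject"] or hits["body"]))
    return hits

def make_sample(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message (not a real worm sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```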