First PDF Worm Hits PC Users

Anti-virus experts at McAfee.com
say they’ve discovered a new worm that hides in a
PDF file.

The worm called “Peachy” so far
affects only users of the full version of the Adobe Acrobat application.

The Sunnyvale, Calif.-based company’s AVERT division says this is the
first known worm to use a PDF file infected with a VBS (visual basic
script) payload virus that spreads the virus to other PC users.

AVERT experts say the virus does not affect the millions of users of
Adobe Systems‘s
Adobe Reader, the “viewer” tool commonly associated with PDF files.
Because of that, experts say the problem is unlikely to become wide
spread.

“The good news is that it worm is not in the wild, meaning that we
haven’t received any reports of this affecting customers on a wide scale
yet,” says McAfee AVERT virus expert April Goosetree. “It’s not
spreading that fast, but people need to be aware of the attachment files
that are coming in their e-mail.”

Remember, having just the Acrobat reader will not spread the worm.
The VBS/[email protected] arrives in an e-mail message containing random
information.

So far, Goosetree says there are a few common denominators that all
the Peachy-infected e-mails have in common.

The subject line may start with: “Fw: ” and may contain: “You have
one minute to find the peach”, or “Find the peach”, or “Find”, or
“Peach”, or “Joke.”

The body of the message usually contains the phrase “Try finding the
peach”, or “Try this”, or “Interesting search”, or “I don’t usually send
this things, but…”

Certainly the attachment is called “find.pdf “, or “peach.pdf”, or
“find the peach.pdf”, or “find_the_peach.pdf”, or “joke.pdf”, or
“search.pdf”

You will know you’ve been affected if you open the attached .PDF file
and a pop-up display reads, “You have one minute to find the peach!”. A
collogue containing images of naked female buttocks then comes on the
screen, one of which is actually the image of a peach.

An icon entitled, “Double click the icon to show the solution” also
seems to be present. If the user has only the Acrobat Reader, this icon
is disabled. If the user has the full version of Acrobat,
double-clicking it will result in the creation and execution of the
VBScript worm file (Peach.vbs, Peach.vbe, or Peach.wsf ) depending of
the version of the worm.

McAfee says this VBScript file creates a GIF image named PEACH.JPG
and attempts to open it. As this filename contains the wrong extension,
a broken image may appear in your browser/image viewer. The image is
supposed to display where the real peach is located, “LINE 1,picture 6”.
The worm checks for the presence of a registry key before proceeding. If
this key is present the script quits, otherwise it creates it:

HKLMSoftwareOUTLOOK.PDFWorm

The script then scans the infected hard drive and uses that path when
mailing itself out from the infected machine. E-mail addresses are
gathered from all of the e-mail messages found in the Microsoft Outlook
Mail Items folders (Inbox, Sent Items, etc), as well as the Contacts
folder. A new e-mail message is created and the first 100 recipients
found are BCCed to the message before it is sent.

To fix the problem, McAfee says its customers can download a patch, but
suggests filtering out .vbs (Visual Basic Script) attachments from
e-mail servers.

AVERT also recommends using common sense. If you receive a e-mail
attachment that you weren’t expecting or you don’t know the sender, you
should either scan for viruses or delete it.

News Around the Web