New virus targets Acrobat files

A worm that infects portable document format files (PDFs), used by Adobe Systems's Acrobat software, has been identified,...

A worm that infects portable document format files (PDFs), used by Adobe Systems's Acrobat software, has been identified, according to two security organisations.

The worm first appeared on 7 August and has been analysed by Bernardo Quinteros, the head of the Spanish-based security firm HispaSec Sistemas, and Richard M Smith, the chief technical officer of the US-based Privacy Foundation.

Quinteros warned that even though this was a laboratory virus, it highlighted a potentially dangerous weakness in PDF files.

So far, this type of file has been considered safe and immune from virus infections. The virus is called Outlook.pdf, and is considered "experimental", with a small capacity to infect, Quinteros said.

According to both researchers, the worm uses Outlook to hide itself in a PDF file attachment. When opened using Adobe Acrobat, the file launches a game that prompts the user to click on the image of a peach. After the user clicks on the image, a Visual Basic script activates the virus.

The virus spreads itself using all the addresses from the e-mails in any Outlook folder, not just the program's address book, and will send itself in a PDF file, disguising itself by changing the e-mail's subject, body and attachment lines.

The worm was developed by "Zulu", an Argentine hacker who is well known in the virus underground as the prolific innovator responsible for the creation of the Bubble Boy, Freelinks, Fly, Monopoly and Life_Stages viruses.

Zulu created it as a "proof of concept" to show that Adobe Acrobat files can be virus carriers. It has not been optimised for mass distribution, Quinteros said. The virus requires both Outlook and a full version of Adobe Acrobat, not just the Reader, the free utility which most users have installed.

"There has been very little public discussion of Adobe Acrobat security issues as far as I can tell. Since PDF files are considered safe by Internet Explorer, it means that Acrobat security holes are easy to exploit from Web pages and HTML e-mail messages," said Smith.

Further Information
BusTraq security list archives:
The Privacy Foundation:

Read more on Antivirus, firewall and IDS products