New Virus Developed That Spreads Using Acrobat Files

BY HECTOR CALABIA, IDG NEWS SERVICE (August 08, 2001)

A worm that infects Portable Document Format (PDF) files used by San Jose-based Adobe Systems Inc.'s Acrobat software was identified Tuesday, according to two security organizations.

The worm appeared on Tuesday morning and has been analyzed by Bernardo Quinteros, head of the Madrid-based security firm HispaSec Sistemas, and Richard M. Smith, chief technical officer of the Denver-based Privacy Foundation.

"Even considering that it is a just-created laboratory virus, this is like a seed of an upcoming deluge of [viruses] of the same kind in PDF files, a format considered safe up to now," said Quinteros.

Until now, that type of file had been considered safe and immune from virus infections. The virus is called Outlook.pdf and is considered experimental, with a small capacity to infect, he said.

In order to spread itself, the virus uses Adobe Acrobat and functions of Microsoft Corp.'s Outlook that have never been used before. According to both researchers, the worm uses Outlook to send itself hidden in a PDF file. When opened using Acrobat, the file will launch a game that prompts the user to click on the image of a peach. After the user clicks on the image, a Visual Basic script is run and the virus gets activated, they said.

The virus spreads itself using all the addresses from the e-mails in any Outlook folder, not just the program's Address Book. It sends itself in a PDF file, disguising itself by changing the e-mail's subject, body and attachment lines every time, they said. An image from the game can be seen at HispaSec's Web site.

The worm was developed by "Zulu," an Argentine hacker known in the virus underground as a prolific innovator whose creations include the Bubble Boy, Freelinks, The_Fly, Monopoly and Life_Stages viruses, according to Quinteros.

Zulu created the worm as a "proof of concept" to show that Adobe Acrobat files can be virus carriers, and it hasn't been optimized for mass distribution, Quinteros said. It requires the presence of both Outlook and the full Acrobat program, not just the Reader, the free utility that most users have installed.

"There has been very little public discussion of Adobe Acrobat security issues as far as I can tell," the Privacy Foundation's Smith said in an e-mail exchange with the IDG News Service. "Since PDF files are considered safe by Internet Explorer, it means that Acrobat security holes are easy to exploit from Web pages and HTML e-mail messages."

Zulu told Quinteros in a previous interview that he creates worms just for fun because he finds it an educational experience, that he doesn't feel guilty about doing it, and that his actions aren't yet considered a crime under Argentine law. The worms written by Zulu don't usually carry a dangerous payload themselves, but they can be adapted for malicious use by others, Quinteros said.
