
Unreleased Virus Targets Acrobat Files

Hacker writes Outlook.pdf to prove PDF files are vulnerable, researchers say.

A worm that infects PDF (Portable Document Format) files, generated by Adobe Acrobat, has been created in a lab. While it is not "in the wild," its birth shows PDF files are not immune from infection.

The worm appeared Tuesday and was analyzed by Bernardo Quinteros, head of the Madrid-based security firm HispaSec Sistemas, and Richard Smith, chief technical officer of the Privacy Foundation.

"Even considering that it is a just-created laboratory virus, this is like a seed of an upcoming deluge of viruses of the same kind in PDF files, a format considered safe up to now," Quinteros says.

The virus is called Outlook.pdf, and it is considered "experimental," with a small capacity to infect, Quinteros adds.

To travel, Outlook.pdf uses Acrobat and Microsoft Outlook functions differently than previous worms did. Both researchers say the worm uses Outlook to send itself hidden in a PDF file. When opened using Acrobat, the file launches a game that prompts the user to click on the image of a peach. That click triggers a Visual Basic script that activates the virus, they say.

The virus spreads by using all the addresses from e-mail messages in any Outlook folder, not just the program's Address Book. It embeds itself into a PDF file, disguising itself by changing the e-mail's subject, body, and attachment lines every time, they say. The researchers have posted an image from the game.

Just Experimenting

The worm has been developed by "Zulu," an Argentine hacker well known in the virus underground as a prolific innovator, according to Quinteros.

Zulu created it as a "proof of concept," to prove that Adobe Acrobat files can be virus carriers. It requires the presence of both Outlook and the full Acrobat program, not just the Reader, the free utility that most users have installed.

It is unclear whether Zulu is targeting Adobe's software with his newest invention because of recent hacker community animosity toward Adobe. The company initially sought, then withdrew, a complaint against Russian programmer Dmitry Sklyarov. At the recent Def Con security conference, the programmer demonstrated a utility that breaks the copy protection of electronic books produced by Adobe Acrobat.

"There has been very little public discussion of Adobe Acrobat security issues as far as I can tell. Since PDF files are considered safe by Internet Explorer, it means that Acrobat security holes are easy to exploit from Web pages and HTML e-mail messages," says the Privacy Foundation's Smith.

Zulu has told Quinteros he creates worms just for fun, because he finds it an educational experience. He does not feel guilty about doing it, and the actions are not yet considered a crime under Argentine law. The worms Zulu has written do not usually carry a dangerous payload by themselves, although they can be adapted for malicious use by others, according to Quinteros.
