Adobe PDF files can be used as virus carriers

From: Richard M. Smith (rmsat_private)
Date: Tue Aug 07 2001 - 08:44:20 PDT


    Hello,
    
    This is an interesting development.  Zulu, a virus writer from South
    America, appears to have discovered that Adobe PDF files can be used to
    carry computer viruses.  The attached description gives the details.
    His little trick uses a PDF file to bypass the new security feature of
    Outlook which automatically deletes dangerous file attachments.  With
    this security feature, all VBScript attachments are deleted because they
    might be computer viruses.  However with Zulu's trick, a malicious
    VBScript file can instead be hidden inside a PDF file which Outlook
    considers safe.
    
    I don't believe that the anti-security-research and reverse-engineering
    provisions of the DMCA apply here, but given Adobe's recent action
    against Dmitry Sklyarov, I recommend a bit of caution by anyone looking
    into this potential security problem in Adobe Acrobat Reader.  A
    conversation with a lawyer might be prudent.
    
    Another interesting question is if Adobe formatted eBooks can also act
    as computer virus carriers.
    
    Richard M. Smith
    CTO, Privacy Foundation
    http://www.privacyfoundation.org
    
    ====================================================================
    
    http://www.coderz.net/zulu/outlook.pdfworm.txt
    
    Virus Name: OUTLOOK.PDFWorm
    Author: Zulu
    Origin: Argentina
    
    VBScript worm. It uses OUTLOOK to send itself in a PDF (portable
    document format) file (first using this file type).
    When opened using Acrobat it will show an image with a minor game.
    Showing the solution to this game involves doing a double click on a
    file annotation, which after a warning will run a VBS, VBE or WSF file
    (depending on the worm version).
    The VBScript file will create and show a JPG file with the solution to
    the game and it will try to find the PDF file to spread it. This is
    necessary because when the link is used, Acrobat will create the VBS,
    VBE or WSF file in Windows' temporary directory and it will run this
    file, so this VBScript file doesn't know the path of the PDF file to
    spread.
    Then it will start the spreading code using a way of using OUTLOOK not
    seen before in any worm (spreading details can be found in the features
    section of this file).
    The password for changing the security options of the PDF file is
    "OUTLOOK.PDFWorm".
    This worm is designed to be a proof of concept; it has bad spreading
    capabilities, only the necessary to be called a worm. Also, because file
    annotations are only available in the full version of Acrobat, this worm
    will not run in Acrobat Reader.
    
    Features:
    
    - Uses the PDF extension, not seen before in any virus/worm.
    - OUTLOOK spreading using new code, not the classic Melissa's code and
      its variations like the one from Freelink.
      This new method will get addresses from the recipients of all emails
      in any OUTLOOK folder and from all address book entries (but taking
      the first three addresses of each contact, not just the first like
      most OUTLOOK worms).
      This new method is based on the possibility of reaching contacts from
      OUTLOOK folders instead of using the objects designed to read address
      books. So the code will look inside all OUTLOOK folders, and if the
      items inside them are emails or contacts, it will get those addresses.
      Subject, body and attachment name will be selected from some random
      choices. Also, it will limit the amount of emails to 100.
      It will be run only once in each computer since it uses the registry
      to check if it was already run.
    - Good social engineering. I even think that this PDF file would be
      manually sent by many of those users that are never tired of sending
      stupid jokes. :)
    - To find the PDF file, if Word is installed it will use it to do the
      search; if Word is not installed, it will search for the file using
      VBScript code looking in many common paths and all subdirectories of
      those paths. Both methods will look for PDF files with their size
      similar to the original worm copy.
    - Uses script encoding (in version 1.1 and 1.2).
    - The VBScript file shows a JPG file when run, so it will show what the
      user expects.
    
    Background information:
    
    I was starting another project, much bigger and with good spreading
    capabilities. But that was very delayed because of time problems, so I
    decided to try with PDF files first and then continue with the other
    worm when I have time.
    I saw four possibilities:
    
    - Using JavaScript with "mailMsg" method.
      It would only work in the full version of Acrobat.
      By using the "mailMsg" method (which uses MAPI) I could send an email
      message when the document is opened (page open action).
      But the problem was that I was not able to get email addresses to
      send the message to.
    - Using the Acrobat menu.
      It would only work in the full version of Acrobat.
      I could use the "Send Mail..." menu option, calling it when the
      document is opened (page open action). That would open a window from
      the default email client with the attachment already added.
      Here the problem was how to send the necessary keys to send the
      message that was already opened in that window.
    - Using open file action.
      It would work in Acrobat and in Acrobat Reader. It displays a warning.
      By creating an open file action when the document is opened I could
      run any file with any code inside it.
      But the problem was that I had no file to run. This method could work
      for a trojan that runs "FORMAT.COM", but not for a worm.
    - Using a file annotation.
      It would only work in the full version of Acrobat. It displays a
      warning.
      Creating a file annotation with my file embedded inside the PDF file I
      could run my code. Acrobat would create the embedded file in the
      temporary directory and it would run the file from there.
      This has two problems. One was knowing the path of the PDF file; this
      was solved by searching the file in the hard disk since looking in the
      task name would only give the file name, not the full path. The other
      problem is that it's not possible to open a file annotation
      automatically when the PDF file is opened since there is no action to
      do that, and it seems that there is no way of getting the file using
      JavaScript code, so it was necessary that the user manually double
      clicked the file annotation. This last problem was not solved.
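Editor's added example (not part of Smith's post and not Zulu's code): a small Python scanner for the two PDF mechanisms the write-up relies on, a FileAttachment annotation whose embedded file has a script extension (VBS, VBE or WSF, which Acrobat extracts to the temporary directory and runs after a warning) and a Launch ("open file") action. It works by regex over the raw bodies of uncompressed indirect objects, using only the standard library, so it cannot see objects packed into compressed object streams and only warns when those are present. The sample PDF is constructed here for illustration (minimal, no xref table, not meant to be opened in a viewer); the extensions beyond VBS/VBE/WSF, the severity labels and the JavaScript check are this example's own assumptions.

```python
"""Flag the PDF features the OUTLOOK.PDFWorm write-up relies on:
FileAttachment annotations carrying script files and Launch actions.
Added example; regex-based, standard library only, uncompressed objects only."""
import re

# Extensions the Windows shell or Windows Script Host executes on
# double-click.  The write-up names VBS, VBE and WSF; the rest are an
# assumption added for completeness.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsf", ".js", ".jse", ".exe",
                     ".com", ".bat", ".cmd", ".pif", ".scr"}

# "N G obj ... endobj" for every uncompressed indirect object.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /F (name) or /UF (name) inside a file specification or Launch action.
FILENAME_RE = re.compile(rb"/(?:F|UF)\s*\(((?:\\.|[^\\)])*)\)")


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> raw body for each uncompressed indirect object."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def _deref(objs: dict, body: bytes, key: bytes) -> bytes:
    """Follow '/key N G R' to the referenced object; else keep the inline dict."""
    m = re.search(rb"/" + key + rb"\s+(\d+)\s+\d+\s+R", body)
    return objs.get(int(m.group(1)), b"") if m else body


def _filename(body: bytes) -> str:
    """First /F or /UF string in a file spec or action, '?' if none."""
    m = FILENAME_RE.search(body)
    return m.group(1).decode("latin-1") if m else "?"


def scan_pdf(pdf: bytes) -> list:
    """Return (severity, object number, description) tuples."""
    objs = parse_objects(pdf)
    findings = []
    for num, body in objs.items():
        # The worm's vector: a file annotation whose /FS file spec names a
        # script; Acrobat drops it into the temp directory and runs it after
        # one warning when the user double-clicks the annotation.
        if re.search(rb"/Subtype\s*/FileAttachment\b", body):
            name = _filename(_deref(objs, body, b"FS"))
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            sev = "HIGH" if ext in SCRIPT_EXTENSIONS else "INFO"
            findings.append((sev, num, f"FileAttachment annotation embeds {name!r}"))
        # The "open file action" alternative: a Launch action, e.g. on open.
        if re.search(rb"/S\s*/Launch\b", body):
            findings.append(("HIGH", num, f"Launch action targets {_filename(body)!r}"))
        # The mailMsg alternative needs document JavaScript; worth a look.
        if re.search(rb"/S\s*/JavaScript\b", body):
            findings.append(("MEDIUM", num, "JavaScript action present"))
    # Objects inside compressed object streams are invisible to this scanner.
    if b"/ObjStm" in pdf:
        findings.append(("WARN", 0, "object streams present; some objects not inspected"))
    return findings


# Constructed sample: a page with two file annotations (one .vbs, one .txt)
# and a Launch action wired to the catalog's /OpenAction.  No xref table.
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 8 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /FileAttachment /Rect [100 100 120 120]
   /Contents (double-click for the solution) /FS 5 0 R >>
endobj
5 0 obj
<< /Type /Filespec /F (solution.vbs) /EF << /F 7 0 R >> >>
endobj
6 0 obj
<< /Type /Action /S /Launch /F (cmd.exe) >>
endobj
7 0 obj
<< /Type /EmbeddedFile /Length 17 >>
stream
MsgBox "solution"
endstream
endobj
8 0 obj
<< /Type /Annot /Subtype /FileAttachment /Rect [200 100 220 120]
   /FS << /F (notes.txt) >> >>
endobj
"""

if __name__ == "__main__":
    for sev, num, what in scan_pdf(SAMPLE_PDF):
        print(f"{sev:6} obj {num}: {what}")
```

Run it as a script to see the three findings from the sample; for a real file, pass `open(path, "rb").read()` to `scan_pdf`. A WARN line means the file uses object streams and needs a real PDF parser (one that inflates /ObjStm) before any negative result can be trusted.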
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 10:17:48 PDT