August 7, 2001 7:45 PM PDT

New virus travels in PDF files

Adobe's popular PDF file format--known to anyone who's ever called up a tax form on the IRS Web site--has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible.

On Tuesday morning, Network Associates' McAfee antivirus division became aware of the first virus--known as "Peachy"--that uses PDF to spread, said Vincent Gullotto, senior director of McAfee's Avert group.

Fortunately, those who are simply viewing a PDF, or Portable Document Format, file aren't vulnerable. The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files.

"There is no way for this to affect Acrobat Reader," said Adobe's Sarah Rosenbaum, director of Acrobat product management. "The code in Acrobat that recognizes attachments does not exist in Reader."

Peachy exploits an Acrobat feature that allows people to embed other files within a PDF--attachments that can be opened only by people using Acrobat.

"Right now it's considered to be a low risk because we haven't seen it reported to us from a customer," Network Associates' Gullotto said.

But the Peachy virus raises the issue that PDF files--widely used to display documents within Web browsers and e-mail--could become a new channel for spreading viruses.

"What I'm concerned about here is that this could be a new frontier," said Richard Smith, chief technology officer of the Privacy Foundation. "It's considered to be a safe file format." Smith posted news of the virus to the Bugtraq security mailing list Tuesday.

It's clear that if Adobe modified future versions of Reader so that it could read attachments embedded in PDF files, the program could fall victim to Peachy's descendants.

Rosenbaum said that while it's possible Adobe might add attachment-handling capability in future editions of Acrobat Reader, the company has no immediate plans to do so.

Smith said he believes Acrobat Reader software could prove susceptible in any case. Indeed, the Computer Emergency Response Team posted news of a vulnerability in the Windows version of Acrobat in November 2000 that could let an outside attacker gain control over the computer of a person who simply viewed a PDF file. Adobe patched that hole.

Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

"I think the attraction...has reached a critical level recently," Rosenbaum said. "It's only been in the last 18 to 24 months that PDF...use has really exploded."

How Peachy works
Acrobat lets people embed different file types within a PDF, including everything from the VBScript programs--used in the LoveLetter virus--to an actual executable program, Gullotto said.

Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a VBScript file.

The virus then spreads to others using e-mail addresses collected from Microsoft Outlook, Gullotto said. Hiding the VBScript file in a PDF document bypasses the filters in newer versions of Outlook that ordinarily screen out VBScript files.

However, these more recent versions of Outlook, such as Outlook 2002 or those that have been patched with a security update, do take measures that hamper viruses such as Peachy, said David Jaffe, lead product manager for Microsoft Office. Although PDF files--and whatever embedded programs are hidden in them--aren't screened out, Outlook warns the user when a virus or other automated process tries to access Outlook's address book or use the program to send e-mail, Jaffe said.

Through an agreement with Adobe announced in June, McAfee's software can scan PDF files, Gullotto said. However, as with other virus types, the software isn't always able to catch new viruses until its definitions are updated.

Updated virus descriptions released by McAfee next week will be able to detect Peachy, Gullotto said.

But Adobe doesn't currently plan to prevent VBScript or other files from running.

To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," Rosenbaum said. "If they change their opinion, we will do what they want."

People with the full version of Acrobat will have to exercise caution when opening attachments to PDF files. However, opening attachments isn't automatic: A cautionary dialog box asks if a person wants to proceed.
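
A defender's view of the filter bypass described under "How Peachy works", as an added example that is not part of the original article or any vendor's scanner: a mail-gateway style check that looks inside a PDF for declared file attachments and flags script or executable names. The extension list, function names and sample bytes are constructed for illustration; the /Filespec, /EmbeddedFile, /F and /UF keys come from the PDF specification.

```python
import re

# Extensions a mail filter would normally block as direct attachments
# (constructed list for this example, not taken from the article).
RISKY_EXT = {".vbs", ".vbe", ".js", ".exe", ".scr", ".bat", ".com", ".pif"}

_NAME = re.compile(rb"/[^\s/<>\[\]()]+")
_NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
# /F or /UF key followed by a literal string: the attachment's file name.
_FILENAME = re.compile(rb"/(?:F|UF)\s*\(((?:\\.|[^\\()])*)\)", re.S)
_STR_ESC = re.compile(rb"\\(?:([0-7]{1,3})|(.))", re.S)


def _normalize_names(data):
    # PDF names may spell letters as #xx hex escapes (/Embedded#46ile).
    unhex = lambda h: bytes([int(h.group(1), 16)])
    return _NAME.sub(lambda m: _NAME_HEX.sub(unhex, m.group(0)), data)


def _unescape(raw):
    # Literal strings may hide characters as octal (\056 is ".").
    def rep(m):
        return bytes([int(m.group(1), 8) & 0xFF]) if m.group(1) else m.group(2)
    return _STR_ESC.sub(rep, raw)


def embedded_attachments(pdf_bytes):
    """Return [(file_name, is_risky)] for attachments declared in a PDF.

    Raw byte scan: objects inside compressed object streams are not
    visible here and need a full PDF parser.
    """
    data = _normalize_names(pdf_bytes)
    if b"/Filespec" not in data and b"/EmbeddedFile" not in data:
        return []
    found = {}
    for m in _FILENAME.finditer(data):
        name = _unescape(m.group(1)).decode("latin-1")
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        found[name] = ext in RISKY_EXT
    return list(found.items())


# Constructed sample: a PDF fragment declaring one attached script file.
SAMPLE = (
    b"%PDF-1.4\n5 0 obj\n"
    b"<< /Type /Filespec /F (attachment.vbs) /EF << /F 6 0 R >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Embedded#46ile /Length 13 >>\n"
    b"stream\n' placeholder\nendstream\nendobj\n"
)

if __name__ == "__main__":
    print(embedded_attachments(SAMPLE))
```

A filter that judges only the outer `.pdf` extension never sees the inner name; this check reports it so the same block list can be applied to what the PDF carries.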

10 comments

A new VIRUS>>>>
Hi, I currently work for Microsoft as a technical support agent. Recently I have noticed a new trend in computers that have been locking their users out of the computer, requesting a password to reopen the computer. There is no way out of this problem considering the users are all administrators with blank passwords. This one is going to be nasty.
Posted by (2 comments )
This is exactly what's been happening to me.

So is there no way to fix it..??
Posted by DnllTorres (1 comment )
There's a place on this link to click for a pdf. When I do, I get a disk error. What does that mean? Does this webpage/pdf have a virus that I can't detect?

Thanks,
Ken
Posted by kenlatall (1 comment )
I have also seen my virus scanner go off with this from advertisements on websites that try to install in the temp internet folder.
Posted by jenkins_tia (1 comment )
I have had to reformat my computer 4 times in 3 days because every time I download Adobe Flash player, after the first run I lose access to my dvd/rw drive and I can't restore my computer to a previous point. Neither my virus protection, spyware protection or system registry detect anything. Is there a safe version of flash player?
Posted by Arsenick (1 comment )
Today when using my iPad and trying to open a document, it kept asking me for my password. Certainly sounds suspicious. Could this virus also affect my iPad?
Posted by evbanda (1 comment )
Having the same problem. Opened a pdf which actually was RAR, and after that all my pdf files do not open as they are password protected.
Posted by naughtypic (1 comment )
My computer got fully infected by a mail attachment called document.PDF. It emptied my hard disk; I lost more than 700$. I need to give a cyber case.
Posted by aswinboys (1 comment )
My pdfs die after a while and cannot be opened. I have found out a virus affects my files because files in older folders stay healthy. Please help with suggestions.
Posted by Mohini Hersom (1 comment )
I downloaded a PDF file from a friend and accessed it like a fool... I have two AVs running and neither found anything wrong with it, but I am absolutely sure it's a virus.
Posted by captainandy14 (1 comment )
 
