[Esa-l]Adobe PDF files can be used as virus carriers (fwd)

John D. Hardin jhardin at impsec.org
Tue Aug 7 14:26:08 PDT 2001

Oh, joy. How do we deal with *this*?

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at impsec.org        pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  In 1998 more than three times as many people in the US were killed
  by incompetent physicians than were killed by handguns, yet the
  President of the A.M.A. is adopting "gun safety" as his platform.
   1183 days until the Presidential Election

---------- Forwarded message ----------
Date: Tue, 7 Aug 2001 11:44:20 -0400
From: Richard M. Smith <rms at privacyfoundation.org>
To: bugtraq at securityfocus.com
Subject: Adobe PDF files can be used as virus carriers


This is an interesting development.  Zulu, a virus writer from South
America, appears to have discovered that Adobe PDF files can be used to
carry computer viruses.  The attached description gives the details.
His little trick uses a PDF file to bypass the new security feature of
Outlook which automatically deletes dangerous file attachments.  With
this security feature, all VBScript attachments are deleted because they
might be computer viruses.  However with Zulu's trick, a malicious
VBScript file can instead be hidden inside a PDF file which Outlook
considers safe.

I don't believe that the anti security research and reverse engineering
provisions of the DCMA apply here, but given Adobe's recent action
against Dmitry Sklyarov, I recommend a bit of caution by anyone looking
into this potential security problem in Adobe Acrobat Reader.  A
conversation with a lawyer might be prudent.

Another interesting question is if Adobe formatted eBooks can also act
as computer virus carriers.

Richard M. Smith
CTO, Privacy Foundation



Virus Name: OUTLOOK.PDFWorm
Author: Zulu
Origin: Argentina

VBScript worm. It uses OUTLOOK to send itself in a PDF (portable
document format) file (first
using this file type).
When opened using Acrobat it will show an image with a minor game.
Showing the solution to this
game involves doing a double click to a file annotation, which after a
warning will run a VBS,
VBE or WSF file (depending of the worm version).
The VBScript file will create and show a JPG file with the solution to
the game and it will try
to find the PDF file to spread it. This is necessary because when the
link is used, Acrobat
will create the VBS, VBE or WSF file in Windows' temporary directory and
it will run this file,
so this VBScript file doesn't know the path of the PDF file to spread.
Then it will start the spreading code using a way of using OUTLOOK not
seen before in any
worm (spreading details can be found in the features section of this
The password for changing the security options of the PDF file is
This worm is designed to be a proof of concept, it has bad spreading
capabilities, only the
necessary to be called a worm. Also, because file annotations are only
available in the full
version of Acrobat, this worm will not run in Acrobat Reader.


- Uses the PDF extension, not seen before in any virus/worm.
- OUTLOOK spreading using new code, not the classic Melissa's code and
it's variations like the
  one from Freelink.
  This new method will get addresses from the recipients of all emails
in any OUTLOOK folder
  and from all address book entries (but taking the first three
addresses of each contact, not
  just the first like most OUTLOOK worms).
  This new method is based in the possibility of reaching contacts from
OUTLOOK folders instead
  of using the objects designed to read address books. So the code will
look inside all OUTLOOK
  folders, and if the items inside them are emails or contacts, it will
get those addresses.
  Subject, body and attachment name will be selected from some random
choices. Also, it will
  limit the amount of emails to 100.
  It will be run only once in each computer since it uses the registry
to check if it was
  already run.
- Good social engineering. I even think that this PDF file would be
manually sent by many of
  those users that are never tired of sending stupid jokes. :)
- To find the PDF file, if Word is installed it will use it to do the
search, if Word is not
  installed, it will search for the file using VBScript code looking in
many common paths and
  all subdirectories of those paths. Both methods will look for PDF
files with their size
  similar to the original worm copy.
- Uses script encoding (in version 1.1 and 1.2).
- The VBScript file shows a JPG file when run, so it will show what the
user expects.

Background information:

I was starting another project, much bigger and with good spreading
capabilities. But that was
very delayed because of time problems, so I decided to try with PDF
files first and then
continue with the other worm when I have time.
I saw four possibilities:

- Using JavaScript with "mailMsg" method.
  It would only work in the full version of Acrobat.
  By using the "mailMsg" method (which uses MAPI) I could send an email
message when the
  document is opened (page open action).
  But the problem was that I was not able of getting email addresses to
send the message to.
- Using the Acrobat menu.
  It would only work in the full version of Acrobat.
  I could use the "Send Mail..." menu option, calling it when the
document is opened (page open
  action). That would open a window from the default email client with
the attachment already
  Here the problem was how to send the necessary keys to send the
message that was already
  opened in that window.
- Using open file action.
  It would work in Acrobat and in Acrobat Reader. It displays a warning.
  By creating an open file action when the document is opened I could
run any file with any
  code inside it.
  But the problem was that I had no file to run. This method could work
for a trojan that runs
  "FORMAT.COM", but not for a worm.
- Using a file annotation.
  It would only work in the full version of Acrobat. It displays a
  Creating a file annotation with my file embedded inside the PDF file I
could run my code.
  Acrobat would create the embedded file in the temporary directory and
it would run the file
  from there.
  This has two problems. One was knowing the path of the PDF file, this
was solved by searching
  the file in the hard disk since looking in the task name would only
give the file name, not
  the full path. The other problem is that it's not possible to open a
file annotation
  automatically when the PDF file is opened since there is no action to
do that and it seems
  that there is no way of getting the file using JavaScript code, so it
was necessary that the
  user manually double clicked the file annotation. This last problem
was not solved.

More information about the esd-l mailing list