PDF Has Fallen Victim to the Internet Worm "Peach"

08 Aug 2001
Virus News

Kaspersky Lab, an international data-security software developer, announces the detection of the Internet worm "Peach", which uses PDF files (Adobe Acrobat) to spread.

"Peach" is an average malicious script program written in the Visual Basic Script (VBS) programming language. Its distinctive feature is the ability to use PDF files as a carrier. This ability relies on the internal format of PDF files, which allows a malefactor to plant other types of programs, including VBS programs, inside them.

"Peach" is delivered to target computers as an attachment to an e-mail message. The attachment's filename, as well as the message's subject and body, are randomly selected from a list contained in the worm's code. After the attachment is executed, "Peach" launches Adobe Acrobat or Adobe Acrobat Reader (if they are installed on the given computer) and shows a document with indecent content.

The PDF file invites the user to play a simple game: find a peach in the picture shown. To speed things up, the user is offered the option of clicking on an embedded object to find out the answer. Once the embedded object is activated, Adobe Acrobat (not Adobe Acrobat Reader, which simply has no features for executing embedded objects) extracts the VBS code, copies it to a temporary folder and launches it. The virus code then creates a JPG file on disk and displays it using Internet Explorer. Following this, the worm tries to find its host PDF file on disk, and if it finds the file, it sends it to the recipients listed in the Outlook Address Book. It is important to note that "Peach" does not infect other PDF files. It spreads only the host PDF file, i.e. the one the worm was launched from. The worm carries no other payload.
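For mail-gateway or analyst triage of the carrier technique described above, the following added example (not Kaspersky Lab's code) flags PDF files that declare embedded files or carry script-typed attachment names. The marker names come from the PDF specification; treating them as the representation of the "embedded object" is an assumption, since the article does not describe the worm's internal structure, and the sample bytes are constructed.

```python
import re
from collections import Counter

# Name tokens from the PDF specification that mark embedded files or launch actions.
SUSPECT_NAMES = {"/EmbeddedFile", "/EmbeddedFiles", "/FileAttachment", "/Launch"}
# Script/executable extensions that are unexpected inside a document attachment.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".wsf", ".bat", ".exe")

NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")
# File specification entries such as "/F (answer.vbs)". Nested or escaped
# parentheses inside the string are not handled (triage simplification).
FILENAME_RE = re.compile(rb"/U?F\s*\(([^)]*)\)")


def decode_name(token: bytes) -> str:
    """Undo the #xx hex escapes PDF permits in names, e.g. /Embedded#46ile."""
    raw = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Report embedded-file markers and script-typed attachment names in raw PDF bytes."""
    names = Counter(decode_name(t) for t in NAME_RE.findall(data))
    markers = {n: names[n] for n in sorted(SUSPECT_NAMES) if names[n]}
    attached = [f.decode("latin-1") for f in FILENAME_RE.findall(data)]
    scripts = [f for f in attached if f.lower().endswith(SCRIPT_EXTENSIONS)]
    return {"markers": markers, "script_attachments": scripts,
            "suspicious": bool(markers or scripts)}


# Constructed sample: a PDF fragment with an attached file named like a script.
# One name is hex-escaped to show why names must be decoded before matching.
SAMPLE_CARRIER = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Filespec /F (answer.vbs) /EF << /F 2 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Embedded#46ile /Length 55 >> stream\n"
    b"' constructed placeholder, not real script content\n"
    b"endstream endobj\n"
    b"3 0 obj << /Subtype /FileAttachment /FS 1 0 R >> endobj\n%%EOF\n"
)
# Constructed sample: a PDF fragment with no embedded files.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("carrier", SAMPLE_CARRIER), ("clean", SAMPLE_CLEAN)):
        print(label, triage_pdf(blob))
```

The scan reads raw bytes only, so markers stored inside compressed object streams (a later PDF feature) would need decompression first.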

At this time, Kaspersky Lab has not received any reports from users infected by the Peach Internet worm.

A more in-depth description of the Peach Internet worm can be found in the Kaspersky Virus Encyclopedia.