30 April 2010, 12:00

PDF files spread Windows worm

Adobe PDF Logo Anti-virus software vendors are reporting further efforts by criminals to use crafted PDF files to infect Windows systems with malware. Following recent dissemination of documents containing the ZeuS bot, now spam is spreading a PDF that contains a worm.

Scripts or exe files embedded in PDF files can be executed by means of the Launch Actions/Launch File function. Although Adobe Reader does ask users whether they want to run an embedded file, the message box can be configured such that the user has no reason to suspect that something untoward is about to happen.

Sources, including IBM's X-Force, are currently reporting spam with the subject line "Setting for your mailbox are changed". The email claims the attached PDF contain instructions for reconfiguring the user's e-mail account. Although Adobe Reader does display a warning when the PDF file is opened, some users are likely to simply click the open button to view the document. This results in the PDF file executing a VBScript which writes the file game.exe to the computer and then executes it.

The file contains the worm Win32/Auraax. For good measure, Auraax installs a rootkit and attempts to write itself to any drives (e.g. USB drives) connected to the system. Although most anti-virus software detects the malware it is advisable to deactivate the "Allow opening of non-PDF file attachments with external applications" option from the Edit/Preferences/Trust Manager menu in Adobe Reader. This option is activated by default. Foxit Reader is likewise susceptible to such attacks and also displays a warning, but there is no option to disable the Launch function.

Because a warning message is displayed, Adobe does not classify this security problem as critical. Adobe considers it to be a useful function which only becomes a problem when used incorrectly.

See also: