McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• OUTLOOK.PDFWorm

• VBS.PDFWorm.A (AVX)

• VBS.PeachyPDF@mm (NAV)

Characteristics

This mass-mailing worm is embedded inside a .PDF file. However, as it requires the full version of Adobe Acrobat (ver 5 or higher) in order to propagate, it is unlikely to become wide spread. Having just the Acrobat reader will not spread the worm. VBS/PeachyPDF@MM arrives in an email message containing random information. Below is a list of strings that are chosen at random to make up the various parts of the message

Subject:
May start with: "Fw: "
May contain: "You have one minute to find the peach", or "Find the peach", or "Find", or "Peach", or "Joke"
May end with: "!", or "> "

Body:
May start with: "> "
May contain: "Try finding the peach", or "Try this", or "Interesting search", or "I don't usually send this things, but...", or any one of the subject lines
May end with: "!", or " :-)", or " :)", or " =)", or " :-]"

Attachment: "find.pdf ", or "peach.pdf", or "find the peach.pdf", or "find_the_peach.pdf", or "joke.pdf", or "search.pdf"

Opening the attached .PDF file will display a document which reads, "You have one minute to find the peach!". A collogue containing images of naked female buttocks is displayed, one of which is actually the image of a peach. An icon entitled, "Double click the icon to show the solution" is also present. If the user has only the Acrobat Reader, this icon is disabled. If the user has the full version of Acrobat, double-clicking it will result in the creation and execution of the VBScript worm file (Peach.vbs, Peach.vbe, or Peach.wsf [depending of the version of the worm]).

This VBScript file creates a GIF image named PEACH.JPG and attempts to open it. As this filename contains the wrong extension, a broken image may appear in your browser/image viewer. The image is supposed to display where the real peach is located, "LINE 1,picture 6". The worm checks for the presence of a registry key before proceeding. If this key is present the script quits, otherwise it creates it:

HKLM\Software\OUTLOOK.PDFWorm\

The script then scans for the location of the infectious .PDF file on the hard drive and uses that path when mailing itself out from the infected machine. Email addresses are gathered from all of the email messages found in the Microsoft Outlook Mail Items folders (Inbox, Sent Items, etc), as well as the Contacts folder. A new email message is created as described above and the first 100 recipients found are BCCed to the message before it is sent.

Symptoms

- Display of a PDF document containg the text: "You have one minute to find the peach!"
- Presence of the file PEACH.JPG in the WINDOWS TEMP directory
- Acrobat users may see this warning message:

Method of Infection

This is the first known virus to use Adobe Acrobat and .PDF files as a method of propagation. It is embedded inside a .PDF document and uses functionality of the full version of Acrobat to extract and execute files.

Removal

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• OUTLOOK.PDFWorm

• VBS.PDFWorm.A (AVX)

• VBS.PeachyPDF@mm (NAV)

Characteristics

Characteristics -

This mass-mailing worm is embedded inside a .PDF file. However, as it requires the full version of Adobe Acrobat (ver 5 or higher) in order to propagate, it is unlikely to become wide spread. Having just the Acrobat reader will not spread the worm. VBS/PeachyPDF@MM arrives in an email message containing random information. Below is a list of strings that are chosen at random to make up the various parts of the message

Subject:
May start with: "Fw: "
May contain: "You have one minute to find the peach", or "Find the peach", or "Find", or "Peach", or "Joke"
May end with: "!", or "> "

Body:
May start with: "> "
May contain: "Try finding the peach", or "Try this", or "Interesting search", or "I don't usually send this things, but...", or any one of the subject lines
May end with: "!", or " :-)", or " :)", or " =)", or " :-]"

Attachment: "find.pdf ", or "peach.pdf", or "find the peach.pdf", or "find_the_peach.pdf", or "joke.pdf", or "search.pdf"

Opening the attached .PDF file will display a document which reads, "You have one minute to find the peach!". A collogue containing images of naked female buttocks is displayed, one of which is actually the image of a peach. An icon entitled, "Double click the icon to show the solution" is also present. If the user has only the Acrobat Reader, this icon is disabled. If the user has the full version of Acrobat, double-clicking it will result in the creation and execution of the VBScript worm file (Peach.vbs, Peach.vbe, or Peach.wsf [depending of the version of the worm]).

This VBScript file creates a GIF image named PEACH.JPG and attempts to open it. As this filename contains the wrong extension, a broken image may appear in your browser/image viewer. The image is supposed to display where the real peach is located, "LINE 1,picture 6". The worm checks for the presence of a registry key before proceeding. If this key is present the script quits, otherwise it creates it:

HKLM\Software\OUTLOOK.PDFWorm\

The script then scans for the location of the infectious .PDF file on the hard drive and uses that path when mailing itself out from the infected machine. Email addresses are gathered from all of the email messages found in the Microsoft Outlook Mail Items folders (Inbox, Sent Items, etc), as well as the Contacts folder. A new email message is created as described above and the first 100 recipients found are BCCed to the message before it is sent.

Symptoms

Symptoms -

- Display of a PDF document containg the text: "You have one minute to find the peach!"
- Presence of the file PEACH.JPG in the WINDOWS TEMP directory
- Acrobat users may see this warning message:

Method of Infection

Method of Infection -

This is the first known virus to use Adobe Acrobat and .PDF files as a method of propagation. It is embedded inside a .PDF document and uses functionality of the full version of Acrobat to extract and execute files.

Removal -

Removal -

Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Variants

Variants -

N/A