LHRIC > Technical Services > Virus Alert

	TECHNICAL SERVICES
	home \| search \| contact \| Virus Central
	Providing timely, reliable & cost-effective technical support

Virus Central - Detailed

Virus Information
Name:	VBS/PeachyPDF@MM
Aliases:	OUTLOOK.PDFWorm, VBS.PDFWorm.A (AVX), VBS.PeachyPDF@mm (NAV)
Type:	Virus
Discovery Date:	08/07/2001
Detection:	- Display of a PDF document containg the text: "You have one minute to find the peach!" - Presence of the file PEACH.JPG in the WINDOWS TEMP directory - Acrobat users may see this warning message:

Virus Description:	This mass-mailing worm is embedded inside a .PDF file. However, as it requires the full version of Adobe Acrobat (ver 5 or higher) in order to propagate, it is unlikely to become wide spread. Having just the Acrobat reader will not spread the worm. VBS/PeachyPDF@MM arrives in an email message containing random information. Below is a list of strings that are chosen at random to make up the various parts of the message. This is the first known virus to use Adobe Acrobat and .PDF files as a method of propagation. It is embedded inside a .PDF document and uses functionality of the full version of Acrobat to extract and execute files.
E-mail Subject:	May start with: "Fw: " May contain: "You have one minute to find the peach", or "Find the peach", or "Find", or "Peach", or "Joke" May end with: "!", or "> "
E-mail Body:	May start with: "> " May contain: "Try finding the peach", or "Try this", or "Interesting search", or "I don't usually send this things, but...", or any one of the subject lines May end with: "!", or " :-)", or " :)", or " =)", or " :-]"
Attachment:	Attachment: "find.pdf ", or "peach.pdf", or "find the peach.pdf", or "find_the_peach.pdf", or "joke.pdf", or "search.pdf"

Virus Effects:

Opening the attached .PDF file will display a document which reads, "You have one minute to find the peach!". A collogue containing images of naked female buttocks is displayed, one of which is actually the image of a peach. An icon entitled, "Double click the icon to show the solution" is also present. If the user has only the Acrobat Reader, this icon is disabled. If the user has the full version of Acrobat, double-clicking it will result in the creation and execution of the VBScript worm file (Peach.vbs, Peach.vbe, or Peach.wsf [depending of the version of the worm]).

This VBScript file creates a GIF image named PEACH.JPG and attempts to open it. As this filename contains the wrong extension, a broken image may appear in your browser/image viewer. The image is supposed to display where the real peach is located, "LINE 1,picture 6". The worm checks for the presence of a registry key before proceeding. If this key is present the script quits, otherwise it creates it:

HKLM\Software\OUTLOOK.PDFWorm\

The script then scans for the location of the infectious .PDF file on the hard drive and uses that path when mailing itself out from the infected machine. Email addresses are gathered from all of the email messages found in the Microsoft Outlook Mail Items folders (Inbox, Sent Items, etc), as well as the Contacts folder. A new email message is created as described above and the first 100 recipients found are BCCed to the message before it is sent.

Removal Instructions:

Use specified engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.