Of Worms Old and New

Code Red is back, crashing some servers, even patched ones, that utilize URL redirection. In addition, McAfee.com warns against the "Peachy" worm, which targets users of Adobe's popular PDF file format.

Anti-virus experts at McAfee.com (NASDAQ:MCAF) say they've discovered a new worm that hides in a PDF file. The worm, called "Peachy", so far affects only users of the full version of the Adobe Acrobat application. The company's AVERT division says this is the first known worm to use a PDF file carrying a VBS (Visual Basic Script) payload that spreads the virus to other PC users.

AVERT experts say the virus does not affect the millions of users of Adobe Systems' (NASDAQ:ADBE) Acrobat Reader, the "viewer" tool commonly associated with PDF files. Because of that, experts say the problem is unlikely to become widespread.

"The good news is that this worm is not in the wild, meaning that we haven't received any reports of this affecting customers on a wide scale yet," says McAfee AVERT virus expert April Goosetree. "It's not spreading that fast, but people need to be aware of the attachment files that are coming in their e-mail."

Remember, having just the Acrobat Reader will not spread the worm.

The VBS/PeachyPDF@MM arrives in an e-mail message containing random information. So far, Goosetree says, there are a few common denominators among the Peachy-infected e-mails. The subject line may start with "Fw: " and may contain "You have one minute to find the peach", "Find the peach", "Find", "Peach", or "Joke". The body of the message usually contains the phrase "Try finding the peach", "Try this", "Interesting search", or "I don't usually send this things, but..."
The attachment is called "find.pdf", "peach.pdf", "find the peach.pdf", "find_the_peach.pdf", "joke.pdf", or "search.pdf". You will know you've been affected if you open the attached .PDF file and a pop-up reads, "You have one minute to find the peach!". A collage of images of naked female buttocks then appears on the screen, one of which is actually the image of a peach. An icon entitled "Double click the icon to show the solution" is also present. If the user has only the Acrobat Reader, this icon is disabled. If the user has the full version of Acrobat, double-clicking it will create and execute the VBScript worm file (Peach.vbs, Peach.vbe, or Peach.wsf, depending on the version of the worm).

McAfee says this VBScript file creates a GIF image named PEACH.JPG and attempts to open it. Because the filename carries the wrong extension, a broken image may appear in your browser or image viewer. The image is supposed to show where the real peach is located: "LINE 1, picture 6".

The worm checks for the presence of a registry key before proceeding. If the key is present the script quits; otherwise it creates it: HKLM\Software\OUTLOOK.PDFWorm

The script then scans the infected hard drive and uses that path when mailing itself out from the infected machine. E-mail addresses are gathered from all of the e-mail messages found in the Microsoft Outlook mail item folders (Inbox, Sent Items, etc.), as well as from the Contacts folder. A new e-mail message is created and the first 100 recipients found are BCCed before it is sent.

To fix the problem, McAfee says its customers can download a patch, but it also suggests filtering .vbs (Visual Basic Script) attachments at the e-mail server. AVERT also recommends using common sense: if you receive an e-mail attachment that you weren't expecting, or you don't know the sender, either scan it for viruses or delete it.
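A mail-gateway check built from the indicators McAfee describes above (lure subjects and body phrases, the known attachment names, and the advice to filter script attachments). This is an added example, not McAfee's or Adobe's code; the sample messages are constructed and the rule labels are my own.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the McAfee AVERT description of VBS/PeachyPDF@MM.
PEACHY_SUBJECTS = ("you have one minute to find the peach", "find the peach",
                   "find", "peach", "joke")
PEACHY_BODY_PHRASES = ("try finding the peach", "try this", "interesting search",
                       "i don't usually send this things")
PEACHY_ATTACHMENTS = ("find.pdf", "peach.pdf", "find the peach.pdf",
                      "find_the_peach.pdf", "joke.pdf", "search.pdf")
# Script types the worm drops; McAfee recommends filtering these at the mail server.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsf")


def attachment_names(msg):
    """Lower-cased filenames of every attachment in an EmailMessage."""
    return [p.get_filename().strip().lower()
            for p in msg.iter_attachments() if p.get_filename()]


def classify(raw):
    """Return the list of reasons a raw RFC 822 message should be quarantined ([] if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    names = attachment_names(msg)
    reasons = []
    # Rule 1: attachment name matches one the worm is known to use.
    if any(n in PEACHY_ATTACHMENTS for n in names):
        reasons.append("peachy-attachment-name")
    # Rule 2: lure subject AND lure body together; "find" or "joke" alone would be too noisy.
    if any(k in subject for k in PEACHY_SUBJECTS) and any(p in body for p in PEACHY_BODY_PHRASES):
        reasons.append("peachy-lure-text")
    # Rule 3: generic policy from the article - block script attachments regardless of lure.
    if any(n.endswith(SCRIPT_EXTENSIONS) for n in names):
        reasons.append("script-attachment")
    return reasons


def build_sample(subject, body, attachment_name):
    """Constructed test message (not a real Peachy capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"%PDF-1.3 placeholder", maintype="application",
                     subtype="pdf", filename=attachment_name)
    return m.as_string()
```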
Meanwhile, back at the White House

Reports have been filtering in that servers running Microsoft Windows NT 4.0 and Microsoft's IIS 4.0 Web server software, and which also utilize URL redirection, are prone to crashing due to the worm. This particular problem does not affect patched versions of IIS 5.0 on Windows 2000. Machines running Windows NT 4.0 or Windows 2000 with unpatched versions of IIS 4.0 or 5.0 are vulnerable to the worm. In this case, however, the crashes occur because when IIS 4.0 is set to redirect URLs it will accept any URL, leaving it vulnerable to an overflow that crashes IIS.

According to a Microsoft IIS Technical Support staffer posting to a message board, Microsoft is working on a fix but it is not yet ready. Currently, the only solution to the problem is to remove all redirected IIS Web sites and URLs from the server, apply the patches Microsoft issued in June, and reboot the server. "Removing the [.ida] script mappings will not avoid all the problems if you are running IIS 4.0," the staffer posted. "Removing the redirections is currently the best solution (this is in addition to installing the fix or removing the script mappings)."

Code Red first appeared in July and was discovered by eEye Digital Security. At the time, eEye said the worm was similar to the sadmind/IIS worm that propagated near the end of the U.S.-China hacker skirmishes in May. The worm exploits a well-known hole in IIS for which Microsoft published a patch in June. Code Red appears to propagate on a cyclical basis, and some officials, particularly Ronald Dick, head of the Federal Bureau of Investigation's National Infrastructure Protection Center, have predicted that there is a good chance the worm will continue to spread periodically.

The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and Advanced Server is available here.