Vulnerability Development mailing list archives
Stealth executables (clarified)
From: griffinb () HOTKEY NET AU (Brad Griffin)
Date: Thu, 28 Oct 1999 11:00:58 +1000
Hi all. I had a query concerning the copy of the article I posted concerning stealth executables. It concerned the way in which a macro virus could be passed using an RTF file. Here is part of my reply (thanks to Michael for prompting me to clarify):

Hi all (no PGP sig, new mail client)

I recently posted an article to a mailing list concerning the way the Melissa macro virus can hide in RTF files. Actually, I sent a copy of an article that was on the 'Langalist'. I had a query as to how a macro virus could be executed under an RTF document. Here is part of my reply:

RTF files cannot contain macro code, or should I say, cannot execute macro code. However, there are macro viruses (Melissa variants included) that will force a file to be saved as a Word DOC even though the user attempts to save as an RTF file. This file will have the extension RTF, but retain all the properties of a DOC file. When this file is sent to an unsuspecting user via email, and they 'double click' on the file, MS Word will attempt to open it. As the Word program recognises the file by its properties, not the extension, it will open it as a Word document and execute the virus code.

A workaround would be to open the document with Notepad. If it is a true RTF file it will appear as ASCII text with {\rtf at the head of the document. If it is a DOC file, it will show as binary 'mush'.

I won't rant about the importance of having correctly configured and updated anti-virus software. Nor will I harp on about virus checking and rejecting of files received by 'unknowns' via email.

Cheers,

**********************
Brad Griffin
Infotech undergrad & email addict
CQU, Rockhampton Aust.
Useful links:
http://www.avp.ru
http://www.pgpi.org
http://spamcop.net
***********************
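
The Notepad check described in the post above, automated as an added example (not part of the original message): it reads the first bytes of each file named .rtf and reports those whose content is not RTF. The function names and sample files are hypothetical, and the OLE2 compound-file signature used to recognise a Word 97-2003 DOC is an assumption not stated in the post.

```python
import os
import tempfile

RTF_MAGIC = b"{\\rtf"                            # a true RTF file begins with this text
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file, the Word 97-2003 DOC container


def sniff(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if header.startswith(OLE2_MAGIC):
        return "ole2-doc"
    if header.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def audit(paths):
    """Return (file name, detected type) for each *.rtf file whose content is not RTF."""
    findings = []
    for path in paths:
        if not path.lower().endswith(".rtf"):
            continue                              # only names that claim to be RTF
        with open(path, "rb") as fh:
            kind = sniff(fh.read(8))
        if kind != "rtf":
            findings.append((os.path.basename(path), kind))
    return findings


def demo():
    """Run the audit over constructed sample files (not real documents)."""
    samples = {
        "notes.rtf": b"{\\rtf1\\ansi Hello}",     # genuine RTF
        "report.rtf": OLE2_MAGIC + b"\x00" * 504,  # DOC content under an RTF name
        "empty.rtf": b"",                         # too short to be RTF
        "letter.doc": OLE2_MAGIC + b"\x00" * 504,  # honest extension, skipped
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        return audit(sorted(paths))


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: extension says RTF, content is {kind}")
```

A mail gateway or mailbox scan could apply the same comparison to attachments before a user opens them.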