Vulnerability Development mailing list archives

Stealth executables (clarified)


From: griffinb () HOTKEY NET AU (Brad Griffin)
Date: Thu, 28 Oct 1999 11:00:58 +1000


Hi all.
I had a query concerning the copy of the article I posted concerning
stealth executables.
It concerned the way in which a macro virus could be passed using an RTF
file. Here is part of my reply (thanks to Michael for prompting me to
clarify):

Hi all (no PGP sig, new mail client)
I recently posted an article to a mailing list concerning the way the
Melissa macro virus can hide in RTF files. Actually, I sent a copy of an
article that was on the 'Langalist'.
I had a query as to how a macro virus could be executed under an RTF
document.
Here is part of my reply:

RTF files cannot contain macro code, or should I say,
cannot execute macro code. However, there are macro viruses (Melissa
variants included) that will force a file to be saved as a Word DOC
even though the user attempts to save as an RTF file. This file will
have the extension RTF, but retain all the properties of a DOC file.
When this file is sent to an unsuspecting user via email, and they
'double click' on the file, MS Word will attempt to open it. As the
Word program recognises the file by its properties, not the extension,
it will open it as a Word document and execute the virus code.
A workaround would be to open the document with Notepad. If it is a
true RTF file it will appear as ASCII text with {\rtf at the head of
the document. If it is a DOC file, it will show as binary 'mush'.
I won't rant about the importance of having correctly configured and
updated anti-virus software. Nor will I harp on about virus checking
and rejecting of files received by 'unknowns' via email.
Cheers,

**********************
Brad Griffin
Infotech undergrad & email addict
CQU, Rockhampton Aust.
Useful links:
http://www.avp.ru
http://www.pgpi.org
http://spamcop.net
***********************
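
The Notepad check described in the message above, automated as an added example that is not part of the original post: it reads the first bytes of a file and flags a .rtf name whose content does not begin with {\rtf. The OLE2 signature used to recognise binary Word DOC content is the standard compound-file header; the function names, file names and sample bytes are constructed for illustration.

```python
import os
import tempfile

# Header of an OLE2 compound file, the container used by binary Word DOC files.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# A true RTF file starts with this ASCII text, as the message notes.
RTF_MAGIC = b"{\\rtf"


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check(path: str) -> dict:
    """Compare what the extension claims with what the content is."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    kind = sniff(head)
    # A .rtf name over anything other than RTF content is the case to quarantine.
    return {"name": os.path.basename(path), "extension": ext,
            "content": kind, "mismatch": ext == "rtf" and kind != "rtf"}


def demo() -> list:
    """Run the check over constructed sample attachments (not real documents)."""
    samples = {
        "letter.rtf": b"{\\rtf1\\ansi Hello}",    # genuine RTF
        "list.rtf": OLE2_MAGIC + b"\x00" * 24,    # DOC content under an RTF name
        "notes.rtf": b"plain text, no header",    # neither format
    }
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results.append(check(path))
    return results


if __name__ == "__main__":
    for r in demo():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f'{r["name"]:12} ext={r["extension"]} content={r["content"]:8} {flag}')
```

A mail gateway or attachment handler can apply the same comparison before a file ever reaches Word.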

