http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=199&page=0 # # Thursday, June 14, 2001 # # Malicious Code in RTF Files: Yet another Prediction Comes True # # A Trojan program penetrates computers when reading RTF files # # Kaspersky Lab, an international data-security software-development # company, warns users about the discovery of the Trojan "Goga" # that steals and sends out from infected computers user details # for Internet access (i.e. login, password and other information). # Kaspersky Lab has already received several reports of the Trojan # being detected "in the wild." # # "Goga" has two distinguishing features: the first is that it # utilizes files in RTF format as a means for spreading, confusing # users in as much as they believe these files to be absolutely # safe, often opening them without first administering an anti-virus # check. The second is that the Trojan exploits a well-known breach # in the Microsoft Word security system, allowing a malefactor # to launch a malicious code, unbeknownst to a user, immediately # following the opening of an infected document. # # Breach hyperlink: # # http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/... # # Should a computer not be installed with the proper patch thwarting # this breach, then when the infected RTF file is read, MS Word # automatically downloads a template containing the malicious # macro-program from a remote Web site without any warning # whatsoever. This macro-program extracts additional utility from # the RTF file?s binary section. This utility searches the infected # computer and creates another TXT file containing user Internet # access details. At this point, "Goga" starts up the script program # that publishes the newely created TXT file in a Web-site guest # book open to the general public. The virus writer is now able # to periodically cull stolen information from this site. # # Kaspersky Lab warned users about falling prey to this RTF-file # danger on May 29. We once again recommend that users install # the MS Word patch defending against this Trojan and any other # malicious programs exploiting this breach ASAP. # # Detection and removal procedures have already been added # to the Kaspersky Anti-Virus database daily update.