Anyone know if Rich Text Format files are capable of carrying viruses or not? I ask as I know a lot of people exchange files in this format instead of .DOC. I've noticed that F-PROT scans .RTF files by default. If they are infectable in theory, are there any actual viruses in existence which exploit this? Thanx
Krip Tick at address kript...@kriptick.freeserve.co.uk said...
> Anyone know if Rich Text Format files are capable of carrying viruses or
> not.
> I ask as I know a lot of people exchange files in this format instead of
> .DOC
> I've noticed that F-PROT scans .RTF files by default
> If they are infectable in theory, are there any actual viruses in existence
> which exploit this?
> Thanx
.RTF (Rich Text Files) files do not contain macros and are safe. Many products virus scan .RTF files since the extension is meaningless to the contents of the file. It's possible to save Word documents with an extension of .RTF and it's NOT a Rich Text File.
Yuri. -- ============================================= Central Command Inc. AntiViral Toolkit Pro http://www.avp.com sa...@avp.com Virus Protection Specialists -> Free Evaluation Software on Web Site <- =============================================
Yuri Yanovich wrote in message ...
>Krip Tick at address kript...@kriptick.freeserve.co.uk said...
>> Anyone know if Rich Text Format files are capable of carrying viruses or
>> not.
>> I ask as I know a lot of people exchange files in this format instead of
>> .DOC
>> I've noticed that F-PROT scans .RTF files by default
>> If they are infectable in theory, are there any actual viruses in existence
>> which exploit this?
>> Thanx
>.RTF (Rich Text Files) files do not contain macros and are safe.
>Many products virus scan .RTF files since the extension is
>meaningless to the contents of the file. It's possible to save Word
>documents with an extension of .RTF and it's NOT a Rich Text File.
>Yuri.
Cheers, that was quick. I can see that so I guess to receive an UNSOLICITED .RTF file would be potentially dodgy. But it would be ok for a group of friends to regularly exchange .RTF files only amongst themselves?
If you were sure that they were proper Rich Text Format documents then yes I would say it was okay to exchange files. If these were trusted friends then it's probably okay to exchange files in any format. Of course, while it is all well and good to say that you trust your friends, and they trust you, all this means is that you would not knowingly pass on something dodgy. It's still a good idea to use an up to date A-V scanner for any files you receive from any source.
Regards
Robert Moir
=@==@==@==@==@==@==@==@==@==@==@==@==@==@==@==@=
Robert Moir, Microsoft MVP
My Homepage - members.xoom.com/Robert_Moir
aka AS-Angel-Robert in MS V-Chat
AS homepage - members.tripod.com/~AngelSociety
MS Chat products - www.microsoft.com/ie/chat
=@==@==@==@==@==@==@==@==@==@==@==@==@==@==@==@=
Krip Tick wrote in message <71fono$g3...@newsreader1.core.theplanet.net>...
>Cheers, that was quick. I can see that so I guess to receive an UNSOLICITED
>.RTF file would be potentially dodgy. But it would be ok for a group of
>friends to regularly exchange .RTF files only amongst themselves?
A quick tip from my experience dealing with samples forwarded to vsample@drsolomon:
- we received a fair number of suspect .rtf files that actually were either .exe files (in their file format and executed as such (often AOL trojans)) or proper Word (.doc/.dot) files that were just saved with an .rtf extension.
Best bet: install and maintain a good on-access scanner (preferably scanning 'all files' as they are either read or executed) so that files, if they are viruses or .exe trojans, are intercepted before they are executed - whatever their advertised extension.
Jem Bridge Data Security Consultants Ltd
(p.s. in case of possible 'snake-oil' alerts from various posters suffering from acute cases of paranoia and/or posters who potentially alienate their potential corporate customers by their rude, unprofessional attitude and speech, let me add as a disclaimer that I _used_ to work at vsample@, but now no longer work at the desk)
Krip Tick wrote in message <71fnh1$f5...@newsreader1.core.theplanet.net>...
>Anyone know if Rich Text Format files are capable of carrying viruses or
>not.
>I ask as I know a lot of people exchange files in this format instead of
>.DOC
>I've noticed that F-PROT scans .RTF files by default
>If they are infectable in theory, are there any actual viruses in existence
>which exploit this?
>Thanx
: If you were sure that they were proper Rich Text Format documents then yes I
: would say it was okay to exchange files.
Sure. But the only way to be absolutely sure is to check docs by eye, e.g. with a text editor.
: If these were trusted friends then
: it's probably okay to exchange files in any format.
Except that it's not only a matter of trusting their motives, but their knowledge of virus issues and the quality and currency of their virus scanning. A high proportion of computer users are infected (inadvertently) by people they trust. I know you know this, Robert: I'm just trying to clarify.
: Of course, while it is
: all well and good to say that you trust your friends, and they trust you,
: all this means is that you would not knowingly pass on something dodgy. It's
: still a good idea to use an up to date A-V scanner for any files you receive
: from any source.
Agreed totally.
-- David Harley | alt.comp.virus FAQ D.Har...@icrf.icnet.uk | & Anti-Virus Web Page Support & Security Analyst | Folk London On-Line gig-list Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/
In article <MPG.10a52dc264a300a989...@news.supernews.com>, y...@avp.com says...
>Krip Tick at address kript...@kriptick.freeserve.co.uk said...
>> Anyone know if Rich Text Format files are capable of carrying viruses or
>> not.
>> I ask as I know a lot of people exchange files in this format instead of
>> .DOC
>> I've noticed that F-PROT scans .RTF files by default
>> If they are infectable in theory, are there any actual viruses in existence
>> which exploit this?
>> Thanx
>.RTF (Rich Text Files) files do not contain macros and are safe.
Wrong.
".RTF" files can be *anything* and if they are, in fact, renamed DOC/DOT files, Word will *silently* open them as native Word document/template files **even if you have "Confirm conversion" enabled** and run any macros they hold. A file's extension, just like its name, bears an *arbitrary* relationship to its content and format.
The trouble here is that the original poster is confused. S/he thinks that ".RTF" files *are* Rich Text Format files. As I've just explained, this is a false assumption. It is usually true, but it is not necessarily true.
So maybe Yuri meant "Rich Text Format files cannot hold macros". Well, I'm sorry Yuri, but you are still wrong. Some time ago, MS added support for embedded objects to the RTF format. Word 95 and 97 support this (not sure about Word 6 and can't easily test right now). Thus, if you have a Word DOC in which another Word DOC is embedded (it will normally appear as a Word document icon on the page of the main document) and you save the main document in RTF format, Word encodes (part of) the binary of the embedded DOC file into the resulting RTF file. The bad news for Yuri is that if the embedded document has a macro virus, it will be preserved in this process and if the RTF is sent to someone who has on-access AV s/w, the AV might trigger when the recipient double-clicks the icon representing the embedded DOC file, as Word then "decodes" it to a temporary file. (Fortunately, in tests with a Concept infected embedee, it appears that although the viral macros are still present, Word does not run them when dis-embedding documents like this, so you won't become infected unless you choose to manually dis-embed the (infected) DOC to a separate file and open that.)
>Many products virus scan .RTF files since the extension is
>meaningless to the contents of the file. It's possible to save Word
>documents with an extension of .RTF and it's NOT a Rich Text File.
Indeed.
Worse however, some viruses (like WM/Cap) usurp the Save As function so as to ensure that certain (or all) non-Word formats are actually saved as document format but with the extension "appropriate" to the user's chosen format. This has seen Cap continue to spread swiftly and well in environments where a policy of "only exchange RTF files between ourselves and 'outside organizations'" has been strictly enforced.
A better solution than setting your on-access scanner to "scan all files" is to look for products that do "smart file typing" on-the-fly. These will quickly determine that FRED.RTF is actually a DOC (if it is) and, if so, scan it as appropriate.
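An added illustration of the "smart file typing" idea from the post above, not part of the original thread and not any vendor's implementation: it classifies a file by its leading bytes and also looks inside a genuine RTF for an embedded OLE2 document. The function names, route labels and sample contents are constructed for this example, and only plain hex `\objdata` payloads are handled.

```python
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 container used by Word .doc/.dot
RTF_MAGIC = b"{\\rtf"                            # genuine RTF begins with this text
MZ_MAGIC = b"MZ"                                 # DOS/Windows executable header

def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes; the file name is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(MZ_MAGIC):
        return "exe"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"

def embedded_ole2_count(data: bytes) -> int:
    """Count objdata groups in an RTF whose hex payload decodes to an OLE2 file."""
    count = 0
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", data):
        digits = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))
        if OLE2_MAGIC in blob:
            count += 1
    return count

def triage(name: str, data: bytes) -> tuple:
    """Return (scan route chosen from content, True if a .rtf name misstates it)."""
    kind = sniff_type(data)
    mismatch = name.lower().endswith(".rtf") and kind != "rtf"
    if kind == "rtf":
        route = "scan-embedded-objects" if embedded_ole2_count(data) else "plain-rtf"
    else:
        routes = {"ole2": "scan-as-word-document", "exe": "scan-as-executable"}
        route = routes.get(kind, "scan-as-unknown")
    return route, mismatch

# Constructed sample contents (headers only, not real documents).
SAMPLES = {
    "FRED.RTF": OLE2_MAGIC + b"\x00" * 24,        # Word document renamed to .rtf
    "NOTE.RTF": b"{\\rtf1\\ansi Hello}",           # genuine RTF, nothing embedded
    "GAME.RTF": b"MZ\x90\x00" + b"\x00" * 28,      # executable renamed to .rtf
    "MEMO.RTF": b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000\n"
                + OLE2_MAGIC.hex().encode() + b"0000}}}",  # RTF with embedded DOC
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(name, data))
```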
Nick FitzGerald wrote in message <71hj0r$23...@elrond.sophos.com>...
>In article <MPG.10a52dc264a300a989...@news.supernews.com>, y...@avp.com says...
>>Krip Tick at address kript...@kriptick.freeserve.co.uk said...
>>> Anyone know if Rich Text Format files are capable of carrying viruses or
>".RTF" files can be *anything* and if they are, in fact, renamed DOC/DOT
>files, Word will *silently* open them as native Word document/template
It's obvious now but it never occurred to me that Word would do that. Presumably using .WRI format could also be flawed for the same reason if Word was associated with such files instead of Wordpad. I guess the safest way to recommend exchanging stuff whilst maintaining formats & layout is cut & paste from Wordpad.
>chosen format. This has seen Cap continue to spread swiftly and well in
>environments where a policy of "only exchange RTF files between
>ourselves and 'outside organizations'" has been strictly enforced.
I can see that but the situation I was referring to was trusted but easily infectable (from outside) friends passing RTFs between just themselves.
The original reason I asked all this was that I'm involved in the environmental movement in which there are quite a few viruses circulating, Wazzu, Cap & a few boot viruses, nothing nasty I've found..., YET. They spread easily in the movement because information is copied & passed around a lot & most of the people involved are very untechnical & are much too focused on campaigning to ever get round to understanding how not to get infected. All of the existing documentation on viruses that I've come across is partially incomprehensible to people who often have never even learned what the term "boot" or "BIOS" means for instance. So I've had to write my own beginners tutorial on viruses hence I want to be sure of getting all my facts straight before someone shoots me down.
>A better solution than setting your on-access scanner to "scan all
>files" is to look for products that do "smart file typing" on-the-fly.
>These will quickly determine that FRED.RTF is actually a DOC (if it is)
>and, if so, scan it as appropriate.
Krip Tick wrote in message <71ic91$dk...@newsreader2.core.theplanet.net>...
>Sounds sensible, so which packages do this?
Solomon's has a 'scan all OLE files' option; it will scan all macros regardless of the extension... NAi scans for .RTF, but I gather they will change that. As for the other packages, guys, jump in any time...
har...@europa.lif.icnet.uk (David Harley) wrote:
> Robert Moir (as-angel...@email.msn.com) wrote:
> : If you were sure that they were proper Rich Text Format documents then yes I
> : would say it was okay to exchange files.
> Sure. But the only way to be absolutely sure is to check docs by eye,
> e.g. with a text editor.
Set the "check all files" option in InVircible Interceptor, and it will check all extensions for macros. No need for a text editor.
Zvi Netiv wrote in message <363cce88.3177...@news2.new-york.net>...
>har...@europa.lif.icnet.uk (David Harley) wrote:
>> Robert Moir (as-angel...@email.msn.com) wrote:
>> : If you were sure that they were proper Rich Text Format documents then yes I
>> : would say it was okay to exchange files.
>> Sure. But the only way to be absolutely sure is to check docs by eye,
>> e.g. with a text editor.
>Set the "check all files" option in InVircible Interceptor, and it will
>check all extensions for macros. No need for a text editor.
Why not just say that you can check all files in whichever your preferred A-V package is? It's not as if Invircible is offering something unique here.
Robert Moir, Microsoft MVP My Homepage - members.xoom.com/Robert_Moir =@==@==@==@==@==@==@==@==@==@==@==@==@==@==@==@=
Yes, you can have the infected MS Office file written in RTF format. The RTF file will carry the macro viruses inside, and they will then be activated when you use MS Office to open the RTF file again.
alexalicelillianleo
"Robert Moir" <as-angel...@email.msn.com> wrote:
> >> Sure. But the only way to be absolutely sure is to check docs by eye,
> >> e.g. with a text editor.
> >Set the "check all files" option in InVircible Interceptor, and it will
> >check all extensions for macros. No need for a text editor.
> Why not just say that you can check all files in whichever your preferred
> A-V package is. It's not as if Invircible is offering something unique here
Since IVI, the InVircible on-the-fly interceptor is unique, then yes, InVircible is offering something unique here.
Also more practical, compared to on-demand scanning of all files with a scanner.
> If they are infectable in theory, are there any actual viruses in existence
> which exploit this?
Some viruses (including some widespread ones) will cause you to save files in the normal DOC format even though you specifically choose to save in RTF format from the saving options. The extension still stays as RTF to hide this.
When you click on a "RTF" file like that, it will be opened to Word and the macros will execute. Bummer.
-- Mikko Hermanni Hyppönen - Mikko.Hyppo...@DataFellows.com Data Fellows Group, PL 24, FIN-02231 Espoo, Finland Telephone +358 9 859 900, fax +358 9 8599 0599 http://www.DataFellows.com/staff/hermanni/
Zvi Netiv wrote in message <363d6962.3829...@news2.new-york.net>... >"Robert Moir" <as-angel...@email.msn.com> wrote:
[snip]
>> >Set the "check all files" option in InVircible Interceptor, and it will
>> >check all extensions for macros. No need for a text editor.
>> Why not just say that you can check all files in whichever your preferred
>> A-V package is. It's not as if Invircible is offering something unique here
>Since IVI, the InVircible on-the-fly interceptor is unique, then yes,
>InVircible is offering something unique here.
>Also more practical, compared to on-demand scanning of all files with a
>scanner.
>Regards, Zvi
I meant something unique that also added value to the situation. My apologies, Zvi, I should have made myself clearer.
Leaving aside the debate as to the viability of InVircible vs. the traditional scanners, I'm still unsure as to how scanning all files with one product rather than another is better or unique from the user's point of view. It might work differently under the interface, but I suspect the original poster does not give a stuff about how the solution works as long as it does.
Robert Moir, Microsoft MVP My Homepage - members.xoom.com/Robert_Moir =@==@==@==@==@==@==@==@==@==@==@==@==@==@==@==@=