.RTF (Rich Text Files) files do not contain macros and are safe.
Many products virus scan .RTF files since the extension is
meaningless to the contents of the file. It's possible to save Word
documents with an extension of .RTF and it's NOT a Rich Text File.
Yuri.
--
=============================================
Central Command Inc. AntiViral Toolkit Pro
http://www.avp.com sa...@avp.com
Virus Protection Specialists
-> Free Evaluation Software on Web Site <-
=============================================
Cheers, that was quick. I can see that so I guess to receive an UNSOLICITED
.RTF file would be potentially dodgy. But it would be ok for a group of
friends to regularly exchange .RTF files only amongst themselves?
Krip Tick wrote in message <71fono$g3u$1...@newsreader1.core.theplanet.net>...
[snip]
- we received a fair number of suspect .rtf files that actually were either
.exe files (in their file format and executed as such (often AOL trojans))
or proper Word (.doc/.dot) files that were just saved with an .rtf
extension.
Best bet: install and maintain a good on-access scanner (preferably scanning
'all files' as they are either read or executed) so that files, if they are
viruses or .exe trojans, are intercepted before they are executed - whatever
their advertised extension.
Jem
Bridge Data Security Consultants Ltd
(p.s. in case of possible 'snake-oil' alerts from various posters suffering
from acute cases of paranoia and/or posters who potentially alienate their
potential corporate customers by their rude, unprofessional attitude and
speech, let me add as a disclaimer that I _used_ to work at vsample@, but
now no longer work at the desk)
Krip Tick wrote in message <71fnh1$f5m$1...@newsreader1.core.theplanet.net>...
Sure. But the only way to be absolutely sure is to check docs by eye,
e.g. with a text editor.
: If these were trusted friends then
: it's probably okay to exchange files in any format.
Except that it's not only a matter of trusting their motives, but
their knowledge of virus issues and the quality and currency of their
virus scanning. A high proportion of computer users are infected
(inadvertently) by people they trust. I know you know this, Robert:
I'm just trying to clarify.
: Of course, while it is
: all well and good to say that you trust your friends, and they trust you,
: all this means is that you would not knowingly pass on something dodgy. It's
: still a good idea to use an up to date A-V scanner for any files you receive
: from any source.
Agreed totally.
--
David Harley | alt.comp.virus FAQ
D.Ha...@icrf.icnet.uk | & Anti-Virus Web Page
Support & Security Analyst | Folk London On-Line gig-list
Imperial Cancer Research Fund | http://webworlds.co.uk/dharley/
>Krip Tick at address krip...@kriptick.freeserve.co.uk said...
>> Anyone know if Rich Text Format files are capable of carrying viruses or
>> not.
>> I ask as I know a lot of people exchange files in this format instead of
>> .DOC
>> I've noticed that F-PROT scans .RTF files by default
>> If they are infectable in theory, are there any actual viruses in existence
>> which exploit this?
>> Thanx
>
>.RTF (Rich Text Files) files do not contain macros and are safe.
Wrong.
".RTF" files can be *anything* and if they are, in fact, renamed DOC/DOT
files, Word will *silently* open them as native Word document/template
files **even if you have "Confirm conversion" enabled** and run any
macros they hold. A file's extension, just like its name, bears an
*arbitrary* relationship to its content and format.
The trouble here is that the original poster is confused. S/he thinks
that ".RTF" files *are* Rich Text Format files. As I've just explained,
this is a false assumption. It is usually true, but it is not
necessarily true.
So maybe Yuri meant "Rich Text Format files cannot hold macros". Well,
I'm sorry Yuri, but you are still wrong. Some time ago, MS added support
for embedded objects to the RTF format. Word 95 and 97 support this (not
sure about Word 6 and can't easily test right now). Thus, if you have a
Word DOC in which another Word DOC is embedded (it will normally appear
as a Word document icon on the page of the main document) and you save
the main document in RTF format, Word encodes (part of) the binary of
the embedded DOC file into the resulting RTF file. The bad news for Yuri
is that if the embedded document has a macro virus, it will be preserved
in this process and if the RTF is sent to someone who has on-access AV
s/w, the AV might trigger when the recipient double-clicks the icon
representing the embedded DOC file, as Word then "decodes" it to a
temporary file. (Fortunately, in tests with a Concept infected embedee,
it appears that although the viral macros are still present, Word does
not run them when dis-embedding documents like this, so you won't become
infected unless you choose to manually dis-embed the (infected) DOC to a
separate file and open that.)
>Many products virus scan .RTF files since the extension is
>meaningless to the contents of the file. It's possible to save Word
>documents with an extension of .RTF and it's NOT a Rich Text File.
Indeed.
Worse however, some viruses (like WM/Cap) usurp the Save As function so
as to ensure that certain (or all) non-Word formats are actually saved
as document format but with the extension "appropriate" to the user's
chosen format. This has seen Cap continue to spread swiftly and well in
environments where a policy of "only exchange RTF files between
ourselves and 'outside organizations'" has been strictly enforced.
A better solution than setting your on-access scanner to "scan all
files" is to look for products that do "smart file typing" on-the-fly.
These will quickly determine that FRED.RTF is actually a DOC (if it is)
and, if so, scan it as appropriate.
--
Nick FitzGerald
Editor, Virus Bulletin
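
An added example, not part of any poster's message and not any product's code: a minimal Python sketch of the "smart file typing" described above. It classifies a file by its leading bytes rather than its extension and, for genuine RTF, decodes embedded-object data to see whether an OLE2 (native Word) file sits inside; the function names and the sample files are constructed for illustration.

```python
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file: native Word .doc/.dot

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes; the file name is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"MZ"):
        return "exe"
    if data.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"

def embedded_objects(rtf: bytes) -> list:
    """Decode each \\objdata hex run in a genuine RTF; note whether it holds an OLE2 file."""
    found = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))
        found.append({"bytes": len(blob), "ole2_inside": OLE2_MAGIC in blob})
    return found

def triage(name: str, data: bytes) -> dict:
    """Decide how a file must be scanned from what it is, not what it is called."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(data)
    objs = embedded_objects(data) if actual == "rtf" else []
    if actual == "ole2" or any(o["ole2_inside"] for o in objs):
        scan_as = "word-macro"      # renamed DOC/DOT, or a DOC embedded in real RTF
    elif actual == "exe":
        scan_as = "executable"
    else:
        scan_as = "generic"
    return {"name": name, "claimed": claimed, "actual": actual, "embedded": objs,
            "renamed": claimed == "rtf" and actual != "rtf", "scan_as": scan_as}

# Constructed samples: header bytes only, not real documents or malware.
SAMPLES = {
    "FRED.RTF": OLE2_MAGIC + b"\x00" * 24,
    "LETTER.RTF": b"{\\rtf1\\ansi Hello}",
    "REPORT.RTF": b"{\\rtf1{\\object\\objemb{\\*\\objdata 01050000\n"
                  + OLE2_MAGIC.hex().encode() + b"}}}",
    "PHOTO.RTF": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(triage(sample_name, sample_data))
```

The embedded-object check is a heuristic over the hex run that follows `\objdata`; it flags the object for macro scanning and does not itself parse the embedded document.
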
>".RTF" files can be *anything* and if they are, in fact, renamed DOC/DOT
>files, Word will *silently* open them as native Word document/template
It's obvious now but it never occurred to me that Word would do that.
Presumably using .WRI format could also be flawed for the same reason if
Word was associated with such files instead of Wordpad. I guess the safest
way to recommend exchanging stuff whilst maintaining formats & layout is cut
& paste from Wordpad.
>chosen format. This has seen Cap continue to spread swiftly and well in
>environments where a policy of "only exchange RTF files between
>ourselves and 'outside organizations'" has been strictly enforced.
I can see that but the situation I was referring to was trusted but easily
infectable (from outside) friends passing RTFs between just themselves.
The original reason I asked all this was that I'm involved in the
environmental movement in which there are quite a few viruses circulating,
Wazzu, Cap & a few boot viruses, nothing nasty I've found..., YET. They
spread easily in the movement because information is copied & passed around
a lot & most of the people involved are very untechnical & are much too
focused on campaigning to ever get round to understanding how not to get
infected. All of the existing documentation on viruses that I've come across
is partially incomprehensible to people who often have never even learned
what the term "boot" or "BIOS" means for instance. So I've had to write my
own beginner's tutorial on viruses, hence I want to be sure of getting all my
facts straight before someone shoots me down.
>
>A better solution than setting your on-access scanner to "scan all
>files" is to look for products that do "smart file typing" on-the-fly.
>These will quickly determine that FRED.RTF is actually a DOC (if it is)
>and, if so, scan it as appropriate.
>
Sounds sensible, so which packages do this?
Solomon's has a 'scan all OLE files' option; it will scan all macros
regardless of the extension... NAi scans for .RTF, but I gather they will
change that. As for the other packages, guys, jump in any time...
Marcel
> Robert Moir (as-an...@email.msn.com) wrote:
> : If you were sure that they were proper Rich Text Format documents then yes I
> : would say it was okay to exchange files.
> Sure. But the only way to be absolutely sure is to check docs by eye,
> e.g. with a text editor.
Set the "check all files" option in InVircible Interceptor, and it will
check all extensions for macros. No need for a text editor.
Regards, Zvi
---------------------------------------------------------------------
NetZ Computing Ltd. Israel Developer & Producer of InVircible & ResQ
Download Software, Support, Online Registration: http://InVircible.com
US Mirror: http://www.NetZComp.com Personal e-mail: ne...@actcom.co.il
Voice +972 3 938 6868, +972 52 494 017 (cellular) Fax +972 3 938 6869
---------------------------------------------------------------------
Why not just say that you can check all files in whichever your preferred
A-V package is. It's not as if InVircible is offering something unique here
Robert Moir, Microsoft MVP
My Homepage - members.xoom.com/Robert_Moir
=@==@==@==@==@==@==@==@==@==@==@==@==@==@==@==@=
> >> Sure. But the only way to be absolutely sure is to check docs by eye,
> >> e.g. with a text editor.
> >Set the "check all files" option in InVircible Interceptor, and it will
> >check all extensions for macros. No need for a text editor.
> Why not just say that you can check all files in whichever your preferred
> A-V package is. It's not as if InVircible is offering something unique here
Since IVI, the InVircible on-the-fly interceptor is unique, then yes,
InVircible is offering something unique here.
Also more practical, compared to on-demand scanning of all files with a
scanner.
Some viruses (including some widespread ones) will cause you to save files
in the normal DOC format even though you specifically choose to save in RTF
format from the saving options. The extension still stays as RTF to hide
this.
When you click on a "RTF" file like that, it will be opened to Word and the
macros will execute. Bummer.
--
Mikko Hermanni Hyppönen - Mikko.H...@DataFellows.com
Data Fellows Group, PL 24, FIN-02231 Espoo, Finland
Telephone +358 9 859 900, fax +358 9 8599 0599
http://www.DataFellows.com/staff/hermanni/
[snip]
>> >Set the "check all files" option in InVircible Interceptor, and it will
>> >check all extensions for macros. No need for a text editor.
>
>> Why not just say that you can check all files in whichever your preferred
>> A-V package is. It's not as if InVircible is offering something unique here
>
>Since IVI, the InVircible on-the-fly interceptor is unique, then yes,
>InVircible is offering something unique here.
>
>Also more practical, compared to on-demand scanning of all files with a
>scanner.
>
>Regards, Zvi
I meant something unique that also added value to the situation. My
apologies, Zvi, I should have made myself clearer.
Leaving aside the debate as to the viability of InVircible vs. the
traditional scanners, I'm still unsure as to how scanning all files with one
product rather than another is better or unique from the user's point of
view. It might work differently under the interface, but I suspect the
original poster does not give a stuff about how the solution works as long
as it does.