SLAM4.012: Rich Text Format Infection by KidChaos/SLAM
Rich Text Format Infection
By Kid Chaos [SLAM]
DISCLAIMER
This is not a technical article, only a brief comment about RTF. If you're a newbie in macro stuff then you will understand this easily! ;)
INTRODUCTION
When you run an Antivirus, it usually uses (without scanning All Files, just the Program Files) the following extensions to search for Word macroviruses:
- .DOC (Word document)
- .DOT (Word template)
But a few antiviruses search for this extension too:
- .RTF (Rich Text Format)
If a RTF file has been infected by a macrovirus then if you run an Antivirus and search for viruses without the "all files" option enabled, maybe your AV will not search the .RTF extension and, of course, it won't be able to detect the macrovirus. I've tested many Antivirus programs and i was very surprised because most of them do NOT search for the .RTF extension.
WTF is RTF? ;-)
RTF (Rich Text Format) is a form of encoding various text formats, document structures, and document properties. It uses the printable ASCII character set. Special characters can be also be thus encoded, although RTF does not prevent the utilization of character codes outside the ASCII printable set. It enables programs to export an ASCII file containing text and format information combined. The exported information can be read by any other program, like Micro$ux Word, which allows you to import RTF format files.
for example a RTF file can keep these features:
- Bold
- Italic
- Underline
- Strikeout
- Text colors
- Font size
The following is a dump of a sample of RTF file (created with M$-Word):
==============================FILENAME.RTF============================
{\rtf1\ansi \deff4\deflang1033{\fonttbl{\f4\froman\fcharset0\fprq2 Times
New Roman;}{\f24\fswiss\fcharset0\fprq2 Arial black;}}{\colortbl;\red0\
green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\
blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\
red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\
green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\
blue0;\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{\
widctlpar \f4\fs20 \snext0 Normal;}{\*\cs10 \additive Default Paragraph
Font;}}{\info{\author Kid Chaos}{\operator Kid Chaos}{\creatim\yr1997\mo12\
dy18\hr8\min45}{\revtim\yr1997\mo12\dy18\hr8\min46}{\version1}{\edmins1}
{\nofpages1}{\nofwords2}{\nofchars14}{\*\SLAM SLAM}{\vern57431}}\widowctrl\
ftnbj\aenddoc\formshade \fet0\sectd\linex0\headery709\footery709\colsx709\
endnhere{\*\pnseclvl1\pnucrm\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\
pnseclvl2\pnucltr\pnstart1\pnindent720\pnhang{\pntxta.}}{\*\pnseclvl3\pndec\
pnstart1\pnindent720\pnhang{\pntxta.}}{\*\pnseclvl4\pnlcltr\pnstart1\
pnindent720\pnhang{\pntxta)}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\
pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl6\pnlcltr\pnstart1\pnindent720\
pnhang{\pntxtb (}{\pntxta)}}{\*\pnseclvl7\pnlcrm\pnstart1\pnindent720\
pnhang{\pntxtb (}{\pntxta)}}{\*\pnseclvl8\pnlcltr\pnstart1\pnindent720\
pnhang{\pntxtb (}{\pntxta)}}{\*\pnseclvl9\pnlcrm\pnstart1\pnindent720\
pnhang{\pntxtb (}{\pntxta )}}\pard\plain \qc\widctlpar \f4\fs20
{\b\i\f24\fs32\cf2 RTF infection by KID CHAOS for SLAM#4 ;-)\par }}
=============================EOF FILENAME.RTF==========================INFECTION PART
Now, for see how a RTF file has been infected by a macrovirus you need:
- A RTF document (you can create one with your WordPad or WinWord or with your favorite word processor. Use the "Save As..." option, and select: "Rich Text Format"
- if you use WinWord to create a RTF file, be sure that your M$-Word's global template is free macros else your RTF isn't clean. Just delete the NORMAL.DOT before you run WinWord.
- Micro$uck Word (use M$-Word english version or your native language version: French, dutch, italian, polish, etc.)
- A piece of WordBasic code which Save the current document as template.
example:
Macro: AutoOpen
Sub Main
...... ' ur code ;)
FileSaveAs .Format = 1 ' convert to template
Macrocopy ..... 'copy your macro
End Sub
Of course you can use another way of WordBasic like Organizer, only you need to save the file as Template (remember in Word a document=0, a Template=1)
If you have the tree conditions then open the RTF document which M$-Word infected already. When you open/close the RTF file , it is infected and converted in Word template by effect of the macrovirus, only the format is converted, the extension is the same RTF.
Filename.RTF
+--------------+
! !
Before Infection----------> ! RTF !
! document !
! !
+--------------+
Filename.RTF
+--------------+
! !
After Infection-----------> ! Word !
! template !
! !
+--------------+
Of course the RTF structure is missing and has been replaced by Word Template structure.
Well, you can see now, the only process is the code that converts the RTF to template. Open the document like binary file with your EDIT.EXE for windoze 95 and you will see just Word Streams.
FINAL NOTE
Well, now run your antivirus and search without "all files" option the .RTF file infected. If the AV can't detect anything then you can easily send infected Word documents to people which usa the same Antivirus as yourself. You only have to rename the infected Word document:
Filename.DOC ---> Filename.RTF
Btw, if an Aver reads this article then he will include the .RTF extension in the search extension by default. Else many people are going to send e-mails with .RTF files infected (or renamed Word Documents to RTF) in the attachment. :-P
Regards
Kid Chaos [SLAM]
