[Avcheck] Re: a way to circumvent checks by AVP

Juri Haberland haberland@altus.de
Thu, 25 Jul 2002 18:12:22 +0200


Michael Tokarev wrote:
> Juri Haberland wrote:


> So let me ask: *why* those should be detected inside rtf?  (btw, I don't
> know how you embed .exe into rtf?  As a "picture"?  As OLE object?  Hmm...).
> Why those should be detected when embedded into .doc file and sent via
> normal mail agent (without that famous winmail.dat crap)?

The point is the following:
If you use Outlook, there is an option to choose the mail format:
- HTML
- RTF
- plain text

If you choose RTF and try to attach a file (via the menu, something
like -> Insert -> File) it is embedded into the RTF document (presumably
as an OLE object).

> Or, let's go other way around:  after you embed such crap into email,
> what steps should be done on receiving side to actually execute the
> code to be infected?  Is it as easy as just opening a message (as most
> iframe worms with unpatched outgluck)?  Or by double-clicking some
> icon/button?  Or maybe by double-clicking on an embedded archive to
> launch some .zip shell and clicking on a file inside an archive?
> I guess that some more advanced steps should be done instead...
> (I hope you got an idea - it shouldn't be easy task to be infected,
> some experience will be required for this...)

The receiving side is assumed to also use Outlook. If they don't, all
that they see is an attachment named winmail.dat which contains the RTF
with all stuff included.
_If_ the receiving side actually uses Outlook, they see a normal mail
with an icon for the attached file that they can double-click to open it.

>> Not good, not good.
>> Maybe it's time to switch to Dr.Web...
> 
> Send it to me first.  I guess DrWeb will too not detect this (who knows,
> but that's my guess).  And if so, I think it will be right.
> 
> (Sending it to me just may serve as a test for drweb, since I
> will not be able to open such attachments anyway.  At least, no
> harm could be done for me on linux... ).

I'll do so tomorrow, if you still want.

Cheers,
Juri

-- 
  If each of us have one object, and we exchange them,
     then each of us still has one object.
  If each of us have one idea,   and we exchange them,
     then each of us now has two ideas.
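As an added illustration of the scanning gap discussed in this thread (example code, not part of the original mail or of any AV product): a minimal walker for the TNEF stream that winmail.dat carries, which pulls out each embedded attachment so a content scanner can look at what is inside rather than stopping at the outer .dat name. The TNEF signature and attribute ids are the ones from the public TNEF format; everything else, including the sample winmail.dat assembled inline, is constructed here.

```python
"""
Minimal TNEF (winmail.dat) walker that extracts the attachments Outlook's
RTF mail format wraps inside winmail.dat, so a scanner can inspect them.
Added example; attribute ids are from the public TNEF format, the sample
stream built below is constructed for this demonstration.
"""
import struct

TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE = 1
LVL_ATTACHMENT = 2

ATT_TNEF_VERSION = 0x00089006
ATT_ATTACH_RENDDATA = 0x00069002   # marks the start of a new attachment
ATT_ATTACH_TITLE = 0x00018010      # attachment file name, NUL-terminated
ATT_ATTACH_DATA = 0x0006800F       # raw attachment bytes


def _checksum(data: bytes) -> int:
    # TNEF attribute checksum: 16-bit sum of the data bytes
    return sum(data) & 0xFFFF


def parse_tnef(blob: bytes) -> list[dict]:
    """Walk the attribute stream; return [{'name': str, 'data': bytes}, ...]."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # signature (4) + attachment key (2)
    attachments, current = [], None
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level = blob[pos]
        att_id, length = struct.unpack_from("<II", blob, pos + 1)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("truncated attribute body")
        data = blob[pos:pos + length]
        stored = struct.unpack_from("<H", blob, pos + length)[0]
        pos += length + 2
        if stored != _checksum(data):
            raise ValueError(f"checksum mismatch on attribute {att_id:#010x}")
        if level != LVL_ATTACHMENT:
            continue  # message-level properties are not needed here
        if att_id == ATT_ATTACH_RENDDATA:
            current = {"name": None, "data": b""}
            attachments.append(current)
        elif current is not None and att_id == ATT_ATTACH_TITLE:
            current["name"] = data.split(b"\x00", 1)[0].decode("latin-1")
        elif current is not None and att_id == ATT_ATTACH_DATA:
            current["data"] = data
    return attachments


def looks_executable(att: dict) -> bool:
    """Flag by DOS/PE magic as well as by extension: the name can lie."""
    name = (att["name"] or "").lower()
    return att["data"][:2] == b"MZ" or name.endswith((".exe", ".scr", ".com", ".pif"))


def scan_winmail(blob: bytes) -> list[str]:
    """Names of embedded attachments a scanner should treat as executable."""
    return [a["name"] for a in parse_tnef(blob) if looks_executable(a)]


# ---- constructed sample winmail.dat (not a real capture) ----
def _attr(level: int, att_id: int, data: bytes) -> bytes:
    return (struct.pack("<BII", level, att_id, len(data)) + data
            + struct.pack("<H", _checksum(data)))


def build_sample() -> bytes:
    fake_exe = b"MZ" + b"\x90" * 30  # stand-in for a DOS/PE header, not real code
    return (
        struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
        + _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
        + _attr(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, b"\x00" * 14)
        + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"notes.txt\x00")
        + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, b"just text\n")
        + _attr(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, b"\x00" * 14)
        + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"report.doc.exe\x00")
        + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, fake_exe)
    )


if __name__ == "__main__":
    sample = build_sample()
    for a in parse_tnef(sample):
        tag = "EXECUTABLE" if looks_executable(a) else ""
        print(a["name"], len(a["data"]), "bytes", tag)
    print("flagged:", scan_winmail(sample))
```

The checksum and length checks matter for a scanner: a stream that fails them should be rejected or quarantined rather than silently skipped, since a malformed winmail.dat is exactly the case where a parser and a mail client may disagree about what is inside.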