Asp guest book script

An anti-virus company say that at least one hacker has released rogue code that takes advantage of a recently uncovered security hole in Microsoft Word's handling of rich text format (RTF) documents.

Until now, an RTF exploitation that does an end run around Microsoft's built-in checks for potentially malicious Word macros has been theoretical. But Moscow-based Kaspersky Lab said today that it has found a Trojan in the wild that does just that.

Kaspersky says that it has received several reports of the new Trojan, labeled "Goga," which is invited into unsuspecting users' computers by RTF documents opened in the Word program. Once hunkered down on a PC, Goga collects information about the user's Internet accounts and relays it to a location where the Trojan's creator might receive it.

Other anti-virus companies contacted by Newsbytes say they have yet to see Goga in the wild. A spokesperson at Central Command said experts there have looked at Goga in their lab, but have had no reports from users who have found the Trojan on their own systems.

Central Command and Kaspersky both pointed out that Microsoft Corp. [NASDAQ:MSFT] alerted users to the RTF security problem last month and released patches for the Macintosh and Windows versions of its Word software.

Microsoft Word can alert users when a document they are about to open contains macros - scripts which automate Word tasks and which also have access to system resources of the PCs on which they execute. However, the security hole reported last month allows a Word template file containing macros to be loaded without such checks if that file is linked to from an RTF document. The linked template document can even reside on a remote Web site.

Kaspersky said Goga exploits that weakness in unpatched versions of Word by using an RTF file as the loader for a macro-packing template located on a Web site.

Once up and running, the macro code in the Word template extracts a binary executable from the original RTF file, Kaspersky said. That code then searches the infected computer for Internet-account logon and password information, storing it in a text file. Goga then launches a script that posts the contents of the text file in the "guest book" of a Web site open to the public.

Presumably, the hacker who created the program can then retrieve the information from the public site anonymously.

Microsoft's information on the RTF security hold and the Word patches can be founder here: http://www.microsoft.com/technet/security/bulletin/MS01-028.asp

Kaspersky Lab is here: http://www.kaspersky.com/ .

Central Command is here: http://www.centralcommand.com/ .

Reported by Newsbytes.com, http://www.newsbytes.com .

14:05 CST

(20010614/Press contact: Denis Zenkin, Kaspersky, +7 095-948-5650 /WIRES ONLINE, LEGAL, PC/)

COPYRIGHT 2001 Newsbytes News Network
COPYRIGHT 2001 Gale Group