Word flaw opens door to Trojan horse

A new malicious program--dubbed "Goga"--takes advantage of a month-old flaw in Microsoft Word to potentially steal and upload log-in and password information.

A month-old flaw in Microsoft Word has opened up PCs to attack by a new Trojan horse, antivirus researchers said Thursday. Dubbed "Goga," the malicious code poses as a Word document saved in rich text format but actually reaches through the Net to run a Word macro--a small program that runs within the application--saved on a Russian Web site.

"While this is not a danger to the general public, it could be a danger to somebody if there is a direct mailing to them," said Jimmy Kuo, a researcher at security software maker Network Associates.

The Trojan horse appears as text file in the rich text format, or RTF, attached to an email, according to British antivirus software company Kaspersky Labs, which first found the malicious program.

When opened, the RTF file will link back to a Word template file on a Russian Web site. The file contains a macro, which will steal and upload information regarding the victim's log-in and password to the guest book of a second site. An investigation of that site found only one record of any information, indicating the Trojan horse is not widespread.

By using a macro saved in a template hosted on another computer, the Trojan horse is able to fool Windows into letting the macro run, rather than flagging it as potentially dangerous code.

Outlined in a Microsoft advisory a month ago, the technique bypasses normal Windows security against such malicious programs.

"Normally, you could hit someone very easily only if their security settings were low," Kuo said. "By using this technique, you can bypass the security level."

Kuo stressed that Goga doesn't appear to be a worm or a virus, as it doesn't spread from computer to computer. He added, however, that the code does show that consumers can't trust attachments.

"There is no safe way to assume what" an e-mail attachment really is, he said.