Local user can fool another to run executable. .CNT/.GID/.HLP

From: Pauli Ojanpera (pauli_ojanperaat_private)
Date: Mon Dec 06 1999 - 23:55:45 PST


The Windows help system uses a HELPFILE.CNT file as the table-of-contents
metafile from which it creates HELPFILE.GID, which is needed to view the table
of contents for HELPFILE.HLP.

If you delete the previously created HELPFILE.GID and edit HELPFILE.CNT, you can
change a topic action to run an executable instead of viewing the
help for that topic. When the victim user uses the help system and chooses
the infected topic, the help system runs an executable from the path.

Example:

- Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID
  (kill the winhlp32.exe process if necessary)

- Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT,
  which is a text file. You should change the line which has
  something like:

  3 Word 97 new features=woidxWhatsNewInMicrosoftWord97at_private>REF

  to read:

  3 Word 97 new features=!EF("CMD.EXE","",1)

- Run WinWord and select Help|Contents from the menu bar.
- Find the topic "Word 97 new features" and select it.
- You should see CMD.EXE run.

BTW, that :Title tag in .CNT files has a kind of buffer overflow. The buffer size
is ~256 bytes. I think it triggers when the created
.GID file is opened.
    
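As an added defender-side example (my code, not part of the post above), the following Python scanner reads a .CNT file and flags topic actions that call program-launching WinHelp macros, flags :Title lines longer than the ~256-byte buffer the post mentions, and reports whether the matching .GID cache is missing or older than its .CNT (the situation the post relies on, since WinHelp rebuilds the .GID from the .CNT). The sample .CNT content is constructed; EF/ExecFile is the macro from the post, while EP/ExecProgram and SE/ShellExecute are other WinHelp macro names I include on the assumption that they are worth flagging too. The ';' chain handling and the latin-1 byte count are my assumptions about the format.

```python
import os
import re

# WinHelp macros that start a program. EF/ExecFile is the one used in the post;
# EP/ExecProgram and SE/ShellExecute are other WinHelp macro names (assumption:
# this list is what I consider worth flagging, not an exhaustive one).
EXEC_MACROS = {"EF", "ExecFile", "EP", "ExecProgram", "SE", "ShellExecute"}

# The post puts the :Title buffer at roughly 256 bytes; use that as the limit.
TITLE_LIMIT = 256

# Topic lines look like "<level> <title>=<action>"; heading lines have no "=".
TOPIC_RE = re.compile(r"^\s*(\d+)\s+(.*?)=(.*)$")
# A macro action is "!Name(args)"; later macros in a ';' chain may omit the "!".
MACRO_RE = re.compile(r"^\s*!?\s*([A-Za-z]+)\s*\(")

# Constructed .CNT content (not from the post): a normal topic reference,
# a topic rewritten to launch CMD.EXE, a harmless JumpId macro, and a :Title
# line padded past the 256-byte limit.
SAMPLE_CNT = (
    ":Base WDMAIN8.HLP\n"
    ":Title " + "Microsoft Word Help " * 15 + "\n"
    "1 Getting started\n"
    "2 Using tables=woidxUsingTables@WDMAIN8.HLP>REF\n"
    '2 Word 97 new features=!EF("CMD.EXE","",1)\n'
    '2 Keyboard shortcuts=!JumpId("WDMAIN8.HLP","woidxKeys")\n'
)


def scan_cnt(text):
    """Return (line_no, severity, message) tuples for suspicious .CNT lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(":Title"):
            size = len(stripped.encode("latin-1", "replace"))
            if size > TITLE_LIMIT:
                findings.append((line_no, "high",
                                 f":Title is {size} bytes, over the ~{TITLE_LIMIT}-byte buffer"))
            continue
        m = TOPIC_RE.match(line)
        if not m:
            continue
        _level, title, action = m.groups()
        if not action.startswith("!"):
            continue  # plain topic reference (topicid@file>window), not a macro
        # Splitting on ';' is a heuristic: it also splits a ';' inside a quoted
        # argument, which only produces an extra "info" line, never a miss.
        for part in action.split(";"):
            mm = MACRO_RE.match(part)
            name = mm.group(1) if mm else None
            if name in EXEC_MACROS:
                findings.append((line_no, "high",
                                 f"topic '{title}' runs a program via {name}: {part.strip()}"))
            else:
                findings.append((line_no, "info",
                                 f"topic '{title}' invokes a macro: {part.strip()}"))
    return findings


def gid_state(cnt_mtime, gid_mtime):
    """Classify the .GID cache against its .CNT by mtime (gid_mtime None = no .GID)."""
    if gid_mtime is None:
        return "missing"   # WinHelp will rebuild it from the .CNT on next use
    if cnt_mtime > gid_mtime:
        return "stale"     # .CNT edited after the .GID was built
    return "current"


def scan_path(cnt_path):
    """Scan a .CNT on disk and report whether its .GID is missing or stale."""
    with open(cnt_path, encoding="latin-1") as fh:
        findings = scan_cnt(fh.read())
    gid_path = os.path.splitext(cnt_path)[0] + ".GID"
    gid_mtime = os.path.getmtime(gid_path) if os.path.exists(gid_path) else None
    return findings, gid_state(os.path.getmtime(cnt_path), gid_mtime)


if __name__ == "__main__":
    for line_no, severity, message in scan_cnt(SAMPLE_CNT):
        print(f"line {line_no} [{severity}] {message}")
```

Run it against a directory of help files with `scan_path` and treat any "high" finding, or a "missing"/"stale" .GID next to a recently modified .CNT, as something to look at: a legitimate install rarely changes its .CNT after the .GID has been built.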
    


