Viruses on Windows documents executed in Linux
Just wondering.... If a M$ Word document has a virus and it is copied into a /home directory on linux. Then the file is opened and saved as a OpenOffice.org file ie its file association is changed from .doc to .sxw The document is then needed for a M$ Office user and is therefore opened and saved as a .doc file and transferred to the M$ user. Would the virus still exist in the file? If so how? Are there ways to use OO to eradicate document viruses? -- The wondering Little Helper ======================================================================== Hylton Conacher - Linux user # 229959 at http://counter.li.org Currently using SuSE 9.0 Professional with KDE 3.1 Licenced Windows user ========================================================================
Would the virus still exist in the file? If so how? Are there ways to use OO to eradicate document viruses?
While I'd say it might depend on the virus and where it was written and how, I'd have to say that I would assume the virus would still exist. Just because you rename a file doesn't change what is in the file. If the virus code happened to get in the way of star office or whatever you were using then they might perhaps remove the code but its unlikely as they would most like complain about having an invalid file if they detected a problem somewhere. Naming the file back would just again change the name and the binary information inside the file would still exist. I'm not that knowledgeable about Word macro viruses so I can't be of much more help. Sorry, glenn
Note that he said that he would first save it in OO's native format. I would be surprised if the virus could survive this. Claus
While I'd say it might depend on the virus and where it was written and how, I'd have to say that I would assume the virus would still exist. Just because you rename a file doesn't change what is in the file. If the virus code happened to get in the way of star office or whatever you were using then they might perhaps remove the code but its unlikely as they would most like complain about having an invalid file if they detected a problem somewhere.
Naming the file back would just again change the name and the binary information inside the file would still exist. I'm not that knowledgeable about Word macro viruses so I can't be of much more help.
Sorry,
glenn
-- Claus Wilke Keck Graduate Institute, 535 Watson Drive, Claremont CA 91711 Tel.: 909 607 0139, Fax: 909 607 9826 wilke@kgi.edu
Claus Wilke wrote:
Note that he said that he would first save it in OO's native format. I would be surprised if the virus could survive this.
Claus
While I'd say it might depend on the virus and where it was written and how, I'd have to say that I would assume the virus would still exist. Just because you rename a file doesn't change what is in the file. If the virus code happened to get in the way of star office or whatever you were using then they might perhaps remove the code but its unlikely as they would most like complain about having an invalid file if they detected a problem somewhere.
Naming the file back would just again change the name and the binary information inside the file would still exist. I'm not that knowledgeable about Word macro viruses so I can't be of much more help.
Sorry,
glenn
Way back in the days of StarOffice 5.2, a colleague sent me a word doc attached that was virus infected, I just couldn't get it to open in SO52, whereas colleagues using Word on Windows were infected. Regards Sid. -- Sid Boyce .... Hamradio G3VBV and keen Flyer =====LINUX ONLY USED HERE=====
On Thu, 2004-07-22 at 16:00, Glenn Hancock wrote:
Would the virus still exist in the file? If so how? Are there ways to use OO to eradicate document viruses?
While I'd say it might depend on the virus and where it was written and how, I'd have to say that I would assume the virus would still exist. Just because you rename a file doesn't change what is in the file. If the virus code happened to get in the way of star office or whatever you were using then they might perhaps remove the code but its unlikely as they would most like complain about having an invalid file if they detected a problem somewhere.
Naming the file back would just again change the name and the binary information inside the file would still exist. I'm not that knowledgeable about Word macro viruses so I can't be of much more help.
I think this depends on how embedded the virus is, and what kind of filtering happens on importing the file from MS. Problem is like you I'm in the dark on this one. I'd assume an import, clean up any bad looking sections of file, save native format, exit OOo, reenter OOo open, export would probably help. OTOH one could virus scan it with FOSS tools. Mike -- thinking this is the hard way of riding .DOC files of virii
If your concerned check the OO discussion list archive.
CWSIV
On Thu, 22 Jul 2004 15:39:06 -0700 Claus Wilke
Note that he said that he would first save it in OO's native format. I would be surprised if the virus could survive this.
Claus
While I'd say it might depend on the virus and where it was written and how, I'd have to say that I would assume the virus would still exist. Just because you rename a file doesn't change what is in the file. If the virus code happened to get in the way of star office or whatever you were using then they might perhaps remove the code but its unlikely as they would most like complain about having an invalid file if they detected a problem somewhere. c
________________________________________________________________ The best thing to hit the Internet in years - Juno SpeedBand! Surf the Web up to FIVE TIMES FASTER! Only $14.95/ month - visit www.juno.com to sign up today!
"Hylton Conacher (ZR1HPC)"
Would the virus still exist in the file? If so how? Are there ways to use OO to eradicate document viruses?
The only possible viruses in a document would be macro viruses and AFAIK OOo doesn't convert macros. So the answer would be 'no'. Philipp
Philipp Thomas
The only possible viruses in a document would be macro viruses and AFAIK OOo doesn't convert macros.
A multimedia file may cause a buffer overflow which can be used to activate a virus embedded there. In this case, the virus would survive the conversion from MS-Word to OOo and back since multimedia files (JPEG images, sounds, ...) included in office documents are not converted. Holes in image processing libraries were reported but I've never heard about a virus which uses them so this possibility is rather theoretical. -- A.M.
Alexandr Malusek wrote:
Philipp Thomas
writes: The only possible viruses in a document would be macro viruses and AFAIK OOo doesn't convert macros.
A multimedia file may cause a buffer overflow which can be used to activate a virus embedded there. In this case, the virus would survive the conversion from MS-Word to OOo and back since multimedia files (JPEG images, sounds, ...) included in office documents are not converted.
Holes in image processing libraries were reported but I've never heard about a virus which uses them so this possibility is rather theoretical.
-- A.M.
As mentioned here before, I've had one experience of an infected word document which would not open under Linux and StarOffice 5.2. It has been reported once that someone noticed that a worm would affect Wine/crossover, I also experienced a case where worms in Lotus Notes emails under crossover had queued up to mail everyone in my address book, what made me curious was that opening those mails was very slow, I was able to kill the outgoing mail and delete the problem emails. Whenever I do a new install, I get libsafe installed globally to stop buffer overflows from doing their nasties. Every binary has a LD_PRELOAD of libsafe, e.g:- barrabas:/usr/src/linux-2.6.8-rc2 # ldd /usr/bin/grep /lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40019000) linux-gate.so.1 => (0xffffe000) libc.so.6 => /lib/tls/libc.so.6 (0x40040000) libdl.so.2 => /lib/libdl.so.2 (0x40155000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) SuSE 9.1 and Mandrake 10.0 currently. Connectiva has libsafe by default. SuSE's reaction to the first version of libsafe was not favourable, the then reason given was that it did not stop all buffer overflows and format strings, but I thought that some protection was better than none. Later versions included many improvements and seem more worthy of inclusion than the likes of subfs. Regards Sid. -- Sid Boyce .... Hamradio G3VBV and keen Flyer =====LINUX ONLY USED HERE=====
Philipp Thomas wrote:
"Hylton Conacher (ZR1HPC)"
[22 Jul 2004 11:32]: Would the virus still exist in the file? If so how? Are there ways to use OO to eradicate document viruses?
The only possible viruses in a document would be macro viruses and AFAIK OOo doesn't convert macros. So the answer would be 'no'.
Philipp The main reason I ask is that I recently installed an older windows drive holding many documents that were possibly infected with virii on my linux system. As I do Windows training I invariably need to send my students M$ documents.
With the import of the older Windows data, I am sitting with some folders that only have OO.org files in them and some that have a combination of the three file types (native M$, native OO.org and Secondary M$ files ie those OO.org files re-saved into M$ format for customers). Hence the question regarding the spreading of virii. Whilst I realize Word macros are not converted, but does that mean they are rendered in-operable on a windows machine if saved twice ie to OO.org and then again to M$ format before being emailed to a M$ user? -- The Little Helper ======================================================================== Hylton Conacher - Linux user # 229959 at http://counter.li.org Currently using SuSE 9.0 Professional with KDE 3.1 Licenced Windows user ========================================================================
"Hylton Conacher (ZR1HPC)" [Sat, 24 Jul 2004 17:00:21 +0200]:
but does that mean they are rendered in-operable on a windows machine if saved twice ie to OO.org and then again to M$ format before being emailed to a M$ user?
Now that's a question I can't answer. I'd say, just test it yourself :) Write a simple Word macro, attach that to a document and see if it survives the transition word->OO.org->word. Philipp
Hylton Conacher (ZR1HPC) wrote:
Hence the question regarding the spreading of virii. Whilst I realize Word macros are not converted, but does that mean they are rendered in-operable on a windows machine if saved twice ie to OO.org and then again to M$ format before being emailed to a M$ user?
Have a look under Tools > Options Load/Save in OO. There are options (at least in StarOffice) that allow you to choose whether or not VBA macros are preserved when you save a file. The best way I can think of to test this is to write a macro in Excel, save and reopen with OO and see if it's still there with the VBA editor. -- JDL
participants (9)
-
Alexandr Malusek
-
Carl William Spitzer IV
-
Claus Wilke
-
Glenn Hancock
-
Hylton Conacher (ZR1HPC)
-
John Lamb
-
Mike McMullin
-
Philipp Thomas
-
Sid Boyce