COMMAND

    GID

SYSTEMS AFFECTED

    WinNT 4

PROBLEM

    Pauli Ojanpera found the following.  The Windows help system uses
    a HELPFILE.CNT file as a table of contents metafile for creating
    HELPFILE.GID, which is needed to view the table of contents for
    HELPFILE.HLP.  If you delete a previously created HELPFILE.GID and
    edit HELPFILE.CNT, you can change a topic action to run an
    executable instead of viewing help for that topic.  When the victim
    user uses the help system and chooses the infected topic, the help
    system runs an executable from the path.  Example:

    - Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID
      (kill winhlp32.exe process if necessary)
    - Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT which
      is a text file.  You should change the line which has something
      like:

         3 Word 97 new features=woidxWhatsNewInMicrosoftWord97@wdnew8.hlp>REF

      to read:

         3 Word 97 new features=!EF("CMD.EXE","",1)

    - Run WinWord and select Help|Contents from menubar.
    - Find topic "Word 97 new features" and select it.
    - You should see CMD.EXE run.

SOLUTION

    You don't have to delete the .gid file for this to happen - it is
    just an index for the find feature.  .hlp and .cnt files can both
    be used in a number of ways to make system calls and to execute
    arbitrary binaries, as well as call into DLLs.  If you have a
    multi-user system, you need to secure all .hlp and .cnt files the
    same as you would .exe files.  If you're worried about .gid files,
    open the associated .hlp file, choose 'find', create the database,
    and then secure it.
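
    An audit check for the tampering described above, added here as an
    example (it is not part of the original advisory): it lists .cnt
    topic lines whose action begins with "!", the form used in the
    CMD.EXE line shown under PROBLEM.  The function names, the sample
    contents text and the cp1252 file encoding are assumptions.

```python
import os
import re

# Topic line layout as shown in the advisory: "<level> <title>=<action>"
TOPIC_RE = re.compile(r"^\s*(\d+)\s+(.*?)=(.*)$")

# Constructed sample; only the last line is taken from the advisory.
SAMPLE_CNT = """:Base WDMAIN8.HLP
1 Getting started
2 Example topic=exTopicId@example.hlp>REF
3 Word 97 new features=!EF("CMD.EXE","",1)
"""


def find_macro_topics(cnt_text):
    """Return (line_no, title, action) for topics whose action starts with '!'."""
    hits = []
    for line_no, line in enumerate(cnt_text.splitlines(), start=1):
        m = TOPIC_RE.match(line)
        if not m:
            continue  # directives (":...") and headings without an action
        title, action = m.group(2).strip(), m.group(3).strip()
        if action.startswith("!"):
            hits.append((line_no, title, action))
    return hits


def scan_tree(root):
    """Walk root and map each .cnt path to its flagged topic lines."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".cnt"):
                continue
            path = os.path.join(dirpath, name)
            # Assumption: contents files are single-byte Windows text.
            with open(path, encoding="cp1252", errors="replace") as fh:
                hits = find_macro_topics(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for line_no, title, action in find_macro_topics(SAMPLE_CNT):
        print(f"line {line_no}: topic {title!r} runs {action}")
```

    A flagged line is not necessarily hostile, since a help author may
    have put the action there; compare it against the vendor's original
    file before treating it as tampering.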