[NT] VBA Workaround for Automatic Execution
From: support@securiteam.com
Date: 03/23/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 23 Mar 2002 18:23:27 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
VBA Workaround for Automatic Execution
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article, How Outlook 2002 Can Still Execute
JavaScript in an HTML Email Message
<http://www.securiteam.com/windowsntfocus/5AP0L0U6LW.html>, a security
vulnerability in Outlook allows email to automatically execute
arbitrary attachments. The following VBA script can be used to detect
possibly malicious emails by looking for certain types of HTML tags that
might be used in a malicious way.
DETAILS
The security holes in Outlook 2002 are a good reason to do some checking
before mail can be opened.
Outlook 2002 provides the feature to start a VBA subroutine from the Rules
Wizard. The last rule should be a rule that checks all new email and
passes it to the procedure listed below. The procedure scans the body of
the mail for suspicious words if the mail has an HTML format. If the mail
is found to be suspicious, it is 'flattened', so that it can safely be
read. The email is also moved to a subfolder of Inbox named 'Virus', if
this folder exists.
Code:
Public Sub TestMail(opMail As MailItem)
    Dim slBody As String
    If opMail.BodyFormat <> olFormatPlain Then
        slBody = opMail.HTMLBody
        If Contains(slBody, "<object", "<script", "<vbscript", _
            "createobject", "clsid:", "<iframe", "<frame", "cid:", _
            "about:", "javascript:") Then
            'highly suspicious!
            'flatten it
            opMail.BodyFormat = olFormatPlain
            opMail.Body = "SUSPICIOUS MAIL!" & vbCrLf & vbCrLf & slBody
            'save, so the flattened body is kept even if the move below fails
            opMail.Save
            'move to 'virus' folder, if this folder exists
            On Error Resume Next
            opMail.Move Application.GetNamespace("MAPI"). _
                GetDefaultFolder(olFolderInbox).Folders("virus")
        End If
    End If
End Sub

'returns True if spBody contains any of the strings passed in spText
Private Function Contains(spBody, ParamArray spText() As Variant) As Boolean
    Dim slText As Variant
    For Each slText In spText
        'vbTextCompare makes the match case-insensitive, so "<SCRIPT" is found too
        If InStr(1, spBody, slText, vbTextCompare) > 0 Then
            Contains = True
            Exit For
        End If
    Next
End Function
To activate the rule and the procedure, follow these steps.
1) In Outlook 2002, press Alt-F11. You will see the Visual Basic designer.
2) From the "Insert" menu choose "Module". An empty window displaying the
module appears.
3) Paste the first part of the code in the new module.
4) Now open the "Project Explorer" window if it is not open yet
(press Ctrl-R).
5) Expand the tree until you see "ThisOutlookSession".
6) Double-click on ThisOutlookSession. A window displaying the code in
this module (if any) appears.
7) Paste the second part of the code in this module.
8) Close the Visual Basic designer.
9) Choose "Rules Wizard" from menu "Extra"
10) Press "new..."
11) Select the second option "Begin with empty rule"
12) Select in the list "Check message when they arrive" (this is already
selected, probably)
13) Choose "Next"
14) Choose "Next" again, you will be asked if you really mean to apply
this rule to all incoming messages, which is actually what you want, so
press "yes"
15) Scroll the list down until you find "Run a script" (it is the third
from below in my Outlook). Select this option by checking the checkbox.
16) Now click the underlined words "a script" in the "Description" area.
17) Select the subroutine "TestMail" (probably something like
Project1.vTestMail) and click "OK"
18) Choose "Next"
19) Choose "Next" again
20) Fill in a name for the rule, you might use something like "anti-virus"
21) Make sure the rule is active (the second checkbox should be checked).
22) Press "Finish".
23) Now the rule should appear in the rules wizard.
24) If there are more rules, this rule should run as the last rule. Select
the rule and press "Move down" until the rule is on bottom of the list.
25) Press OK, and you're ready.
The intelligent reader will already have wondered about the 'workaround'
that is implemented in the code. The workaround is needed because, when
Outlook is started for the first time in a Windows session and a rule is
executed, the VBA code has totally disappeared!
This workaround seems to solve it.
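The rule's check applied to raw MIME messages outside Outlook, for instance at a mail gateway, as an added Python example that is not part of the original advisory. The function names and the two sample messages are assumptions constructed for illustration; the token list and the warning text are the ones used in the VBA procedure above. Matching is case-insensitive and is done after HTML character references are decoded.

```python
import html
from email import message_from_string
from email.message import EmailMessage

# Same token list as the VBA rule in the advisory.
TOKENS = ("<object", "<script", "<vbscript", "createobject", "clsid:",
          "<iframe", "<frame", "cid:", "about:", "javascript:")

def html_bodies(msg):
    """Yield the decoded text of every text/html part (hypothetical helper)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            yield payload.decode(charset, errors="replace")

def suspicious_tokens(msg):
    """Return the tokens present in any HTML part, in TOKENS order."""
    found = []
    for body in html_bodies(msg):
        # Normalise before matching: decode character references, fold case.
        text = html.unescape(body).lower()
        found += [t for t in TOKENS if t in text and t not in found]
    return found

def flatten(msg):
    """Mirror the rule's action: a plain-text message holding the warning line
    and the raw HTML source. Returns None when no token matched."""
    hits = suspicious_tokens(msg)
    if not hits:
        return None
    flat = EmailMessage()
    for name in ("From", "To", "Subject"):
        if msg[name]:
            flat[name] = msg[name]
    flat["X-Suspicious-Tokens"] = ", ".join(hits)  # lets a reviewer triage hits
    flat.set_content("SUSPICIOUS MAIL!\r\n\r\n" + "\r\n\r\n".join(html_bodies(msg)))
    return flat

# Constructed sample messages (not taken from the advisory).
_HDR = ("From: a@example.test\nTo: b@example.test\nSubject: hi\n"
        "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n")
SAMPLE_BAD = message_from_string(
    _HDR + '<html><body><IFRAME src="cid:part1"></IFRAME>hello</body></html>\n')
SAMPLE_OK = message_from_string(
    _HDR + "<html><body><p>Meeting at <b>10:00</b></p></body></html>\n")
```

The X-Suspicious-Tokens header records which tokens matched, which helps when a legitimate message is flagged (for example, "cid:" also appears in ordinary mail with inline images).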
ADDITIONAL INFORMATION
The information has been provided by <mailto:agricola@CHRISCOM.NL>
Agricola.