Exchange Messaging Outlook
Volume 5, Number 13

• Exchange 5.5 Service Pack 4 
• Navidad and BleBla viruses 
• Learning Exchange -- 12 weeks or 2?

Navidad and BleBla viruses

Don't let your guard down with respect to Outlook viruses. Among the latest ones making the rounds is one that runs automatically when you open an HTML-format message.

Navidad -- known as TROJ_NAVIDAD.A, W32/Navidad@M, or W32/Navidad -- is a fairly typical .exe attachment virus. If you don't run it, you don't get infected. If you do get infected, then the virus will run whenever you try to start any program that uses an .exe file. It will also send a copy of itself by replying to messages in your Outlook Inbox. Our standard recommendations at http://www.slipstick.com/outlook/antivirus.htm easily protect against this type of virus.

The BleBla virus -- also known as Romeo & Juliet or TROJ_BLEBLA.A -- is a different story. We think it's potentially more dangerous than the anti-virus sites indicate. Why? Because, as far as we know, it's the first virus in the wild to combine several Internet Explorer and Windows vulnerabilities to deliver its payload via an HTML mail message that can launch a malicious .exe file automatically when you open the message.

Here's how BleBla works: It uses Iframe elements in the HTML message to cause its two payload files, MYJULIET.CHM and MYROMEO.EXE, to save into your Windows TEMP folder by way of two different vulnerabilities. One in Iframe was first exposed more than six months ago -- see http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=9474 -- but we were unable to find any patch to fix it. The second, known as the "Cache Bypass" vulnerability was fixed in July. See http://www.microsoft.com/technet/security/bulletin/MS00-046.asp for details

A small script then runs the MYJULIET.CHM file, which in turn launches the MYROMEO.EXE file -- the real payload. If you have Outlook set up to never run scripts in HTML messages, the script never executes -- so you're safe. More on that below.

The third vulnerability is not related directly to Internet Explorer, but to Windows itself. Because the MYJULIET.CHM file has been saved to the user's own TEMP folder, it can execute a shortcut to another file, in this case the MYROMEO.EXE payload file. While there is a patch to prevent HTML Help files (in other words, .chm files) from executing shortcuts on remote systems (see http://www.microsoft.com/technet/security/bulletin/MS00-037.asp), this fix does not keep a .chm file on the local drive from running another file.

All this goes to show that virus writers continue to exploit every weakness they can find. An anti-virus program is only as good as its last update and the heuristics it uses to detect suspected new viruses. Setting Outlook to never allow scripts to run in HTML messages is a key defense against these types of viruses. If you don't know whether you have Outlook set to never run scripts, we urge you to follow these steps to put Outlook in the Restricted Sites zone and make scripts inoperable in that zone:

1. Use Tools | Options | Security to set the security zone for Outlook HTML mail to Restricted Sites. 
2. Click the Zone Settings button, then OK. 
3. Select Custom, and then click the Settings button. 
4. On the Security Settings dialog box, choose Disable for all options under these headings: 
   • ActiveX Controls and plugins 
   • Scripting 
5. Click OK three times to save the updated security settings.

Installing the Outlook Email Security Update also restricts scripts and blocks both .exe and .chm files, so it should offer good protection against BleBla. However, this update is not for everyone, since it also affects the way some key applications run. See http://www.slipstick.com/outlook/esecup.htm for complete details.

Our thanks to Kaspersky Labs in Moscow (http://www.kaspersky.com) for confirming the details of BleBla's behavior. Kaspersky's page on the virus also notes that it seems to have a bug that apparently keeps it from spreading on English-language Windows systems. This may be why it has not propagated further and become a higher-risk virus. Kaspersky also says that Internet Explorer 5.0 SP1, which should have fixed the "Cache Bypass" vulnerability, still was vulnerable to this issue in their tests. Internet Explorer 5.5, on the other hand, did prevent the MYJULIET.CHM file from saving into the TEMP folder.

Learning Exchange -- 12 weeks or 2? 

I read an interesting article recently on "Learning a New Messaging System" at http://www.cnilive.com/marketsite/ms001102.html. Creative Networks, Inc., says their research shows that the average time for administrators, help desk and other support staff to adapt to a new Exchange Server installation is about 12 weeks. Large organizations seem to take longer, CNI says, for a variety of reasons, including all the complexities of migrating from one mail system to another.