Viruses can involve Microsoft Outlook in several
A user opens a virus-infected attachment received via an
Outlook e-mail message. Because this
is the most common way viruses spread, many system
certain attachments at the server or use the
Outlook Email Security Update to block
such attachments at the client.
Messages exploiting certain vulnerabilities in
HTML mail can force a malicious file attachment to run even if
the user only views it in the preview pane or opens the message.
Getting the latest patches for Internet Explorer provides
Because of Outlook's easy-to-use programming model,
viruses can propagate themselves by reading the Outlook address
books and sending new virus-infected messages to everyone found
there. However, virus developers seem to be aware of the
new security provisions in Outlook, because the latest viruses
have included their own SMTP engine to send messages, thus
avoiding Outlook's security prompts.
This page provides information on how to protect
your computer from Outlook-related viruses.
the "!0000 with no email address" technique: The message circulating
that you can protect against email-borne viruses by adding a contact
with the name "!0000" and no email address or your own
email address is a hoax. The technique
does not protect you. For one thing, adding a contact with no email
address ensures that the contact does not appear in the Outlook
Address Book at all, so the virus would never see it. Adding your
own address just means you'll get a copy of whatever message the
virus sends -- if it uses the address book. However, viruses
don't need to bother with address books. Some of the latest
harvest addresses from other sources on your system, such as cached
web pages. See
trick (or !0000 trick) to confuse viruses/worms for more
Outlook Client Protection
| Scanning for File Attachments
| Confirming File Transmissions | Other Tools | More Information
Outlook Client Protection
To protect your machine from becoming infected with a virus
received via Microsoft Outlook, you should:
the latest service packs and updates for your version of Outlook
Outlook 2002 -- Service Pack 3
Outlook 2000 -- Service Pack 3 (note
potential problems for Internet Mail Only users) for greatest
protection. If you do not want the
Outlook E-mail Security Update, then
at least install Office
2000 Service Release 1/1a.
Outlook 98 --
Outlook E-mail Security Update (see
additional information below) for greatest protection. If you do not
want the full security update, then at least install the
Attachment Security Update .
Outlook 97 --
Service Release 2 plus the
Outlook 97 Email Attachment Security Update
Update Outlook, Internet Explorer, and other Windows components
Update Internet Explorer to a
"safe" version with all the latest HTML vulnerability updates.Install additional updates that
protect against HTML mail exploits. Install a patch for Media Player 7 to protect Outlook from a denial of
service attack via a rich-text format message. See
Patch Available for OCX Attachment Vulnerability.
Tighten e-mail attachment security
Block additional file types by adding extensions to the
Consider installing the Outlook E-mail Security Update.
We do not recommend this patch for all systems. Do not install
it unless you read the documentation and understand what it will
do to your add-ins.
If you install the Outlook E-mail Security Update, you may also
want to install these updates that depend on it:
If you use both Outlook 2000 and Word
2000, install the Word 2000 SR-1 Update Mail Command Security
to block possible unauthorized sending of messages through the
plain text or HTML WordMail or "Office envelope"
If you use Outlook 2000, install
the Microsoft Outlook CDO Security Update
to apply the same level of security to the Collaboration Data
Objects programming interface.
If you use Outlook 98 and need to restore CDO for use by
forms or applications, install
the Microsoft Outlook CDO Security Update.
.eml attachments. See
Not Restrict Access to EML Attachments.
If you choose not to install the Outlook E-mail Security Update,
take these steps:
Install the Attachment
Security Update for Outlook 97 or Outlook 98 or install Office
2000 Service Release 1/1a (SR1). SR1 includes a
feature to extend
attachment security protection to any type of file. If you are using Outlook 98 or Outlook 2000, increase the
security for HTML mail by following these
additional steps to control the security
zone for Outlook messages:
ActiveX Controls and plugins
- Use Tools | Options |
Security to set the security zone for Outlook HTML mail to
- Click the Zone Settings button, then
- Select Custom, and then click the Settings button.
- On the Security Settings dialog box, choose Disable for
all options under these headings:
may also want to tighten scripting even in the Restricted Sites
Outlook Does Not Restrict Access to EML Attachments.
- Click OK three times to save the updated security
See Scanning for File Attachments
for more ideas on tightening e-mail attachment security.
Practice good anti-virus safety
Never open a file attachment that you did not expect to
receive.Install an anti-virus
program, keep it updated and scan all attached files before
opening them. Remember that an anti-virus program may not
protect you against the very latest viruses. It
may only be as good as your last update.
Other optional protection ideas
You may want to tighten the ability of
Windows Script Host to run scripts on
your system.On Outlook 98 and 2000, you may also
want to use Chilton
Preview, rather than the built-in preview pane, because
Chilton Preview does not support HTML mail and, therefore, does
not leave you vulnerable to a malicious HTML mail message.
You can use VBA code in Outlook 2000 or 2002 to convert all
incoming HTML messages to either rich text or plain text. See
To convert incoming HTML
messages to Outlook Rich Text or plain text format.
Configure Outlook 2003 to display all messages in plain
text. Tools, Options, Preferences, E-mail Options and check the
box to Read all standard mail in plain text.
the Microsoft Personal
Security Advisor to check for issues with permissions,
hotfixes and other possible security vulnerabilities.
Scanning for File Attachments
Instead of blocking certain file attachments, you may want to
look at these methods of controlling what happens to attachments.
The Outlook Rules Wizard (and other automatic
processing tools) can move all messages containing file
attachments for a separate folder for later review.ExLife and CaSaveAtt from Ornic
can extract attachments from incoming items and save them
separately as system files, where your virus scanner can examine
them.With Outlook 2000, you can write code to move incoming
messages containing file attachments with certain extensions (.vbs,
.exe, etc.) to a separate folder for later review. See To quarantine application file attachments with Microsoft Outlook 2000 VBA
for sample code.
is an Outlook 2000 COM addin that notifies users of script file
attachments in the Inbox
Also, make sure you know what type of file is actually attached.
Some viruses use a double file extension, such as .jpg.vbs. If
Windows is set not to show the extension for known file types, the
recipient will see the attachment listed as a harmless .jpg file,
not a potentially dangerous .vbs file. The solution is to use
Tools | Folder Options or View | Options, depending on your Windows
version, to change the setting to show extensions for all files.
Confirming File Transmissions
If you are concerned about viruses that use Outlook to propagate,
you may want to require confirmation of all outgoing messages that
contain file attachments. For a code sample, see:
To require confirmation when sending file attachments (Microsoft Outlook 2000 VBA)
Another approach is to set up Outlook not to send mail
automatically. For Exchange Server users, this means setting up
offline folders, working offline and synchronizing periodically. For
Internet mail users, the exact settings depends on your version of
Outlook, mode and Internet connection type, but you'll generally
find the right options in Tools | Services, Tools |
Accounts or Tools | Options.
however, that the latest viruses include their own SMTP engine for
sending mail, so these techniques may not actually block virus
versions of Outlook provide a way to filter largish incoming
messages. See Download
limits to combat Swen for details on this anti-virus tip.
If you want to provide protection at the server level, as
well as on the client, these tools can help:
Content Control Tools
-- attachment filtering, among other techniques
Other miscellaneous tools:
||Blocks .vbs, .exe and other
executable files from being launched from inside Outlook or
other e-mail programs. You can still save the attachment and
launch it from the file system. Reduces the risk of a virus
spreading via e-mail by monitoring all attempts by external
programs to generate mail.
||Free tool to scan the Windows registry and either reset the
registry entry for applications so that Internet Explorer or
Outlook prompts you to Open or Save As a file or give you a
list of file types and their current setting.
||An alternative to Microsoft's
Outlook E-mail Security Update, this tool prevents the
spread of e-mail borne viruses by controlling the ability of
other applications to access Outlook. Works with all
versions of Outlook. Requires Windows NT or Windows 2000.
Outlook 2000 and 2002 COM add-in that works much like our
ZapHTML code, stripping
HTML content as a user switches from one message to another.
Note that Outlook 2002 SP-1 has a
ScreenMail for Outlook
||Removes active components, such
as scripts, and closes known Internet Explorer vulnerabilities
in HTML messages. Scans all attachments with any anti-virus
tool available on the client. (Ships with the Reflex Sherlock
anti-virus scanner.) Displays a special warning when
executable files are found. Scans signed and encrypted
Tool to strip HTML content and manage read receipts in incoming
Monitor and screen potentially harmful attachments, including
.exe files. See
ZoneAlarm Pro MailSafe for more information. Also controls
Internet access by programs, such as viruses with their own SMTP
to configure Outlook to block additional attachment file name
Viruses Affecting Microsoft Outlook
OL2000: Security Zones in Outlook 2000
Description of Internet Explorer Security Zones Registry Entries
Active is Active Content in Email? (NTBugTraq)
to "A Viral Survival Checklist" (Exchange Administrator)
Microsoft ActiveX controls dangerous? (The Register)
Protection for Messaging -- Microsoft online seminar
Email Security Testing Zone -- sends harmless messages to your
computer to test various email vulnerabilities
Top 20 Vulnerabilities -- Outlook is #8 on the Windows list