Outlook 03/07 crash with phishing messages

Dee

Hello! We have about 20 out of a couple hundred users (and climbing) who
suddenly started having this problem last week. We're upgrading everyone to
2007, but are only about half way done. Either way, the problem is whenever
anyone received one of the 'you've received a greeting!' spams, Outlook
crashes (2003 and 2007). I tested from my home e-mail, and yep, it crashes
unless I take out the link. It's normally flagged as a virus (Zhelatin), but
sometimes it's quarantined, and sometimes not. We use Exchange, everyone uses
Cached Exchange Mode, and we have McAfee antivirus 8.5.0i, patch 1.

Outlook 2003 users get a runtime error:
Microsoft Visual C++ Runtime Library
Program: C:\Program Files\Microsoft Office\Office11\Outlook.exe
This program has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Outlook 2007 gets an error report box and the following in the application
event log:
Faulting application outlook.exe, version 12.0.6023.5000, stamp 46574050,
faulting module kernel32.dll, version 5.1.2600.3119, stamp 46239bd5, debug?
0, fault address 0x00012a5b.

I haven't found anything on Google, and I'm really not noticing a trend
between these computers. We receive our McAfee updates automatically, but
McAfee tech support had no idea (we were thinking it was the on-delivery
e-mail scan until we figured out the phishing thing was with Outlook). I also
ran a /cleanprofile on one of them, and we thought that maybe recreating the
OST file would do it, but noooope. Also, after Outlook is restarted, all is
well until they receive another one of those messages. Our e-mail scan is
up-to-date on the server, and with kernel32.dll thrown into that error, we're
really thinking it's an Outlook thing. We don't have any third-party add-ons
in Outlook.

Anyone have any ideas? Need more info? =) Thank you!
 
test

I get the same error with Outlook 2007, but I'm pretty sure it's the Filenet
add-in that makes it crash.
 
Dee

I'm afraid we only have the add-ins that Outlook comes with; nothing extra
save a couple with Adobe PDF.
 
Brian Tillman

Dee said:
I'm afraid we only have the add-ins that Outlook comes with; nothing
extra save a couple with Adobe PDF.

The Adobe PDF Maker add-in can cause problems with Outlook.
 
Dee

Yes, but out of the 50 or more now that we have (it's growing somehow), only
a couple have that add-in. We disabled that with one of our first users.

Since it's growing, it's starting to point more towards McAfee. Zhelatin was
finally flagged as a virus through McAfee, but I've seen a report of another
person getting a false positive (flags it in Outlook but there's nothing
there). That's happening here, but no other reports of crashes that I've
seen. Ah well, I'll be back here if we determine that's not it. Any more tips
would still help, though.
 
Trev

Dee -

Did you ever find a solution to this issue? We are having the same problem.

We are running McAfee Virus Scan 8.0i patch 15 on our desktops. The virus scanner log files show that when a Zhelatin message comes in the Virus Scan program tries to move it to the quarantine folder, but it can't for some reason.

We are able to solve the problem temporarily by deleting the quarantine folder and then either re-creating it manually and/or starting outlook with the /resetfolders command line switch.

This fixes it for a couple of hours, but soon Outlook is crashing again.

I don't know if it has to do with our users using Outlook in cached mode or not. Are your users in cached mode?

It seems to be about 25-40 out of 800+ workstations, so I don't know what the issue could be. All workstations are on the same image, so I don't know why some users are having issues and others are not.

Please let me know if you have a more permanent fix than the above steps.

Thanks!
 
MaryK

We are having this problem too. Also on just a few of our workstations --
but climbing. Am guessing McAfee is getting flooded with calls as I can't
get through other than to sit on hold waiting for an operator. Please let me
know if you find a solution. Thanks!
 
ksalldc

My company is also seeing this problem. We are running Outlook 2003 in
Cached mode and are using VSE 8.5.0i sp1.

What I cannot figure out is that when one of my computers crashed, I sent
the "postcard" spam message to another computer and the message was caught by
the virus scan and moved to the quarantine folder. The desktops are running
the identical virus scan setup (we use Protection Pilot) and have the same
engine and DAT file; the postcard spam is caught on some computers and not
on others.

Anyone with a solution?
 
Luciana

We are having the same issue here - but with Office 2003 and XP. We use
Exchange Cached Mode also, and the message pops up every time a "you've
received a post card" message arrives, but not with all users, only a few.
And it happens with Office XP and 2003. It seems that users with admin rights
don't have the problem - my boss receives "postcards" every day and they go to
the quarantine folder normally. At first I tried everything from renaming
EXTEND.DAT (I thought it was something similar to what happened when I started
deploying the agent) to removing MS Office and reinstalling it, but the problem
is still there. I'm going to try to get McAfee to help us - and I'll let
you guys know anything.

Thanks!
 
MaryK

I finally got through to McAfee and they are working on a solution. Will
update here as soon as I hear from them.
 
PPP

We have noticed that if one of those great ecard emails makes it through our
filter, it causes the error in question. We are using McAfee 8.5.0i.
 
Trev

MaryK -

Did they give you any kind of reference or bug number? I also called McAfee support, but the support rep who answered does not acknowledge it's a known issue. I'm going through the troubleshooting steps with him now, but not holding out a lot of hope.

We've started filtering the messages before they reach the users, but it's only got to take a few simple changes in the body or subject line before we start getting hammered again.

Thanks.
 
Luciana

After a long chat with McAfee last night, we've found out that we have
Zhelatin, but the normal scan does not detect it - have no clue why. Anyway,
they sent me the procedures below, and I already did it on one of the
infected computers - and the manual scan DID find one single infected file -
but I cleaned it manually. Now I'm waiting until the user receives another
spam greeting message and see what happens. Let me know if it works with you
guys.

Here is the procedure - per McAfee:
*************************************
Please run a command line scan on your computer as this is a deeper scan as
compared to the normal scan.
Below are instructions for running a complete VirusScan via command line.
Before proceeding, delete all temporary files including files in the temp
folder, temporary Internet files, history, and cookies.
-Create a folder named SCAN in the root of the System Drive (typically C:\).
-Set a Read-Only attribute to the SCAN folder.
-Right-click the scan folder and select Properties.
-Place a checkmark next to Read-only.
-Click OK.
-Download the latest SDATxxxx.exe (where xxxx is the version number) to the
SCAN folder from:
http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise
-Restart the computer in Safe Mode Command Prompt Only.
-Type cd\scan
-Type SDATxxxx.EXE /e
-Type SCAN.EXE /clean /Winmem /all /adl /program /unzip /report
[PATH_TO_FOLDER]\report.txt (where [PATH_TO_FOLDER] is the location where
report.txt is to be created)
****IMPORTANT: An error may be displayed which states that an application is
attempting to directly access the hard disk. IGNORE must be clicked to
continue with the scan.
-Restart the computer normally.
-Open report.txt and identify errors or infected files.

If the issue is still unresolved then please submit a sample of the
file (.exe or .dll) which seems to be causing the problem on the following
website:
www.webimmune.net
 
Dee

Thank you, Luciana! Unfortunately, I did not find anything. We now have two
problems:

1. False positives. McAfee (on our Exchange server) is saying a few people
are infected, but the manual scan you posted did not find anything - no
crashing, though!
2. Outlook 03/07 crashing *occasionally* when receiving those e-mails, which
sometimes get flagged, sometimes don't. Manual scan also turned up nothing on
one of the users, although I have another scheduled today. By chance,
Luciana, did your scan actually turn up the Zhelatin virus or did it just
flag a suspicious file?

Our next step, if this scan turns up nothing, is to turn off the On-Delivery
E-mail Scan on a few users to see if this stops the crashing. Unfortunately
this is a bit of a scary idea, and only a temporary one to see if we can
isolate it more. We're also still considering turning off all Outlook
add-ins, but we're sort of doubtful...

Anyone else have any other suggestions? =)

Luciana said:
After a long chat with McAfee last night, we've found out that we have
Zhelatin, but the normal scan does not detect it - have no clue why. Anyway,
they sent me the procedures below, and I already did it on one of the
infected computers - and the manual scan DID find one single infected file -
but I cleaned it manually. Now I'm waiting until the user receives another
spam greeting message and see what happens. Let me know if it works with you
guys.

Here is the procedure - per McAfee:
*************************************
Please run a command line scan on your computer as this is a deeper scan as
compared to the normal scan.
Below are instructions for running a complete VirusScan via command line.
Before proceeding, delete all temporary files including files in the temp
folder, temporary Internet files, history, and cookies.
-Create a folder named SCAN in the root of the System Drive (typically C:\).
-Set a Read-Only attribute to the SCAN folder.
-Right-click the scan folder and select Properties.
-Place a checkmark next to Read-only.
-Click OK.
-Download the latest SDATxxxx.exe (where xxxx is the version number) to the
SCAN folder from:
http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise
-Restart the computer in Safe Mode Command Prompt Only.
-Type cd\scan
-Type SDATxxxx.EXE /e
-Type SCAN.EXE /clean /Winmem /all /adl /program /unzip /report
[PATH_TO_FOLDER]\report.txt (where [PATH_TO_FOLDER] is the location where
report.txt is to be created)
****IMPORTANT: An error may be displayed which states that an application is
attempting to directly access the hard disk. IGNORE must be clicked to
continue with the scan.
-Restart the computer normally.
-Open report.txt and identify errors or infected files.

If the issue is still unresolved then please submit a sample of the
file (.exe or .dll) which seems to be causing the problem on the following
website:
www.webimmune.net
 
Trev

I didn't find the virus on my system either.

I just talked to a friend who may have gotten the answer from McAfee's Level 3 support though......

They say that they had noticed this issue with the Common Management Agent (CMA) version 3.5.5 and possibly 3.6.0. (My understanding is that this is the McAfee Framework service) They instructed my friend to upgrade to CMA version 3.6.0 patch 1 and then reboot.

After the reboot, my friend restarted outlook with the /resetfolder command line switch and hasn't had an issue since. He's been bombarding the system with forwarded Zhelatin e-mails (that always crashed the system before) and the system still has not errored again.

You can tell if you need to upgrade by checking the version of the following file:

C:\Program Files\McAfee\Common Framework\FrmInst.exe

It should be version 3.6.0.546 after installing CMA 3.6.0 patch 1.

You can get CMA 3.6.0 patch 1 from the McAfee website, but I'm not sure if you must have a support contract to download it or not.

I've upgraded a test system already and am testing myself. Hopefully it works!
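A check along the lines Trev describes, as an added example that is not from the thread or from McAfee: it reads the file version of the FrmInst.exe path named above, compares it with 3.6.0.546, and lists the "Faulting application outlook.exe" records from the Application log so a recurrence after the upgrade is visible. It assumes Windows PowerShell on the affected workstation and the default install path quoted in the post.

```powershell
# Added example: verify the Common Framework version Trev reports as fixed and
# list recent Outlook crash records like the one quoted at the top of the thread.
# Assumes Windows PowerShell (Get-EventLog) and the default install path.
param(
    [string]$FrmInst = 'C:\Program Files\McAfee\Common Framework\FrmInst.exe',
    [version]$FixedVersion = '3.6.0.546',   # expected after CMA 3.6.0 patch 1
    [int]$Days = 7
)

function Test-CmaPatched {
    param([string]$Path, [version]$Minimum)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Present = $false; Version = $null; Patched = $false }
    }
    # Build the version from the numeric parts of the PE version resource,
    # which is more robust than parsing the FileVersion string.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $fv = New-Object version ($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{ Present = $true; Version = $fv; Patched = ($fv -ge $Minimum) }
}

function Get-OutlookCrashEvents {
    param([int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    # 'Application Error' is the source that writes the "Faulting application ..." records
    Get-EventLog -LogName Application -Source 'Application Error' -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Faulting application outlook\.exe' } |
        ForEach-Object {
            # Pull out the faulting module (kernel32.dll in the post above)
            $m = [regex]::Match($_.Message, 'faulting module (?<mod>[^,]+),')
            [pscustomobject]@{
                Time   = $_.TimeGenerated
                Module = if ($m.Success) { $m.Groups['mod'].Value } else { '?' }
                Text   = $_.Message.Split("`n")[0]
            }
        }
}

$cma = Test-CmaPatched -Path $FrmInst -Minimum $FixedVersion
if (-not $cma.Present)  { "FrmInst.exe not found at $FrmInst" }
elseif ($cma.Patched)   { "Common Framework $($cma.Version): at or above $FixedVersion" }
else                    { "Common Framework $($cma.Version): below $FixedVersion, apply CMA 3.6.0 patch 1" }

$crashes = @(Get-OutlookCrashEvents -Days $Days)
"Outlook crash records in the last $Days days: $($crashes.Count)"
$crashes | Sort-Object Time -Descending | Format-Table Time, Module, Text -AutoSize
```

Run it once before and once after applying the patch; a patched version together with zero new crash records after the users have received more of the postcard messages is the confirmation Trev describes.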
 
Trev

Still no crashes on my test system after upgrading to CMA version 3.6.0 patch 1. I've been bombarding the system with postcards for more than a day and it's still good to go.

I'm fixed.

Thank you all for the ideas/suggestions posted here.
 
Roady [MVP]

You didn't quote the issue. Use the body to specify your configuration and
clarify your request.
 
