Outlook and Outlook Express

This page will hopefully clarify some of the noted confusion about the ability of Outlook and Outlook Express to interact with worms and viruses. In many ways it's a shame that Microsoft had to name the programs with such similar names. With different names the confusion that currently seems to exist would not.

Despite the similar names, Outlook and Outlook Express are two different programs with two different development histories.

The Outlook E-mail client was designed as a replacement for the mail clients MS Exchange and MS Mail. Basically, it's a shoehorn of an Internet mail client into the proprietary MS Mail/Exchange clients.

Outlook Express was a rewrite and expansion of the Internet Email and News client that came with early Internet Explorer browsers (version 3 at least, not certain about version 2).

While Outlook 97 is a full OLE (MS Automation) client and server it did not make methods for accessing the address book and sending mail available to external users (the external user was assumed to know the address it wanted to send mail to). Apparently finding this too restrictive, Microsoft, in Outlook 98, made these interfaces available to external users to work with (i.e., the external user no longer needed to know an E-mail address, they could use addresses stored by Outlook). It's this change that makes it possible for Outlook 98 (and later) to be used by virus/worm authors to do their E-mail tasks for them.

There presently does not appear to be a way to use the Visual Basic Application language tools built into Outlook for macro virus purposes (as you can with Word and Excel) but future changes may allow this.

Outlook Express, unlike Outlook, does not presently make any of its mail routines available to MS Automation (at least in all present shipping versions--who knows what the future may bring).

So, in general, when you see a worm/virus description talk about "Outlook" you can generally assume it means the Outlook program and not the Outlook Express program.

But, as with everything, there is at least one (and in the future more?) caveat. The KAK worm specifically targets Outlook Express by changing the default signature to one containing JavaScript code that acts as a worm. (This is a special case where it appears the worm author was trying to "infect" a program that was not supposed to be able to be infected.)