13Mar 2017

This is indeed a touchy subject for some core Outlook users but also quite a common request from the more casual Outlook users or home users who are familiar with emoji’s in other apps and on webpages.

Even though Outlook doesn’t offer native support for custom and colorful smileys, it is easy to set this up via AutoCorrect. This way, smileys will directly convert from their textual counterpart to an icon of your choice.

In fact, the built-in conversion of :-) to  is also done via AutoCorrect.

New emoji’s in Outlook 2016.

Adding new smileys, icons and logos to AutoCorrect

1. Create a new message.

2. Insert the image or symbol of choice either from disk, the web or from a symbol font such as Wingdings. (See the bottom of this guide for more info on this.)

3. Select the inserted image or symbol.

4. Open the AutoCorrect options dialog;

  • Outlook 2003 and previous (requires Word as your email editor)
    Tools-> AutoCorrect Options…
  • Outlook 2007
    Office logo at the top left corner-> Editor Options-> Proofing-> button AutoCorrect Options…
  • Outlook 2010, Outlook 2013 and Outlook 2016
    File-> Options-> Mail-> button: Spelling and Autocorrect…-> button: AutoCorrect Options…

5. Select the AutoCorrect tab.

6. Type your characters that should convert into this image in the “Replace” field.
For instance :-) or :-P.

7. Verify that the “With” option is set to “Formatted text”. You may not see your image in the box below it (this is a small bug in Outlook).

8. Click the button Add or Replace (in case the entry already exists).

9. In the list below, you’ll now see an entry for your typed characters. The asterisk (*) indicates that it will be replaced with an image.

10. Press OK until you’ve returned to your message.

After you’ve configured the emoticon, the next time that you want to insert it, simply type your emoticon in characters and it will be replaced with your image (you might need to press the Spacebar or ENTER afterwards for it to actually convert).

Via AutoCorrect you can replace Outlook’s dull emoticons will colorful new ones and add new ones of your own as well. (Due to a bug in Outlook/Word the image may not always show in the AutoCorrect dialog.)

Note 1: Outlook doesn’t offer support for animated gifs, but if the message is received by a mail client which does, the gif image will still animate.

Easy access to AutoCorrect options

When setting up your emoticons, quicker access to the AutoCorrect options dialog might be handy in Outlook 2007 and Outlook 2010. For this you can add the command to the Quick Access Toolbar (QAT).

Adding the AutoCorrect Options button to the QAT can significantly speed up the configuration of custom emoticons.

Backup your AutoCorrect entries

Once you’ve configured your custom emoticons, you might want to create a backup of them. To do this, make a copy of your normal.dot (Outlook 2003 and previous) or normalemail.dotm file when Outlook is closed (for Outlook 2003 and previous, Word needs to be closed as well).

You can find the file here;

  • Windows XP
    C:\Documents and Settings\%username%\Application Data\Microsoft\Templates\
  • Windows 10, Windows 8, Windows 7 and Windows Vista 
Source: https://www.msoutlook.info/question/598


27Feb 2017

Ransomware is a type of malware which infects a computer silently and restricts access of the computer for the user. After that, it demands for a ransom to the victim to resume normal operations on the computer.

Ransomware is one of the biggest threats of today. Every year it infects millions of computers and extorts hefty amount of money from the users or the organizations.

Please note that, most of the cases the infection of ransomware begins with carelessness of the user. For example :
  • On visiting an unsafe, untrusted or suspicious looking website, the malware may infect the system.
  • Many a times, a victim first gets an email from untrusted sender with an email attachment and is tricked to click on it. And, on opening the attachment, the malware silently infects the computer.
  • Ransomware may infect a system if the user clicks on any suspicious link in an email or a website, without properly knowing what the link contains.
  • Ransomware may hide itself with some apparently interesting software, on downloading which it infects the computer.
  • Many a times, ransomware infects a computer taking advantage of security vulnerabilities of commonly used software in the computer.


06Dec 2016

Once again, the developers of the Locky Ransomware have decided to change the extension of encrypted files.  This time, the ransomware developers moved away from Norse gods and into Egyptian mythology by using the .osiris extension for encrypted files.

Early this morning, R0bert R0senb0rg tweeted that Locky was now appending the .osiris extension to files encrypted by the ransomware. Later, operations6 tweeted that this campaign is being distributed through Excel email attachments that contain macros to download and install Locky.

Files encrypted with the OSIRIS Locky Ransomware Variant
Files encrypted with the OSIRIS Locky Ransomware Variant


Unfortunately, there is still no way to decrypt Locky encrypted files for free.

Locky OSIRIS variant being distributed via fake Excel Invoices

Thanks to Jiri Kropac, I was able to receive some SPAM emails are being used to spread the OSIRIS Locky ransomware. These emails pretend to be invoices that contain a subject of Invoice Inv[random_numbers] and contain a zip attachment with a name like Invoice_Inv[random_numbers].xls.

Locky OSIRIS Variant SPAM Email
Locky OSIRIS Variant SPAM Email


When the Excel spreadsheet is opened a user will be greeted with a blank sheet that prompt the user to enable macros. An interesting characteristic of this workbook is that the name of the sheet is Лист1, which is Ukrainian for Sheet1. This may indicate the origins of the developers.

Excel Spreadsheet Distributing Locky
Excel Spreadsheet Distributing Locky


When a user enables the macros, a VBA macro will fire that downloads a DLL file and executes it using Rundll32.exe.  You can see a portion of the extracted VBA macro below.

Locky Installer VBA Macro
Locky Installer VBA Macro

Locky installed by Renamed DLL Files

When the VBA macro executes it will download a DLL installer into the %Temp% folder. These DLL files will not have the normal .dll extension, but are renamed with a non-dll extension such as .spe.

 This DLL file will then be executed using the legitimate Windows program called Rundll32.exe in order to install Locky on the computer.
Rundll32.exe installing Locky
Rundll32.exe installing Locky


The Locky DLL I tested was being executed with a command below. Please note that the DLL name and the export being used to install Locky will not be same in all cases.

"C:\Windows\System32\rundll32.exe" %Temp%\shtefans1.spe,plan

Once Locky is installed it will scan the computer for certain file types and encrypt them. When encrypting a file, it will scramble the name and append the .osiris exension. For example, a file called test.jpg could be renamed to 11111111–1111–1111–FC8BB0BA–5FE9D9C2B69A.osiris. The format for this naming scheme is [first_8_chars_of_id]–[next_4_chars_of_id]–[next_4_chars_of_id]–[8_hexadecimal_chars]–[12_hexadecimal_chars].osiris.

When Locky has finished encrypting the files, it will display ransom notes that provide information on how to pay the ransom. The names of these ransom notes have changed for the OSIRIS Locky variant and are now named DesktopOSIRIS.bmp, DesktopOSIRIS.htm, OSIRIS-[4_numbers].htm, and OSIRIS-[4_numbers].htm.

Locky Ransom Note
Locky Ransom Note


An interesting note about the current version being distributed is that there is a small bug in the code that does not name two of the ransom notes correctly. Normally, the %UserpProfile%\DesktopOSIRIS.bmp and %UserProfile%\DesktopOSIRIS.htm would be saved on the victim’s desktop as OSIRIS.bmp and OSIRIS.htm. It seems when the developers changed the filename, they forgot to add a trailing backslash after Desktop, so the files are stored in the %UserProfile% with Desktop prepended to the intended name.

It is not possible to decrypt the Locky Ransomware OSIRIS Variant

Unfortunately, it is still not possible to decrypt .OSIRIS files encrypted by the Locky Ransomware for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Locky does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason.

By Lawrence Abrams