Worm:Win32/Visal.B

New Threat items known so far

Microsoft Forefront Products

If you are not an MSAV customer, contact your AV vendor and work with them to get samples and definitions!

Action Plan

Exchange Server 2007 / 2010

Transport

Depending on the volume of incoming mail, you may need to pause all transport servers so nothing new comes in.

1. Set a Transport Rule to Delete any incoming messages

GUI – from the EMC

Organization Configuration > Hub Transport > Transport Rules

New Transport Rule

Fill out the rule Name and any necessary comments and leave Enable Rule checked

Next

Conditions: When the Subject field contains specific words "Here You Have"

Actions: silently drop the message

Click New to create the rule, then restart the Transport service.
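The same "silently drop" rule can be created from the Exchange Management Shell instead of the EMC. This is an added example, not part of the original post; the rule name and comment text are assumptions, the subject words are the ones given above. The branch on the server version is needed because Exchange 2010 takes the condition and action as parameters, while Exchange 2007 expects predicate and action objects.

```powershell
# Added example (not from the original post). Assumed: rule name and comment.
$RuleName = "Drop Here-you-have worm messages"
$Subject  = "Here you have"

$major = (Get-ExchangeServer $env:COMPUTERNAME).AdminDisplayVersion.Major

if ($major -ge 14) {
    # Exchange 2010: condition and action are plain parameters.
    New-TransportRule -Name $RuleName `
        -Comments "Incident response: drops Visal.B worm mail" `
        -Enabled $true `
        -SubjectContainsWords $Subject `
        -DeleteMessage $true
} else {
    # Exchange 2007: build the predicate and action objects first.
    $condition = Get-TransportRulePredicate SubjectContains
    $condition.Words = @($Subject)
    $action = Get-TransportRuleAction DeleteMessage
    New-TransportRule -Name $RuleName `
        -Comments "Incident response: drops Visal.B worm mail" `
        -Enabled $true `
        -Conditions @($condition) `
        -Actions @($action)
}

# Confirm the rule exists and is enabled, then restart transport so it
# takes effect immediately rather than at the next rule refresh.
Get-TransportRule $RuleName | Format-List Name,State,Priority
Restart-Service MSExchangeTransport
```

"Contains specific words" is a whole-word, case-insensitive match, so "RE: Here you have" replies are dropped as well; that is normally what you want during the outbreak.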

2. Delete messages in the queues

Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Remove-Message -Confirm:$false

Mailbox Cleanup

1. Export and delete virus messages from mailboxes

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

** remember to create the target mailbox "VirusMailbox" first **

** hide this target mailbox from the GAL**

2. Preventative Measure – Disable MAPI access

Run syntax to remove MAPI access from all mailboxes in that store:

get-mailboxdatabase <name> | get-mailbox | Get-CASMailbox

get-mailboxdatabase <name> | get-mailbox | set-casmailbox -mapienabled $FALSE

Then re-enable MAPI for each user as their Outbox is cleaned out.
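The three steps above (create and hide the quarantine mailbox, export and delete the worm mail, disable MAPI) as one script. This is an added example, not from the original post; the database name "DB01", the UPN suffix contoso.com and the report path are assumptions, and the date range reuses the values quoted later in the post.

```powershell
# Added example (not from the original post). Assumed names: DB01, contoso.com,
# C:\IR. The quarantine mailbox name "VirusMailbox" is the one used in the post.
$Quarantine = "VirusMailbox"
$Database   = "DB01"

# Step 0: the target mailbox must exist before Export-Mailbox runs,
# and it should be hidden from the GAL (both reminders are in the post).
if (-not (Get-Mailbox $Quarantine -ErrorAction SilentlyContinue)) {
    New-Mailbox -Name $Quarantine `
        -UserPrincipalName "$Quarantine@contoso.com" `
        -Password (Read-Host "Password for $Quarantine" -AsSecureString) `
        -Database $Database
}
Set-Mailbox $Quarantine -HiddenFromAddressListsEnabled $true

# Step 1: copy the worm mail out of every mailbox on the database, then delete
# it. Folder and date restrictions keep ordinary mail out of scope; the
# quarantine mailbox itself is skipped so we do not export what we just exported.
Get-MailboxDatabase $Database | Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.Alias -ne $Quarantine } |
    Export-Mailbox -SubjectKeywords "Here you have" `
        -IncludeFolders "\Inbox","\Outbox","\Sent Items" `
        -StartDate "09/08/2010" -EndDate "09/09/2010" `
        -DeleteContent `
        -TargetMailbox $Quarantine -TargetFolder "VirusMsgs" `
        -ReportFile "C:\IR\export-report.xml" `
        -Confirm:$false

# Step 2: cut MAPI access for everyone on the store until their Outbox is clean.
Get-MailboxDatabase $Database | Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.Alias -ne $Quarantine } |
    Set-CASMailbox -MAPIEnabled $false
```

Keep the report file and the quarantine mailbox for the incident record; the quarantined messages are also the samples your AV vendor will ask for.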

Exchange Server 2000/2003

1. Use ExMerge to remove the infected emails from mailboxes

2. Clearing queues

Manual: In E2K3 we can stop the SMTP service, then do a string search in the Queue folder for the virus message's subject words and delete the matching files that way.

Automated: We have a tool to do this in CTS, but it is not available externally; open a ticket with the CTS Exchange Server team to request assistance with this piece.
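The manual E2K3 queue cleanup, scripted. This is an added example, not from the original post and not the CTS tool; it assumes the default SMTP virtual server queue path and a quarantine folder of your choosing, and it moves the matching .eml files instead of deleting them so samples survive.

```powershell
# Added example (not from the original post). Assumed: default Exchange 2003
# queue path for SMTP virtual server 1 and the C:\IR\Quarantine folder.
$QueuePath  = "C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue"
$Quarantine = "C:\IR\Quarantine"
$Subject    = "Here you have"

# Stop SMTP first, as the post says, so the queue is not being written to.
Stop-Service -Name SMTPSVC
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# Queued messages are .eml files with the RFC 2822 headers at the top.
# -List stops at the first match per file, so a large queue stays cheap.
# Select-String is case-insensitive by default; the pattern also catches
# "RE:" / "FW:" prefixed subjects.
$pattern = "^Subject:.*" + [regex]::Escape($Subject)
$hits = @(Get-ChildItem -Path $QueuePath -Filter *.eml |
          Select-String -Pattern $pattern -List)

foreach ($hit in $hits) {
    Move-Item -Path $hit.Path -Destination $Quarantine
}

$remaining = @(Get-ChildItem -Path $QueuePath -Filter *.eml).Count
"{0} messages quarantined, {1} left in the queue" -f $hits.Count, $remaining

Start-Service -Name SMTPSVC
```

Subjects that arrive MIME-encoded (an `=?...?=` encoded-word) will not match a plain-text search; check a sample file's Subject header before trusting the count.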

Some quick and dirty updates.

Export-Mailbox command

You can limit this command to specific folders with the -IncludeFolders option, and if your customer is afraid of deleting legitimate mail you can also use a date restriction to export only mail within a certain date range. Example below:

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -IncludeFolders "\Inbox" -StartDate "09/08/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

Tools

There is a tool that can be used to run reports against mailboxes to determine who has a large number of items in their Outbox. For additional information on this contact Support.

ExMon can be used to determine which user or workstation may be hammering the message store and may need to be taken offline.

See the following for instructions on using ExMon to find the offending clients: http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html This works with every supported version of Exchange currently available.
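A shell-only substitute for the Outbox report mentioned above, and for the "re-enable each user as their Outbox is cleaned out" step of Mailbox Cleanup. This is an added example, not the Support tool and not from the original post; the database name and the threshold are assumptions.

```powershell
# Added example (not from the original post). Assumed: database DB01 and a
# threshold of 50 queued Outbox items as "suspicious".
$Database  = "DB01"
$Threshold = 50

# One row per mailbox: Outbox item count plus current MAPI state.
# Calculated properties keep this working on Exchange 2007's PowerShell 1.0.
$report = Get-MailboxDatabase $Database | Get-Mailbox -ResultSize Unlimited |
    Select-Object Alias,
        @{Name="OutboxItems"; Expression={
            [int](Get-MailboxFolderStatistics $_.Identity -FolderScope Outbox).ItemsInFolder }},
        @{Name="MapiEnabled"; Expression={
            (Get-CASMailbox $_.Identity).MAPIEnabled }}

# Worst offenders first: these are the clients to pull off the network
# (ExMon will tell you which workstation, this tells you which mailbox).
$report | Where-Object { $_.OutboxItems -gt $Threshold } |
    Sort-Object OutboxItems -Descending |
    Format-Table Alias,OutboxItems,MapiEnabled -AutoSize

# Re-enable MAPI only where the Outbox has drained.
$report | Where-Object { $_.OutboxItems -eq 0 -and -not $_.MapiEnabled } |
    ForEach-Object { Set-CASMailbox -Identity $_.Alias -MAPIEnabled $true }
```

Run the report again after the transport rule and queue purge have been in place for a while; a mailbox whose Outbox keeps refilling is a workstation that has not been cleaned yet.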

Working with Transport – new information

One customer has almost 1.5 million messages, so you may need to purge on a queue-by-queue basis.

Get-Message -Queue "serverqueue" -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Suspend-Message

Get-Message -Queue "serverqueue" -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Remove-Message -Confirm:$false

Get-Message returns only 1000 messages by default, so you need to set -ResultSize to Unlimited.

If there are other transport rules they may need to be temporarily disabled. Remember that on Exchange 2007 pre-SP3 you will not be able to remove messages from the Submission queue; the best bet is to pause transport and let the rule do its thing.
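The per-queue purge from the Transport section and the queue-by-queue advice above, combined into one loop. This is an added example, not from the original post; the subject pattern and the choice of -like over -eq are mine.

```powershell
# Added example (not from the original post). Walks every queue on every
# transport server, suspends then removes the worm mail, and tallies per queue.
# -like is used so "RE: Here you have" replies are caught too; switch to -eq
# if that is too broad for your environment.
$Pattern = "*Here you have*"

foreach ($server in Get-TransportServer) {
    foreach ($queue in Get-Queue -Server $server.Name) {
        # -ResultSize Unlimited: the default cap is 1000 messages per call.
        $worm = @(Get-Message -Queue $queue.Identity -ResultSize Unlimited |
                  Where-Object { $_.Subject -like $Pattern })
        if ($worm.Count -eq 0) { continue }

        # Suspend first so transport does not keep retrying delivery mid-purge.
        $worm | Suspend-Message -Confirm:$false

        # -WithNDR $false: the default is $true, which would send an NDR per
        # purged message to the (forged) sender, i.e. more junk into the queues.
        $worm | Remove-Message -WithNDR $false -Confirm:$false

        "{0} : removed {1} of {2} messages" -f $queue.Identity, $worm.Count, $queue.MessageCount
    }
}
```

On Exchange 2007 pre-SP3 the Submission queue will still report matches that cannot be removed; pause transport and let the transport rule drain it instead.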

Kind Regards
Catastrophic Failure "JV"