Emerging Malware Issue: Visal.B “Here You Have”, Prevent and Remove
Yesterday the “Here You Have” worm landed in our laps, and many of my customers are seeing the issue in their Exchange environments. Here at the Exchange Support center we are seeing many calls, and to help mitigate some of them we have come up with some actions to assist you in removing the worm and cleaning up your environments.
Let's start off by addressing your AV updates:
Microsoft Antivirus (MSAV)
Updates have been released and are available via Windows Update
Name: Worm:Win32/Visal.B
build 1.89.1390.0
Symantec
https://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have
Name: TrojanHorse / W32.Imsolk.B@mm
Virus Definition: v 20100909.023 or later will protect Symantec customers
Removal:
Symantec Mail Security for Exchange allows you to use Content Filtering Rules to scan and delete emails by subject
McAfee
https://vil.nai.com/vil/content/v_275435.htm
Name: W32/VBMania@MM
Virus Definition: DAT 6101 (09/10/2010) / Minimum Engine 5.3.00
Removal:
Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
An Extra.DAT is available to detect and repair this threat.
Stinger has been updated to help detect and repair this threat.
Now, for Exchange 2007/2010 environments that have been infected, you can use the following methods to assist in removal and cleanup:
TRANSPORT ROLE
Depending on the volume of incoming virus mail you may need to Pause all transport servers so nothing new is coming in.
1. Set a Transport Rule to Delete any incoming messages
GUI - from the Exchange Management Console
Organization Configuration > Hub Transport > Transport Rules
New Transport Rule
Fill out the rule Name and any necessary comments and leave Enable Rule checked
Next
Conditions: When the Subject field contains specific words "Here You Have"
Actions: silently drop the message
click New to create the rule and restart the Transport service
2. Delete messages in the queues using PS cmdlets
Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have" -and $_.Queue -notlike "*\Submission*"} | Suspend-Message
Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have" -and $_.Queue -notlike "*\Submission*"} | Remove-Message -WithNDR $False
If you run into a "too many results" error, delete queue by queue:
1. Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have" -and $_.Queue -notlike "*\Submission*"} | Suspend-Message
2. Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have" -and $_.Queue -notlike "*\Submission*"} | Remove-Message -WithNDR $False
OR
Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object {$_.Status -eq "Suspended" -and $_.Queue -notlike "*\Submission*"} | Remove-Message -WithNDR $False
- By default these commands process only 1000 messages at a time, so make sure the -ResultSize parameter is set to Unlimited, as in the commands above.
- If the customer has other transport rules they may need to be temporarily disabled.
- Remember that if your customers are running Exchange 2007 pre-SP3 they will not be able to remove messages from the Submission queue.
- Best bet is to pause transport and let the rule do its thing.
- Ensure that your customers set the transport rule priority to "0" if the customer has other rules (or disable the other rules temporarily).
<a/>
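As an added example (not from the original post), the queue-by-queue variant of step 2 can be scripted so that every queue on every transport server is processed, Submission queues are skipped, and a per-queue count is reported before anything is deleted; the Exchange Management Shell, the $Subject value and the $DryRun switch are assumptions of this example.

```powershell
# Added example: queue-by-queue cleanup of worm messages in the transport queues.
# Assumes the Exchange Management Shell is loaded and the account has the rights
# needed by Get-Message / Suspend-Message / Remove-Message.
$Subject = "Here you have"   # subject used by the worm (from the post)
$DryRun  = $true             # $true = report only; set to $false to actually remove

# Enumerate every queue on every transport server, skipping Submission queues
# (messages there cannot be removed on Exchange 2007 before SP3).
$queues = Get-TransportServer | Get-Queue |
          Where-Object { $_.Identity -notlike "*\Submission*" }

$report = @()
foreach ($q in $queues) {
    # Pull the whole queue; the default page size of 1000 would miss messages.
    $hits = @(Get-Message -Queue $q.Identity -ResultSize Unlimited |
              Where-Object { $_.Subject -eq $Subject })

    if ($hits.Count -gt 0 -and -not $DryRun) {
        # Suspend first so the queue stops retrying delivery while we remove,
        # then remove without an NDR so bounce traffic does not add more load.
        $hits | Suspend-Message -Confirm:$false
        $hits | Remove-Message -WithNDR $false -Confirm:$false
    }

    $report += New-Object PSObject -Property @{
        Queue   = $q.Identity
        Matched = $hits.Count
        Removed = if ($DryRun) { 0 } else { $hits.Count }
    }
}

# Queues with the most worm traffic first; useful for deciding which
# transport servers to pause while the transport rule does its work.
$report | Sort-Object Matched -Descending | Format-Table Queue, Matched, Removed -AutoSize
```

Run it once with $DryRun left at $true to confirm the counts look like worm traffic and not legitimate mail, then set it to $false.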
Exchange 2010
New-TransportRule -Name 'Here you have' -Comments '' -Priority '0' -Enabled $true -SubjectContainsWords 'here you have' -DeleteMessage $true
Exchange 2007
$action = Get-TransportRuleAction DeleteMessage
$condition = Get-TransportRulePredicate SubjectContains
$condition.Words = @("Here you have")
New-TransportRule -name "Here you have" -Conditions @($condition) -Actions @($action) -Priority 0
MAILBOX ROLE
Export-Mailbox command
You can limit this command to specific folders with the -IncludeFolders option, and if your customer is afraid of deleting legitimate mail you can use a date restriction to only export mail within a certain date range. The account you are using for this must have "Full Mailbox" access rights to complete the export commands.
Example below:
Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -IncludeFolders "\Inbox" -StartDate "09/08/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false
The following commands can come in handy as well:
Get-Mailbox -Database DataBase1 | Export-Mailbox -ContentKeywords "Virus message" -TargetMailbox Administrator@Contoso.com -TargetFolder 'MyData' -DeleteContent
Get-Mailbox | Export-Mailbox -ContentKeywords "https://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr" -DeleteContent -IncludeFolders "\Inbox"
Get-Mailbox -Database DB1 | Export-Mailbox -SubjectKeywords "Here you Have" -DeleteContent
OTHER TOOLS & UPDATES
=======================
PFDAV ADMIN
You can use PFDAVAdmin to run reports against mailboxes to determine who has a large number of items in their Outbox.
EXMON
Use ExMon to determine which user or workstation may be hammering the store and may need to be taken offline.
Disabling MAPI Client Access
You can use this article to block outlook clients from connecting to Exchange Server 2007:
288894 How to disable MAPI client access to a computer that is running Exchange Server
Remember that the store cache is held for 2 hours, and a restart of the Information Store or a dismount and remount of each database is required to work around this.
https://support.microsoft.com/default.aspx?scid=kb;EN-US;288894
EXMERGE
Remove messages with exmerge
https://www.msexchange.org/tutorials/MF013.ht
Wiki / Links / Blogs
This wiki is being maintained by Kurt Falde and members of the security group and incorporates some of the suggestions made in these announcements. Updated URL:
https://social.technet.microsoft.com/wiki/contents/articles/worm-win32-visal-b.aspx
Also see the following links:
https://blogs.technet.com/b/mmpc/archive/2010/09/09/emerging-malware-issue-visal-b.aspx
https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B
A huge thanks out to Tom Kern, Angelique Conde, Tak Chow, Brian Drepaul and all Exchange Escalation Team members for assisting in the compilation of this data and action plans!