Jaa


Emerging Malware Issue: Visal.B “Here You Have”, Prevent and Remove

 

Yesterday we had the “Here You Are” worm land in our laps and many of my customers are seeing the issue in their Exchange environments. Here at the Exchange Support center we are seeing many calls and trying to mitigate some of those we have come up with some actions to assist you in removing and cleaning up your environments.

Lets start of by addressing your AV updates:

Microsoft Antivirus (MSAV)

Updates have been released and are available via Windows Update

Name: Worm:Win32/Visal.B

build 1.89.1390.0

Symantec

https://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have

Name: TrojanHorse / W32.Imsolk.B@mm

Virus Definition: v 20100909.023 or later will protect Symantec customers

Removal:

Symantec Mail Security for Exchange allows you to use Content Filtering Rules to scan and delete emails by subject

McAfee

https://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

https://vil.nai.com/vil/content/v_275435.htm

Name: W32/VBMania@MM

Virus Definition: DAT 6101 (09/10/2010) / Minimum Engine 5.3.00

Removal:

Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

An Extra.DAT is available to detect and repair this threat.

Stinger has been updated to help detect and repair this threat.

 

Now for Exchange 2007/2010 Environments that have been infected you can use the following methods to assist in removal and cleanup:

TRANSPORT ROLE

Depending on the volume of incoming virus mail you may need to Pause all transport servers so nothing new is coming in.

1. Set a Transport Rule to Delete any incoming messages

GUI - from the Exchange Management Console
Organization Configuration > Hub Transport > Transport Rules
New Transport Rule
Fill out the rule Name and any necessary comments and leave Enable Rule checked

Next

Conditions: When the Subject field contains specific words "Here You Have"
Actions: silently drop the message
click New to create the rule and restart the Transport service

2. Delete messages in the queues using PS cmdlets

Get-TransportServer | Get-Queue | get-message -resultsize unlimited| where{$_.Subject -eq "Here you have" -and $_.Queue -notlike “*\Submission*"} | suspend-message

Get-TransportServer | Get-Queue | get-message -resultsize unlimited | where{$_.Subject -eq "Here you have" -and $_.Queue -notlike “*\Submission*"} |remove-message -WithNDR $False

If you run into "too many results" error, you should delete queue by queue. 

1.            Get-message -queue "server\queue" -resultsize unlimited | where{$_.Subject -eq "Here you have" -and $_.Queue -notlike “*\Submission*"} | suspend-message

2.            Get-message -queue "server\queue" -resultsize unlimited  | where{$_.Subject -eq "Here you have" -and $_.Queue -notlike “*\Submission*"} | remove-message -WithNDR $False

OR

Get-TransportServer | Get-Queue | Get-Message -resultsize unlimited | where{$_.status –eq “suspended” -and $_.Queue -notlike “*\Submission*"} | remove-message -WithNDR $False

- These commands only processes 1000 messages at a time so you need to change the “ –ResultSize “ parameter to Unlimited.

- If the customer has other transport rules they may need to be temporarily disabled. 

- Remember if your customers are running exchange 2007 PRE-SP3 they will not be able to remove messages from the submission Queue.  

- Best bet is to pause transport and let the rule do its thing.

- Ensure that your customers set the turf rule priority to “0” if the customer has other rules (or disable the other rules temporally).

3. Delete messages in transent using Transport Rules

Exchange 2010

New-TransportRule -Name 'Here you have' -Comments '' -Priority '0' -Enabled $true -SubjectContainsWords 'here you have' -DeleteMessage $true

Exchange 2007

$action = Get-TransportRuleAction DeleteMessage

$condition = Get-TransportRulePredicate SubjectContains

$condition.Words = @("Here you have")

New-TransportRule -name "Here you have" -Conditions @($condition) -Actions @($action) -Priority 0

 

MAILBOX ROLE

Export-Mailbox command

You can limit this command by specific folders with the –IncludeFolders option and also if your customer is afraid of deleting legitimate mail you can make use of date restriction to only export mail within a certain date range. The account you are using for this must have “Full Mailbox” access rights to complete the export commands. 

Example below:

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" –IncludeFolders “/Inbox” –StartDate “09/08/2010” –EndDate “09/09/2010” -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

Following two cmdlets can come handy , as well:

Get-Mailbox -Database DataBase1 | Export-Mailbox -ContentKeywords "Virus message" -TargetMailbox Administrator@Contoso.com -TargetFolder 'MyData' –DeleteContent

get-mailbox | export-mailbox –ContentKeywords “ https://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr “ –DeleteContent –Includefolders “\Inbox”

Get-Mailbox -Database DB1 | Export-Mailbox -SubjectKeywords "Here you Have" –DeleteContent

 

OTHER TOOLS & UPDATES

=======================

PFDAV ADMIN

You can use PFDAVAdmin to run reports against mailboxes to determine who has a large number of items in their Outbox:

https://www.microsoft.com/downloads/details.aspx?FamilyID=635be792-d8ad-49e3-ada4-e2422c0ab424&displayLang=en

EXMON

Use ExMon to determine what user or workstation may be hammering store and may need to be taken offline:

https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9a49c22e-e0c7-4b7c-acef-729d48af7bc9

Disabling MAPI Client Access

You can use this article to block outlook clients from connecting to Exchange Server 2007:

288894  How to disable MAPI client access to a computer that is running Exchange Server

Remember that store cache is held for 2 hour and a restart of the Information Store or a dismount and remount of each database is required to workaround this.

https://support.microsoft.com/default.aspx?scid=kb;EN-US;288894

EXMERGE

Remove messages with exmerge

https://www.msexchange.org/tutorials/MF013.ht

 

Wiki / Links / Blogs

This wiki is being maintained by Kurt Falde and members of the security group and incorporate some of the suggestions made in these announcements.  Updated url:
https://social.technet.microsoft.com/wiki/contents/articles/worm-win32-visal-b.aspx

Also see the following links:

https://blogs.technet.com/b/mmpc/archive/2010/09/09/emerging-malware-issue-visal-b.aspx

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B

 

A huge thanks out to Tom Kern, Angelique Conde, Tak Chow, Brian Drepaul and all Exchange Escalation Team members for assisting in the compilation of this data and action plans!