Official writeups at the following URLs:
- MSAV Encyclopedia writeup for this threat: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B
- MMPC blog article regarding the issue: http://blogs.technet.com/b/mmpc/archive/2010/09/09/emerging-malware-issue-visal-b.aspx
Microsoft Forefront Products
- FCS/FEP/MSE (anything that uses the MSAV engine/signatures): signatures that address this threat are in signature build 1.89.1389.0 and higher; clients that have not yet received that signature set are still waiting on it.
- If you are using any of the Forefront Exchange security products, you can set up filtering rules to block messages based on content or subject line: http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-vb-wf-email-virus-defending-with-forefront-security-forefront-protection-antigen.aspx
- FOPE blocks this threat.
- FOPE protects BPOS-S customers from receiving these messages.
If you are not an MSAV customer, contact your AV vendor and work with them to get samples and definitions!
Action Plan
Exchange Server 2007 / 2010
Transport
Depending on the volume of incoming mail, you may need to pause all transport servers so nothing new comes in.
1. Set a Transport Rule to Delete any incoming messages
GUI - from the EMC
Organization Configuration > Hub Transport > Transport Rules
New Transport Rule
Fill out the rule Name and any necessary comments and leave Enable Rule checked
Next
Conditions: When the Subject field contains specific words "Here You Have"
Actions: silently drop the message
Click New to create the rule, then restart the Transport service.
2. Delete messages in the queues
# Get-Message exposes the subject as Subject and returns only 1000 messages by default; Remove-Message prompts per message unless -Confirm:$false is given
Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Remove-Message -Confirm:$false
Mailbox Cleanup
1. Export and delete virus messages from mailboxes
Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false
** Remember to create the target mailbox "VirusMailbox" first **
** Hide this target mailbox from the GAL **
2. Preventative Measure - Disable MAPI access
Run the following to remove MAPI access from all mailboxes in that store (the first line only lists the current state, the second makes the change; -ResultSize Unlimited is needed because Get-Mailbox returns 1000 mailboxes by default):
Get-MailboxDatabase <name> | Get-Mailbox -ResultSize Unlimited | Get-CASMailbox
Get-MailboxDatabase <name> | Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -MAPIEnabled $false
Then re-enable MAPI for each user (Set-CASMailbox -MAPIEnabled $true) as their Outbox is cleaned out.
Exchange Server 2000/2003
1. Use ExMerge to remove the infected emails from mailboxes
2. Clearing queues
Manual: on Exchange 2003, stop the SMTP service, then do a string search in the Queue folder for the subject words of the virus message and delete the matching files that way.
Some quick and dirty updates.
Export-Mailbox command
You can limit this command to specific folders with the -IncludeFolders option, and if your customer is afraid of deleting legitimate mail you can also use a date restriction to only export mail within a certain date range. Example below:
Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -IncludeFolders "/Inbox" -StartDate "09/08/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false
Tools
There is a tool that can be used to run reports against mailboxes to determine who has a large number of items in their Outbox. For additional information on this, contact Support.
ExMon can be used to determine which user or workstation may be hammering the message store and may need to be taken offline.
See the following for instructions on using ExMon to find the offending clients: http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html (this works with every supported version of Exchange currently available).
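The following is an added example, not part of the original action plan, that ties together the Mailbox Cleanup steps (create and hide the quarantine mailbox, disable MAPI), the Export-Mailbox date-range update, and the Outbox report mentioned above. It assumes the Exchange Management Shell on Exchange 2007/2010 with Export-Mailbox available; the server, database and file path are placeholders, and Get-MailboxFolderStatistics stands in for the unnamed Outbox reporting tool.

```powershell
# Added example (not from the original action plan): reversible mailbox-side
# cleanup for the "Here you have" messages. Assumes the Exchange Management
# Shell on Exchange 2007/2010; server, database and file path are placeholders.
$Subject    = "Here you have"
$Server     = "Server1"              # placeholder mailbox server
$Database   = "Server1\MailboxDB"    # placeholder store to lock out
$Quarantine = "VirusMailbox"         # target mailbox; must exist beforehand
$StateFile  = "C:\Temp\mapi-disabled.csv"

# 1. The quarantine mailbox has to exist, and should be hidden from the GAL so
#    nobody browses to it and mails it by accident.
if (-not (Get-Mailbox -Identity $Quarantine -ErrorAction SilentlyContinue)) {
    throw "Create the $Quarantine mailbox first, then rerun."
}
Set-Mailbox -Identity $Quarantine -HiddenFromAddressListsEnabled $true

# 2. Who is actually sending? Report mailboxes with an unusually full Outbox.
#    (Get-Mailbox returns only 1000 objects unless told otherwise.)
Get-Mailbox -Server $Server -ResultSize Unlimited |
    Get-MailboxFolderStatistics -FolderScope Outbox |
    Where-Object { $_.ItemsInFolder -gt 50 } |
    Select-Object Identity, ItemsInFolder | Format-Table -AutoSize

# 3. Cut MAPI access for the store, but record exactly which mailboxes were
#    changed so that only those get switched back on later.
$wasEnabled = Get-Mailbox -Database $Database -ResultSize Unlimited |
    Get-CASMailbox | Where-Object { $_.MAPIEnabled }
$wasEnabled | Select-Object DistinguishedName |
    Export-Csv -Path $StateFile -NoTypeInformation
$wasEnabled | Set-CASMailbox -MAPIEnabled $false

# 4. Quarantine and delete the virus mail. Restricting to the Inbox and to the
#    outbreak window keeps legitimate mail with a similar subject untouched.
#    Export-Mailbox folder paths are written with a leading backslash.
Get-Mailbox -Server $Server -ResultSize Unlimited |
    Export-Mailbox -SubjectKeywords $Subject -IncludeFolders "\Inbox" `
        -StartDate "09/08/2010" -EndDate "09/09/2010" `
        -DeleteContent -TargetMailbox $Quarantine -TargetFolder "VirusMsgs" `
        -Confirm:$false

# 5. Restore MAPI from the recorded list once the Outboxes are verified clean.
function Restore-MapiAccess {
    Import-Csv -Path $StateFile | ForEach-Object {
        Set-CASMailbox -Identity $_.DistinguishedName -MAPIEnabled $true
    }
}
# Call Restore-MapiAccess later, per batch of cleaned users or all at once.
```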
Working with Transport – new information
One customer has almost 1.5 million messages queued, so you may need to purge on a queue-by-queue basis:
Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Suspend-Message
Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Remove-Message
Get-Message only returns 1000 messages by default, which is why -ResultSize Unlimited is specified above.
If there are other transport rules, they may need to be temporarily disabled. Remember that on Exchange 2007 pre-SP3 these commands will not be able to remove messages from the Submission queue; the best bet there is to pause transport and let the transport rule do its thing.
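As an added example (not from the original action plan), a per-queue purge that combines step 2 of the Transport section with the queue-by-queue commands above: it does a dry run first, uses -ResultSize Unlimited, suspends before removing, and suppresses NDRs. It assumes the Exchange Management Shell on an Exchange 2007/2010 Hub Transport server; the server name is a placeholder.

```powershell
# Added example (not from the original action plan): purge "Here you have"
# messages queue by queue. Assumes the Exchange Management Shell on an
# Exchange 2007/2010 Hub Transport server; the server name is a placeholder.
$Subject = "Here you have"
$Server  = "HUB01"                # placeholder transport server
$DryRun  = $true                  # set to $false to actually remove

# Only look at queues that hold something. Get-Message returns 1000 results
# by default, so -ResultSize Unlimited is required with millions queued.
$queues = Get-Queue -Server $Server | Where-Object { $_.MessageCount -gt 0 }

foreach ($q in $queues) {
    $hits = Get-Message -Queue $q.Identity -ResultSize Unlimited |
        Where-Object { $_.Subject -eq $Subject }
    $count = @($hits).Count
    Write-Host ("{0}: {1} of {2} messages match" -f $q.Identity, $count, $q.MessageCount)
    if ($count -eq 0 -or $DryRun) { continue }

    # Suspend first so transport cannot deliver them while we are removing.
    $hits | Suspend-Message -Confirm:$false
    # Remove without generating NDRs; the default (-WithNDR $true) would create
    # a second storm of bounces aimed at the (spoofed) sender addresses.
    $hits | Remove-Message -WithNDR $false -Confirm:$false
}

# Messages the worm sent from internal mailboxes sit in the Submission queue;
# on Exchange 2007 pre-SP3 they cannot be removed from there, so pause the
# transport service and let the transport rule drop them instead.
```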
Mitigations from an Outlook client perspective:
Warning: this WILL break applications that utilize Outlook to programmatically send/create messages!!!
Download the Office .adm templates found here
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7
Install the outlk12 template into a GPO applied to an OU containing the computers on which you need to mitigate this issue.
Configure the following setting User Configuration > Administrative Templates > Classic Administrative Templates > Microsoft Office Outlook 2007 > Security
Select Programmatic Access Security and click Enabled; for Options, select "Always warn me about suspicious activity". This will force Outlook to always prompt when a 3rd-party application is attempting to programmatically utilize Outlook.
See also: Changes in the Outlook 2007 Security model that allow programmatic email sending