Cleaning the Microsoft Exchange Message Transfer Agent - Page 2
Using Findbin.exe to clean the MTA
Working in hexadecimal
In order to change the text you desire into hexadecimal format, you can use the Ascii2hex.exe utility that you downloaded. For instance, the hexadecimal equivalent for "ILOVEYOU" is 494C4F5645594F, which is the default value in the Mtaclean.bat file. When you run the Ascii2hex utility against the text "Life Stages", you get the value 4c69666520537461676573. Simply replace the default value in the batch file with that value. It is important to note that the hexadecimal value changes when you use uppercase versus lowercase letters or when you add spaces.
Once you have extracted the files, follow these steps:
- Copy the files in the \MTA directory to the \Exchsrvr\mtadata directory.
- Modify the Mtaclean.bat file to search for the text you need. The batch file, as is, will stop the Microsoft Exchange MTA service and move all dat files that contain the text you specify to the \\Exchsrvr\mtadata\ILOVEYOU directory. It will then run the Mtacheck utility twice, outputting the data to two log files named Love1.log and Love2.log. You can also change the logs that receive the Mtacheck utility output.
- Run Mtaclean.bat from a command prompt.
- Once the utility has finished, do not start the Microsoft Exchange MTA service until you are sure that the virus threat is over. You can repeat this process as many times as needed. Once the threat of a virus is gone, you can delete the \\Exchsrvr\mtadata\ILOVEYOU directory.
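The steps above (convert the search text to hex, then move every .dat file containing that byte pattern into a quarantine directory) written out as a small Python script. This is an added example, not the article's Mtaclean.bat or the Findbin/Ascii2hex utilities; the .dat file names and their contents are constructed, and the directories are created under a temporary path instead of \Exchsrvr\mtadata.

```python
import shutil
import tempfile
from pathlib import Path


def ascii_to_hex(text: str) -> str:
    """Same conversion Ascii2hex.exe performs: each byte becomes two hex digits.
    The *text* is case- and space-sensitive ("ILOVEYOU" != "iloveyou"), while
    the case of the hex digits themselves does not matter to the byte search."""
    return text.encode("ascii").hex()


def quarantine_matching(mtadata: Path, needle_hex: str, quarantine: Path) -> list:
    """Move every .dat file in mtadata whose raw bytes contain the pattern into
    quarantine (the batch file's ILOVEYOU directory) and return the moved names.
    Stop the MTA service before calling this, exactly as Mtaclean.bat does."""
    pattern = bytes.fromhex(needle_hex)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    for entry in sorted(mtadata.iterdir()):
        # Windows file names are case-insensitive, so treat .dat and .DAT alike.
        if entry.is_file() and entry.suffix.lower() == ".dat":
            if pattern in entry.read_bytes():
                shutil.move(str(entry), str(quarantine / entry.name))
                moved.append(entry.name)
    return moved


def demo() -> list:
    """Constructed sample: three fake MTA .dat files, one carrying the subject."""
    root = Path(tempfile.mkdtemp())
    mtadata, quarantine = root / "mtadata", root / "mtadata" / "ILOVEYOU"
    mtadata.mkdir()
    (mtadata / "db000001.dat").write_bytes(b"\x00\x01Subject: ILOVEYOU\x00")
    # Different case: not matched, which is why the hex must be built from the exact text.
    (mtadata / "db000002.dat").write_bytes(b"\x00\x01Subject: iloveyou\x00")
    (mtadata / "db000003.dat").write_bytes(b"\x00\x01Subject: Meeting notes\x00")
    return quarantine_matching(mtadata, ascii_to_hex("ILOVEYOU"), quarantine)


if __name__ == "__main__":
    print(demo())  # ['db000001.dat']
```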
Conclusion
Both methods presented in the article will allow you to clean your MTA of infected files. The Advanced Search method does not require any special downloads or batch file modifications. If you understand and write batch files frequently, you may prefer the Findbin method, because you can modify Mtaclean.bat to remove multiple strings of text at once. Doing so can save you time because you can start your batch file once it's correctly modified and let it run unattended until it finishes. After the virus threat has passed and your system is online, you can delete the files that are in the temporary directory created in Step 3. Do not delete this directory until you are sure that your system is up and running. It is possible that you may have to restore some of those files in the event that your system will not start.
Troy Thompson, MCSE+Internet, is a freelance consultant in the Louisville, Kentucky area.