Cleaning up Exchange after a virus attack
Find out how to clean up your Microsoft Exchange Internet Mail Service after it has been infected with a virus.
Backing up the Exchange server
It is important that you have a good backup of your information store before making changes. You will want a way to restore your database if something goes wrong. You may already have an online backup routine in place; otherwise, you should perform an offline backup by shutting down the Microsoft Exchange Service and copying the priv.edb, pub.edb, and dir.edb files to another directory or drive. This process can take several hours if you have a multiple-gigabyte information store.
How messages are stored in the Internet Mail Connector
It is possible to have more than one IMCDATA directory on your computer, but only one is the working directory. The working directory location can be found in the Registry. Run Regedit (choose Start|Run and enter "Regedit") and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters. Many entries appear in the details pane, but the one you want is the RootDir value: it holds the location of the IMCDATA working directory. Now that you know where the working directory is, you need to understand the directory structure within the IMCDATA directory. Messages are stored in six locations in the Internet Mail Connector (IMC):
- \Exchsrvr\Imcdata\out
- \Exchsrvr\Imcdata\in
- \Exchsrvr\Imcdata\out\Archive (location for the outgoing message archive)
- MTS-OUT--An outgoing "Mailbox" folder inside the Information Store
- MTS-IN--An incoming "Mailbox" folder inside of the Information Store
Cleaning the IMC
The process to clean the IMCDATA subtree of infected messages is simply to find the messages that carry the infection and move them out of the IMCDATA folders. Once that process is complete, you will also have to clean the MTS-OUT and MTS-IN mailboxes. To do so, you will need some utilities that can be downloaded from http://support.microsoft.com/support/exchange/love_letter.htm. The ILOVEYOUHLPI.ZIP file, when expanded, contains several utilities. We will focus on the utilities located in the <expand directory>\imc directory. To start the cleaning process, perform the following steps:
- Ensure that the Microsoft Exchange Internet Mail Service is stopped.
- Copy the contents of the <expand directory>\imc directory to the exchsrvr\bin directory. This should include the following files: gwclean.exe, msvcrtd.dll, profInst.exe, and resetimc.cmd.
- Using Windows Explorer, move to the <Working Directory>\Exchsrvr\Imcdata directory and create a new directory that will be used to hold the infected files.
- Rename the file Queue.dat to Queue.sav.
- Right click on the IMCDATA folder and choose Find from the context menu.
- Make sure that the path in the Look In box points to <Working Directory>\Exchsrvr\Imcdata. You do not want to search the entire drive or drives on your Exchange Server.
- Click on the Advanced tab and type in the text of the virus you want to find (that is, Iloveyou, Life Stages, Funny Text, or another virus).
- Click on the Find Now tab to start the search.
- Move the files that are found to the directory you created earlier. It is important that you do not copy or delete these files.
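As an added example that is not part of the original article, the following PowerShell script automates the search-and-move step above for the three IMCDATA queue folders: it reads RootDir from the Registry, finds message files containing a given marker string, and moves (never copies or deletes) them into a quarantine folder, mirroring each file's source subfolder so same-named files from in and out do not collide. The parameter names and the default Infected folder name are assumptions; it also assumes RootDir points at the Imcdata directory itself and that the Internet Mail Service is already stopped and a backup exists, as the article requires.

```powershell
# Added example, not from the original article. Moves queued IMC message
# files that contain $Marker into a quarantine folder under Imcdata.
param(
    [Parameter(Mandatory)] [string] $Marker,   # text to look for, e.g. the virus subject line
    [string] $QuarantineName = 'Infected'      # assumed folder name, created under Imcdata
)

# RootDir is the IMCDATA working directory (assumption: the Imcdata folder itself).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters'
$rootDir = (Get-ItemProperty -Path $regPath -Name RootDir).RootDir
if (-not (Test-Path -LiteralPath $rootDir)) {
    throw "RootDir '$rootDir' from the Registry does not exist"
}

# Search only the queue folders named in the article, never the whole drive.
$queueSubdirs = @('in', 'out', 'out\Archive')
$quarantine   = Join-Path $rootDir $QuarantineName
$moved        = @()

foreach ($sub in $queueSubdirs) {
    $dir = Join-Path $rootDir $sub
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # Mirror the source subfolder inside the quarantine so names cannot collide.
    $destDir = Join-Path $quarantine $sub
    New-Item -ItemType Directory -Path $destDir -Force | Out-Null

    Get-ChildItem -LiteralPath $dir -File |
        Where-Object { $_.Name -notin @('Queue.dat', 'Queue.sav') } |   # queue index, not a message
        ForEach-Object {
            # -SimpleMatch treats the marker as literal text, not a regular expression.
            if (Select-String -LiteralPath $_.FullName -Pattern $Marker -SimpleMatch -Quiet) {
                $dest = Join-Path $destDir $_.Name
                Move-Item -LiteralPath $_.FullName -Destination $dest   # move, do not copy or delete
                $moved += $dest
            }
        }
}

Write-Output "Moved $($moved.Count) message file(s) to $quarantine"
$moved
```

Run it from an elevated PowerShell on the Exchange server, e.g. `.\Move-InfectedImcMessages.ps1 -Marker 'ILOVEYOU'`; the returned list is the set of quarantined file paths you can hand to your antivirus vendor or delete later.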
Now that the infected files are no longer in the IMCDATA subtree, you must focus on the MTS-OUT and MTS-IN folders mentioned above. These queues cannot be cleaned using the Find method. Follow these steps:
- Run resetimc.cmd.
- The utility will copy the contents of MTS-IN and MTS-OUT into mts-in.pst and mts-out.pst.