Cleaning the Microsoft Exchange Message Transfer Agent

When a virus gets loose on your Microsoft Exchange server, it's imperative to make a clean sweep of the Message Transfer Agent (MTA) and remove the virus from the system.

By Troy Thompson | Posted Oct 4, 2000

In this article, we'll look at a procedure to clean the Message Transfer Agent (MTA) of viruses after your Microsoft Exchange server is attacked. We'll specifically look at two ways that you can remove the files that contain virus information from your MTA: Windows Explorer Advanced Search and Findbin.exe.

Advanced search method

The process for cleaning the MTA of infected messages is simply to find the messages that carry the infection and move them out of the Mtadata folders. This is probably the easier of the two methods. Follow these steps to clean the MTA using Advanced search:
  1. Stop the Exchange MTA Service, which also stops the Microsoft Exchange Internet Mail Service.
  2. Find the Mtadata directory on your Exchange server. If there is more than one Mtadata directory, it is important that you know which is the Working Directory. To verify the MTA database path, you can check the Registry. Open the Registry editor (Start|Run|Regedit) and navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMTA\Parameters key. View the MTA Database Path Registry value and note the path.
  3. Go to the Exchsrvr\Mtadata directory as noted in the Registry. Create a new directory within the Mtadata directory called Infected; this directory will be used to hold the infected files. In this process, it is very important that no files are deleted. The MTA must have a core database in order to function properly. If any of these files get deleted, the MTA may not be able to start.
  4. I also recommend that you back up the entire contents of the Mtadata directory to the new directory called Mtahold. Doing so may seem a little too cautious, but it will save you many hours of trouble in case there is an accidental deletion of the core MTA files.
  5. Right-click on the Mtadata folder and choose Find from the drop-down menu.
  6. Make sure that the path in the Look In box is pointed to \Exchsrvr\Mtadata. You don't want to search the entire drive or drives on your Exchange server.
  7. Click on the Advanced tab and type in the text of the virus you want to find (Iloveyou, Life Stages, Funny Text, etc.).
  8. Click Find Now to start the search (see Figure 1).
  9. After the search is finished, move the virus-laden files to the newly created Infected directory. It is important that you do not copy or delete these files. Once these steps have been completed, the MTA should be clean of viruses. Because some viruses can change the subject of their messages, you may have to repeat these steps several times in order to find all the infected messages.
  10. Run the Mtacheck utility with the /v option twice and make sure there are no reported errors.
  11. Before you restart your Microsoft Exchange Message Transfer Agent Service, you need to make sure that you have a solution in place that will catch the incoming virus. Starting the service will allow messages to flow, which can cause another infection if the threat is still there.
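The search-and-move core of steps 3, 4 and 9 (back up to Mtahold, then move, never copy or delete, any file containing the virus text into an Infected subdirectory) as an added Python example; this is not the article's procedure nor an Exchange tool, and it assumes the MTA Database Path from the registry key in step 2 has already been read and is passed in as `mtadata`. The marker list and the sample queue files are constructed; stopping the MTA service and running Mtacheck /v are not covered.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed list of subject strings from the worms the article names.
VIRUS_MARKERS = ("iloveyou", "life stages", "funny text")


def backup_mtadata(mtadata: Path, hold_name: str = "Mtahold") -> Path:
    """Step 4: copy the whole working directory to a sibling Mtahold directory.
    Nothing is removed from the source."""
    hold = mtadata.parent / hold_name
    shutil.copytree(mtadata, hold, dirs_exist_ok=True)
    return hold


def contains_marker(path: Path, markers=VIRUS_MARKERS) -> bool:
    """True if any marker occurs in the file. MTA queue files are binary, so the
    case-insensitive comparison is done on lowercased bytes, not decoded text."""
    data = path.read_bytes().lower()
    return any(m.lower().encode() in data for m in markers)


def quarantine_infected(mtadata: Path, markers=VIRUS_MARKERS) -> list:
    """Steps 3 and 9: move every matching file under Mtadata into Mtadata\\Infected.
    Files are moved, never copied or deleted, so the core MTA database stays
    complete. Returns the relative paths that were moved, in sorted order."""
    infected = mtadata / "Infected"
    infected.mkdir(exist_ok=True)
    moved = []
    for path in sorted(mtadata.rglob("*")):
        if not path.is_file() or infected in path.parents:
            continue  # skip directories and anything already quarantined
        if contains_marker(path, markers):
            dest = infected / path.relative_to(mtadata)  # keep subfolder layout
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
            moved.append(str(path.relative_to(mtadata)))
    return moved


def demo() -> dict:
    """Constructed sample: a throw-away Mtadata tree with two infected queue files
    and one clean one. The file counts prove nothing was deleted along the way."""
    root = Path(tempfile.mkdtemp()) / "Exchsrvr" / "Mtadata"
    root.mkdir(parents=True)
    (root / "db000001.dat").write_bytes(b"\x00\x01Subject: ILOVEYOU\x00")
    (root / "db000002.dat").write_bytes(b"\x00\x01Subject: weekly report\x00")
    (root / "db000003.dat").write_bytes(b"\x00\x01Subject: Fw: Life Stages\x00")
    before = sum(1 for p in root.rglob("*") if p.is_file())
    hold = backup_mtadata(root)
    moved = quarantine_infected(root)
    after = sum(1 for p in root.rglob("*") if p.is_file())  # includes Infected\
    backed_up = sum(1 for p in hold.rglob("*") if p.is_file())
    return {"moved": moved, "before": before, "after": after, "backup": backed_up}
```

Because a worm may rewrite its subject line, run `quarantine_infected` again with an extended marker list until it returns an empty list, mirroring the repeat advice in step 9.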

Figure 1: Searching for virus text
