Cleaning up Exchange after a virus attack

By Troy Thompson | Sep 22, 2000
http://www.enterprisenetworkingplanet.com/netsecur/article.php/624161/Cleaning-up-Exchange-after-a-virus-attack.htm

Once you realize that your system is being attacked by an e-mail virus, there are several steps that you should take to prevent the virus from spreading and to clean up infected files. The first thing that you should do is to stop the flow of e-mail to and from the Internet. In this article, we'll discuss how to clean your Exchange Server's Internet Mail Service after it has been infected with a virus.

Backing up the Exchange server

It is important that you have a good backup of your information store before making changes, so that you have a way to restore the database if something goes wrong. You may already have an online backup routine in place; otherwise, perform an offline backup by shutting down the Microsoft Exchange services and copying the priv.edb, pub.edb, and dir.edb files to another directory or drive. This process can take several hours if you have a multiple-gigabyte information store.

How messages are stored in the Internet Mail Connector

It is possible to have more than one IMCDATA directory on your computer, but only one is the working directory. The working directory location can be found in the Registry. Run Regedit (choose Start|Run and enter "Regedit") and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters. Many entries will appear in the details pane, but the one you want is the RootDir value. This is the location of the IMCDATA working directory.

Now that you know the location of the working directory, you need to understand the directory structure within the IMCDATA directory. Messages are stored in six locations in the Internet Mail Connector (IMC):

  • \Exchsrvr\Imcdata\out
  • \Exchsrvr\Imcdata\in
  • \Exchsrvr\Imcdata\out\Archive (Location for outgoing message archive)
  • MTS-OUT: an outgoing "Mailbox" folder inside the Information Store
  • MTS-IN: an incoming "Mailbox" folder inside the Information Store

Cleaning the IMC

The process to clean the IMCDATA subtree of infected messages is simply to find the messages that carry the infection and move them out of the IMCDATA folders. Once that process is complete, you will also have to clean the MTS-OUT and MTS-IN mailboxes. To do so, you will need some utilities that can be downloaded from http://support.microsoft.com/support/exchange/love_letter.htm. The ILOVEYOUHLPI.ZIP file, when expanded, contains several utilities. We will focus on the utilities located in the <expand directory>\imc directory.

To start the cleaning process, perform the following steps:

  1. Ensure that the Microsoft Exchange Internet Mail Service is stopped.
  2. Copy the contents of the <expand directory>\imc directory to the exchsrvr\bin directory. This should include the following files: gwclean.exe, msvcrtd.dll, profInst.exe, and resetimc.cmd.
  3. Using Windows Explorer, move to the <Working Directory>\Exchsrvr\Imcdata directory and create a new directory that will be used to hold the infected files.
  4. Rename the file Queue.dat to Queue.sav.
  5. Right-click on the IMCDATA folder and choose Find from the context menu.
  6. Make sure that the path in the Look In box points to <Working Directory>\Exchsrvr\Imcdata. You do not want to search the entire drive or drives on your Exchange Server.
  7. Click on the Advanced tab and type in the text of the virus you want to find (for example, the subject text used by Iloveyou, Life Stages, Funny Text, or another virus).
  8. Click Find Now to start the search.
  9. Move the files that are found to the directory you created earlier. It is important that you do not copy or delete these files.

After you complete these steps, the IMCDATA subtree should be cleared of infected files. Keep in mind that you may have to repeat these steps several times, with different search text, because some viruses change the subject of their messages.
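The search-and-move part of the procedure above (steps 3, 6, 7 and 9, repeated for each known subject) as an added Python example; this is not code from the article or from Microsoft's cleanup utilities. It reads the RootDir value from the MSExchangeIMC Parameters key named earlier when run on Windows and returns None elsewhere (an assumption, so the script can be exercised off the server), then walks the in, out and out\Archive directories, compares each message's Subject header against the virus subjects the article lists, and moves (never copies or deletes) matches into a quarantine directory. Unlike Windows Find, which matches anywhere in the file, this matches only the Subject header, so a clean message that merely mentions a virus name in its body is left alone. The sample messages, file names and function names are constructed for the demonstration.

```python
"""Quarantine IMCDATA messages whose Subject matches known virus subjects.

Added example, not the article's or Microsoft's code. Assumes message
files in the IMCDATA queues are plain RFC 822 text with a header block.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile
from pathlib import Path

# Subject strings the article names (matched case-insensitively).
VIRUS_SUBJECTS = ["iloveyou", "life stages", "funny text"]

# The IMCDATA subdirectories the article says hold message files.
IMC_MESSAGE_DIRS = ("in", "out", os.path.join("out", "Archive"))

# Matches a "Subject:" header line inside the header block.
SUBJECT_RE = re.compile(rb"^subject:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)


def imc_root_from_registry() -> str | None:
    """Return the RootDir value of the IMC Parameters key, or None when the
    winreg module or the key is unavailable (non-Windows host, no IMC)."""
    try:
        import winreg  # type: ignore
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "RootDir")
            return str(value)
    except OSError:
        return None


def message_subject(data: bytes) -> str:
    """Return the Subject header of a message, or "" if it has none.
    Only the header block (before the first blank line) is examined."""
    header_block = data.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    m = SUBJECT_RE.search(header_block)
    return m.group(1).strip().decode("latin-1") if m else ""


def is_infected(data: bytes, subjects=VIRUS_SUBJECTS) -> bool:
    """True when any known virus subject appears in the Subject header."""
    subj = message_subject(data).lower()
    return any(s.lower() in subj for s in subjects)


def quarantine_imc(imcdata, quarantine_dir, subjects=VIRUS_SUBJECTS) -> list[str]:
    """Move every matching message under the IMC message directories into
    quarantine_dir (step 9: move, never copy or delete). Returns the new
    paths. Each moved file is prefixed with the queue it came from."""
    imcdata = Path(imcdata)
    quarantine = Path(quarantine_dir)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved: list[str] = []
    for sub in IMC_MESSAGE_DIRS:
        queue_dir = imcdata / sub
        if not queue_dir.is_dir():
            continue
        for f in queue_dir.iterdir():
            if not f.is_file():
                continue
            try:
                data = f.read_bytes()
            except OSError:
                continue  # unreadable file: leave it for manual review
            if is_infected(data, subjects):
                dest = quarantine / f"{sub.replace(os.sep, '_')}_{f.name}"
                shutil.move(str(f), str(dest))
                moved.append(str(dest))
    return moved


# Constructed sample queue contents for the demonstration (not real data).
SAMPLE_MESSAGES = {
    ("in", "00000001.txt"): b"From: a@example.com\r\nSubject: ILOVEYOU\r\n\r\nbody\r\n",
    ("in", "clean.txt"): b"From: b@example.com\r\nSubject: Meeting notes\r\n\r\niloveyou in a body is not a match\r\n",
    ("out", "00000002.txt"): b"From: c@example.com\nSubject: Fw: Life Stages\n\nbody\n",
    ("out", "noheader.txt"): b"No subject header at all\n\nbody\n",
    (os.path.join("out", "Archive"), "00000003.txt"): b"Subject: Funny Text\n\nbody\n",
}


def build_sample_imcdata(root) -> None:
    """Write the constructed sample messages into an IMCDATA-like tree."""
    for (sub, name), data in SAMPLE_MESSAGES.items():
        (Path(root) / sub).mkdir(parents=True, exist_ok=True)
        (Path(root) / sub / name).write_bytes(data)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, quarantine it, and report what
    moved and what remains in each queue directory."""
    root = Path(tempfile.mkdtemp()) / "imcdata"
    build_sample_imcdata(root)
    moved = quarantine_imc(root, root / "Quarantine")
    remaining = {sub: sorted(p.name for p in (root / sub).iterdir() if p.is_file())
                 for sub in IMC_MESSAGE_DIRS}
    return {"moved": sorted(Path(p).name for p in moved), "remaining": remaining}


if __name__ == "__main__":
    print("RootDir from registry:", imc_root_from_registry())
    print(run_demo())
```

On a real server you would pass the RootDir value joined with Exchsrvr\Imcdata as `imcdata` and the directory created in step 3 as `quarantine_dir`, and rerun with an extended `subjects` list each time a new subject line turns up, as the article advises.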

Now that the infected files are no longer in the IMCDATA subtree, you must focus on the MTS-OUT and MTS-IN mailboxes mentioned above. These queues cannot be cleaned using the Find method. Follow these steps:

  1. Run resetimc.cmd.
  2. The utility will copy the contents of MTS-IN and MTS-OUT into mts-in.pst and mts-out.pst.

Once you have finished these steps, your IMC should be cleared of infected messages. Before you restart the Microsoft Exchange Internet Mail Service, you need to make sure that you have a solution in place that will catch the incoming virus. This could include installing anti-virus software or updating signature files.

If you restart the service before you have a way to automatically detect and remove the virus, you are opening your system up to the same attack and will have to perform the procedure again.

After the virus threat has passed and your system is online, you can delete the files that are in the temporary directory created in Step 3. Do not delete this directory until you are sure that your system is up and running. It is possible that you may have to restore some of those files in the event that your system will not start.

Troy Thompson, MCSE+Internet, is a freelance consultant in the Louisville, Ky., area.