12.5 Removing Infected Email

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 12. Email Attacks

This part of the chapter will tell you how to delete infected email from your email client, followed by a section discussing how to handle large outbreaks in Exchange environments.

Disable Internet and network access

Disable Internet and network access to prevent the further spread of malicious code to or from the infected machine. Often the easiest way is to physically unplug the PC's Internet and network connection. In Windows 9x, the PC can be brought up into Safe mode as an alternative.

Disable preview mode, if enabled

If your email client has a preview mode or pane feature, disable it to prevent accidentally opening and executing malicious code. In Outlook 2000, choose View, and deselect the Preview Pane. You may have to do this for each folder present.

Delete all infected emails

Delete all infected emails from the Inbox, Sent folder, Deleted folder, and any other folders. Infected emails most often share a common subject line. Remember to remove the items from the Deleted folder as well so they are permanently deleted.

Delete the infected signature, if applicable

Kak was the only widespread worm to infect email signatures. If you suspect you have an infected email signature, delete it and create a new one. In Outlook Express 5.0, choose Tools → Options → Signatures → Remove.

Exit the email client

Shut down the email client.

Run an antivirus scanning program

Run an antivirus program to see if it finds anything, and allow it to clean up if it does.

Clean up your PC

Most email viruses and worms make modifications to the PC and install malicious files. Using the steps shared in Chapter 6, make sure to clean up any malicious modifications, including those that might be found in the registry, AUTOEXEC.BAT, WIN.INI, SYSTEM.INI, or the Startup group.

The steps shown here are fine if it is one or a few PCs infected, but sometimes the entire company is infected. If so, try to use an antivirus scanner or other automated tools to remove all infections at once.

12.5.1 Information for Microsoft Exchange Server Administrators

With Outlook as the most popular Windows email client, it is no surprise that Microsoft Exchange Server is the most popular email server in a Windows environment, and the target of a lot of virus attacks. Here are the steps to take if there is a large outbreak of an email worm/virus/Trojan in an Exchange environment:

  1. Disable Internet and network connection(s) on Exchange server to prevent further spread.

  2. Pause/Disable all Exchange Services, including the Internet Mail Service.

  3. Spread the word to your user base that a widespread email virus is spreading and tell them to close Outlook. If you suspect the worm/virus/Trojan is causing damage to your network or PCs, have users turn off their PCs until they are cleaned.

  4. Try to isolate one email virus message and make an identification.

  5. Research and learn as much as you can about the malicious bug.

  6. Turn on the Exchange Information Store service only just before, and only for as long as, the next step needs it. To keep users from logging on during the cleaning process, consider temporarily removing the appropriate trust relationships or security permissions.

  7. Use Microsoft's EXMERGE utility (described later in this section) to delete all infected messages at once. Remember, users with .PST files (wide area network and laptop users) may need to be cleaned separately.

  8. Clean up network and PC damage from attack. Common problems are Trojan files, overwritten files, malicious registry entries, etc. You can use a batch file executed through a central network login script or sent through email to clean the user's PCs. Update and run antivirus scanners as needed.

  9. After all is clean, turn on all Exchange services. Notify users that they can begin using their PCs and Outlook. Tell them what to look for so they don't accidentally reinfect their system.

  10. Keep EXMERGE handy as 95 percent of installations are reinfected within a day.

  11. Decide and implement steps to prevent the next attack.

Additional information about responding to an attack can be found in Incident Response by Kenneth R. van Wyk and Richard Forno (O'Reilly & Associates, Inc.).

12.5.1.1 ExMerge

The Exchange Server Mailbox Merge utility (EXMERGE) is an excellent utility for deleting massive amounts of infected email all at once from public and private information stores. You can download EXMERGE from Microsoft's web site or locate it under Exchange Server Tools on the TechNet CD-ROM kit. The Exchange Information Stores must be running, and you must be logged into the Exchange server using the Exchange Service Account login name. The Administrator account will not work unless it is also the Exchange Service account.

EXMERGE was not made just to delete infected emails, and it requires a fair amount of directing to accomplish what we need. EXMERGE's original intent was to allow Exchange administrators to copy, move, or merge data from one Exchange database to another, or to fix corrupted databases. A side effect is that it will allow us to move (archive) messages from a current server into a single personal folder file, which has the same effect as deleting them. Tell EXMERGE to archive only the messages that are infected, and it will remove all infected messages. Then you can delete the massive .PST file it creates (you will need gigabytes of free space to run EXMERGE on most servers). EXMERGE will delete infected emails in all the mailboxes (Inbox, Deleted folder, Outbox, etc.) at once. To use EXMERGE, do the following:

  1. Log on to the Exchange server using the Exchange Service account.

  2. Create a folder called Exmerge on the server and unzip the Exmerge files (EXMERGE.EXE, EXMERGE.INI, and MFC42.DLL) there.

  3. Run EXMERGE.EXE.

  4. Choose Two step merge.

  5. Click Step 1: Copy Data to Personal Folders.

  6. Type in the Exchange server's computer name. Click Options.

  7. Click on the Data tab and choose the appropriate content that you want to delete (for example, User Messages).

  8. Click the Import Procedure tab → Archive data to target store. This is one of the most important steps, as it moves the infected messages to the PST file and deletes the originals.

  9. Choose the Message Details tab. Enter some unique identifying information that will select only infected messages. Common identifiers are message subject text or attached filenames. Choose Add → Apply → OK.

  10. On the Dates tab, enter a specific range of dates. Typically I choose just one day if the attack has just occurred.

  11. Click on All Mailboxes. Click Next. Exmerge will run. It typically takes 5 minutes to 1 hour per hundred users.

  12. When Exmerge is finished, check a previously infected Outlook client to make sure all infected emails are gone. Delete Exmerge-created PST files only after you are sure you did not delete any uninfected emails accidentally.

  13. Start Exchange's Message Transfer Agent and the Internet Mail Service. Delete all queued infected messages using Exchange Administrator.

As an alternative, Microsoft suggests using their FINDBIN, PROFINST, and GWCLEN utilities to delete infected copies of the message in the Internet Mail Service and Message Transfer queues. Refer to Microsoft's Product Support Services for additional help as the related steps are numerous and involved.

  14. Clean up remaining malicious mobile code (MMC) damage that may re-infect the server or network.

  15. Restart all Exchange services, enable Internet and network connections, and monitor for re-infection.
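As an added illustration (not from the book and not Microsoft's code), the following Python script mirrors the selection EXMERGE is asked to perform in steps 9 and 10, and the "common subject line" rule from the client cleanup earlier in the section: pick messages by subject text or attachment filename, restrict them to a date range, and set the matches aside rather than destroy them so that step 12's check for accidentally removed mail is still possible. The mailbox, the subject line, and the attachment name are constructed placeholders, and the way the criteria combine (any subject or attachment hit, AND inside the date range) is an assumption about EXMERGE's behaviour.

```python
from datetime import date
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample mailbox (raw RFC 822 text); the subject line and the
# attachment name are placeholders, not taken from any real worm.
SAMPLE_MAILBOX = [
    # Worm message: bait subject plus a script attachment, sent on the attack day
    "Subject: Important Message\nDate: Thu, 04 May 2000 09:15:00 +0000\n"
    "Content-Type: multipart/mixed; boundary=b\n\n--b\n\nsee attached\n--b\n"
    "Content-Disposition: attachment; filename=WORM-SAMPLE.vbs\n\nx\n--b--\n",
    # Variant with a different subject but the same attachment name
    "Subject: FYI\nDate: Thu, 04 May 2000 10:02:00 +0000\n"
    "Content-Type: multipart/mixed; boundary=b\n\n--b\n\nlook\n--b\n"
    "Content-Disposition: attachment; filename=WORM-SAMPLE.vbs\n\nx\n--b--\n",
    # Legitimate mail with the same subject, sent a week earlier (outside the range)
    "Subject: Important Message\nDate: Thu, 27 Apr 2000 08:00:00 +0000\n\nmeeting moved\n",
    # Legitimate mail with an ordinary attachment on the attack day
    "Subject: Budget figures\nDate: Thu, 04 May 2000 12:30:00 +0000\n"
    "Content-Type: multipart/mixed; boundary=b\n\n--b\n\nnumbers attached\n--b\n"
    "Content-Disposition: attachment; filename=budget.xls\n\nx\n--b--\n",
]

def attachment_names(msg):
    """Filenames of every attachment part in the message."""
    return {p.get_filename() for p in msg.walk() if p.get_filename()}

def is_suspect(msg, subjects, attachments, first_day, last_day):
    """Assumed EXMERGE semantics: any subject text or attachment name hit
    (Message Details tab) AND a send date inside the range (Dates tab)."""
    sent = parsedate_to_datetime(msg["Date"]).date()
    in_range = first_day <= sent <= last_day
    subject = (msg["Subject"] or "").lower()  # case-insensitive substring test
    return in_range and (any(s.lower() in subject for s in subjects)
                         or bool(attachment_names(msg) & set(attachments)))

def triage(raw_messages, **criteria):
    """Split a mailbox into (quarantined, kept); nothing is destroyed here."""
    quarantined, kept = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        (quarantined if is_suspect(msg, **criteria) else kept).append(msg)
    return quarantined, kept

def demo():
    """One-day range, as the text suggests right after an attack."""
    quarantined, kept = triage(SAMPLE_MAILBOX, subjects=["Important Message"],
                               attachments=["WORM-SAMPLE.vbs"],
                               first_day=date(2000, 5, 4), last_day=date(2000, 5, 4))
    return [m["Subject"] for m in quarantined], [m["Subject"] for m in kept]
```

The older legitimate message with the same subject survives only because of the date range, which is why the text recommends keeping that range as narrow as the attack allows.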


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001