Worm:Win32/Visal.B

Official Writeups at the following URLs:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B MSAV Encyclopedia writeup for this threat.
http://blogs.technet.com/b/mmpc/archive/2010/09/09/emerging-malware-issue-visal-b.aspx MMPC blog article regarding the issue.

Microsoft Forefront Products

FCS/FEP/MSE anything that uses the MSAV engine/signatures is currently waiting for new signature set should have signatures that address this in build 1.89.1389.0 and higher.
If you are using any of the Forefront Exchange security products you can set up filtering rules to block messages based on content or subject line. http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-vb-wf-email-virus-defending-with-forefront-security-forefront-protection-antigen.aspx
FOPE blocks this threat
FOPE protects BPOS-S customers from receiving these.

If you are not a MSAV customer contact your AV vendor and work with them to get samples and definitions!

Action Plan

Exchange Server 2007 / 2010

Transport

Depending on the volume of incoming mail you may need to Pause all transport servers so nothing new is coming in

1. Set a Transport Rule to Delete any incoming messages

GUI - from the EMC

Organization Configuration > Hub Transport > Transport Rules

New Transport Rule

Fill out the rule Name and any necessary comments and leave Enable Rule checked

Conditions: When the Subject field contains specific words "Here You Have"

Actions: silently drop the message

click New to create the rule and restart the Transport service

2. Delete messages in the queues

Get-TransportServer | Get-Queue | get-message | where{$_.MessageSubject -eq "Here you have"} | remove-message

Mailbox Cleanup

1. Export and delete virus messages from mailboxes

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

** remember to create the target mailbox "VirusMailbox" first **

** hide this target mailbox from the GAL**

2. Preventative Measure - Disable MAPI access

Run syntax to remove MAPI access from all mailboxes in that store:

get-mailboxdatabase <name> | get-mailbox | Get-casmailbox

get-mailboxdatabase <name> | get-mailbox | set-casmailbox -mapienabled $FALSE

Then enable each user as their outbox is cleaned out

Exchange Server 2000/2003

1. Use ExMerge to remove the infected emails from mailboxes

2. Clearing queues

Manual: In E2K3 we can stop the SMTP Service and the do string search in Queue folder for the subject words of virus message, and we can delete it that way.

Some quick and dirty updates.

Export-Mailbox command

You can limit this command by specific folders with the –IncludeFolders option and also if your customer is afraid of deleting legitimate mail you can make use of date restriction to only export mail within a certain date range. Example below

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" –IncludeFolders “/Inbox” –StartDate “09/08/2010” –EndDate “09/09/2010” -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

Tools

There is a tool that can be used to run reports against mailboxes to determine who has a large number of items in their Outbox. For additional information on this contact Support.

ExMon can be used to determine what user or workstation may be hammering the message store and may need to be taken offline

See the following for instructions on using Exmon to find the offending clients http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html This works with every supported version of Exchange currently available.

Working with Transport – new information

One customer has almost 1.5 million messages so you may need to purge on a queue by queue basis

Get-message -queue "server\queue" | where{$_.Subject -eq "Here you have"} | suspend-message

Get-message -queue "server\queue" | where{$_.Subject -eq "Here you have"} | remove-message

This command only processes 1000 messages at a time so you need to change the “ –ResultSize “ to Unlimited.

If there are other transport rules they may need to be temporarily disabled. Remember if you are running exchange 2007 PRE-SP3 they will not be able to remove messages from the submission Queue. Best bet is to pause transport and let the rule do its thing.

Mitigations from an Outlook client perspective:

Warning this WILL break applications that utilize outlook to programmatically send/create messages!!!

Download the Office .adm templates found here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7

Install the outlk12 template into a GPO applied to an OU where computers are located that you need mitigate this issue on.

Configure the following setting User Configuration > Administrative Templates > Classic Administrative Templates > Microsoft Office Outlook 2007 > Security

Select Programmatic Access Security and click Enabled, for Options select "Always warn me about suspicious activity" This will force outlook to always prompt when a 3rd party application is attempting to programmatically utilize Outlook.

Changes in the Outlook 2007 Security model that allow programmatic email sending when the Security Center reports AV status that is up to date / running http://msdn.microsoft.com/en-us/library/bb226709(office.12).aspx

Worm:Win32/Visal.B

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?