Official Writeups at the following URLs:

Microsoft Forefront Products


If you are not an MSAV customer, contact your AV vendor and work with them to get samples and definitions!

Action Plan

Exchange Server 2007 / 2010
Depending on the volume of incoming mail, you may need to pause all transport servers so nothing new comes in.

1. Set a Transport Rule to delete any incoming messages

GUI - from the EMC
Organization Configuration > Hub Transport > Transport Rules
New Transport Rule
Fill out the rule Name and any necessary comments and leave Enable Rule checked
Conditions: When the Subject field contains specific words "Here You Have"
Actions: Silently drop the message
Click New to create the rule, then restart the Transport service
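The same rule can be created from the Exchange Management Shell, which is faster to repeat across several organizations than clicking through the EMC. This is an added example, not part of the original action plan; the rule name and comment text are assumptions, and the version check assumes the shell is run on an Exchange server (major version 14 = Exchange 2010, 8 = Exchange 2007).

```powershell
# Added example (not from the original action plan): create the "silently drop" rule
# from the shell. Rule name and comment are placeholders chosen for this example.
$ruleName = "Drop Here You Have worm mail"
$words    = @("Here you have")

$major = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion.Major

if ($major -ge 14) {
    # Exchange 2010: conditions and actions are parameters of New-TransportRule
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords $words `
        -DeleteMessage $true `
        -Enabled $true `
        -Comments "Incident response: silently drop worm mail"
}
else {
    # Exchange 2007: predicate and action objects are fetched first, then bound to the rule
    $condition       = Get-TransportRulePredicate SubjectContains
    $condition.Words = $words
    $action          = Get-TransportRuleAction DeleteMessage
    New-TransportRule -Name $ruleName -Conditions @($condition) -Actions @($action) -Enabled $true
}

# Confirm the rule is present and enabled before restarting transport, as the plan says
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } | Format-List Name, State, Priority
Restart-Service MSExchangeTransport
```

The subject match is case-insensitive on both versions, so "Here You Have" and "Here you have" are caught by the same rule. Keep the rule at a higher priority than any rule that could act on the message first (see the transport notes further down).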

2. Delete messages in the queues

Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Remove-Message -WithNDR $false
(The queued-message property is Subject, not MessageSubject; -ResultSize Unlimited lifts the default 1000-message limit, and -WithNDR $false stops an NDR being generated for every removed message.)
Mailbox Cleanup

1. Export and delete virus messages from mailboxes

Get-Mailbox -Server Server1 -ResultSize Unlimited | Export-Mailbox -SubjectKeywords "Here you have" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false
** remember to create the target mailbox "VirusMailbox" first **
** hide this target mailbox from the GAL **

2. Preventative Measure - Disable MAPI access

Run the following to remove MAPI access from all mailboxes in that store (the first line only lists the current CAS settings so you can verify before changing anything):
Get-MailboxDatabase <name> | Get-Mailbox -ResultSize Unlimited | Get-CASMailbox
Get-MailboxDatabase <name> | Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -MAPIEnabled $false
Then re-enable each user as their Outbox is cleaned out.
Exchange Server 2000/2003
1. Use ExMerge to remove the infected emails from mailboxes

2. Clearing queues

Manual: In E2K3 we can stop the SMTP service and then do a string search in the Queue folder for the subject words of the virus message, and delete it that way.



Some quick and dirty updates.
Export-Mailbox command
You can limit this command to specific folders with the -IncludeFolders option, and if your customer is afraid of deleting legitimate mail you can use a date restriction to only export mail within a certain date range. Example below (folder paths use a backslash; the date format follows the server locale, so check it before running):
Get-Mailbox -Server Server1 -ResultSize Unlimited | Export-Mailbox -SubjectKeywords "Here you have" -IncludeFolders "\Inbox" -StartDate "09/08/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false
There is a tool that can be used to run reports against mailboxes to determine who has a large number of items in their Outbox. For additional information on this contact Support.
ExMon can be used to determine which user or workstation may be hammering the message store and may need to be taken offline.
See the following for instructions on using ExMon to find the offending clients. This works with every supported version of Exchange currently available.
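For the Outbox report mentioned above, and for re-enabling MAPI user by user once the Outbox is clean (the preventative measure in the Exchange 2007/2010 section), the shell can do both without a separate tool. This is an added example, not part of the original plan or a Microsoft tool; the database name is a placeholder, and it assumes Get-MailboxFolderStatistics reports the Outbox with FolderType "Outbox".

```powershell
# Added example (not from the original action plan): report Outbox item counts for every
# mailbox on one database and re-enable MAPI only where the Outbox is empty.
$database = "<name>"   # placeholder: the mailbox database you disabled MAPI on

$report = Get-MailboxDatabase $database |
    Get-Mailbox -ResultSize Unlimited |
    ForEach-Object {
        $mbx    = $_
        # FolderType "Outbox" identifies the Outbox regardless of display language
        $outbox = Get-MailboxFolderStatistics -Identity $mbx.Identity |
                  Where-Object { $_.FolderType -eq "Outbox" }
        $cas    = Get-CASMailbox -Identity $mbx.Identity
        $mbx | Select-Object Alias,
            @{ n = "OutboxItems"; e = { [int]$outbox.ItemsInFolder } },
            @{ n = "MapiEnabled"; e = { $cas.MAPIEnabled } }
    }

# 1. Who still has mail stuck in the Outbox (worm output or a backlog), largest first
$report | Where-Object { $_.OutboxItems -gt 0 } |
    Sort-Object OutboxItems -Descending |
    Format-Table Alias, OutboxItems, MapiEnabled -AutoSize

# 2. Re-enable MAPI only for users whose Outbox is empty and who are still disabled
$report | Where-Object { $_.OutboxItems -eq 0 -and -not $_.MapiEnabled } |
    ForEach-Object {
        Write-Host ("Re-enabling MAPI for {0}" -f $_.Alias)
        Set-CASMailbox -Identity $_.Alias -MAPIEnabled $true
    }
```

Run step 1 on its own first to see the numbers; a user with hundreds of Outbox items is also a good candidate for the ExMon check above, since that workstation is the one still generating mail.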
Working with Transport - new information
One customer has almost 1.5 million messages, so you may need to purge on a queue-by-queue basis:
Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Suspend-Message
Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object { $_.Subject -eq "Here you have" } | Remove-Message -WithNDR $false
Get-Message only returns 1000 messages by default, so -ResultSize must be set to Unlimited; -WithNDR $false stops an NDR being generated for each removed message.
If there are other transport rules they may need to be temporarily disabled. Remember that Exchange 2007 PRE-SP3 cannot remove messages from the Submission queue. Best bet is to pause transport and let the rule do its thing.
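The queue-by-queue purge above, done for every queue on every Hub Transport server with a running count, as an added example that is not part of the original plan. It assumes the Submission queue identity ends in "\Submission" and skips it on Exchange 2007 servers below SP3 (build 8.3), per the note above; the subject string is the one the plan uses.

```powershell
# Added example (not from the original action plan): purge worm mail from every queue
# on every Hub Transport server, one queue at a time, with a running total.
$subject = "Here you have"
$total   = 0

foreach ($server in Get-TransportServer) {
    # Exchange 2007 below SP3 cannot remove from the Submission queue (see the note above);
    # AdminDisplayVersion Major 8 = Exchange 2007, Minor 3 = SP3
    $ver       = (Get-ExchangeServer -Identity $server.Name).AdminDisplayVersion
    $skipSubmission = ($ver.Major -eq 8 -and $ver.Minor -lt 3)

    foreach ($queue in Get-Queue -Server $server.Name) {
        if ($skipSubmission -and $queue.Identity.ToString() -like "*\Submission") {
            Write-Host ("Skipping {0}: pre-SP3 Exchange 2007, pause transport instead" -f $queue.Identity)
            continue
        }

        # -ResultSize Unlimited: the default 1000 would silently leave messages behind
        $hits = @(Get-Message -Queue $queue.Identity -ResultSize Unlimited |
                  Where-Object { $_.Subject -eq $subject })
        if ($hits.Count -eq 0) { continue }

        Write-Host ("{0}: {1} matching message(s)" -f $queue.Identity, $hits.Count)

        # Suspend first so transport stops retrying delivery while the removal runs
        $hits | Suspend-Message -Confirm:$false
        # -WithNDR $false: the worm forges senders, so NDRs would only be backscatter
        $hits | Remove-Message -WithNDR $false -Confirm:$false

        $total += $hits.Count
    }
}

Write-Host ("Removed {0} message(s) in total" -f $total)
```

Re-run it after the transport rule is in place; a second pass that removes nothing is the sign the queues are clean and transport can be resumed.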
Mitigations from an Outlook client perspective:
Warning: this WILL break applications that use Outlook to programmatically send/create messages!!!
Install the outlk12 template into a GPO applied to an OU containing the computers on which you need to mitigate this issue.
Configure the following setting: User Configuration > Administrative Templates > Classic Administrative Templates > Microsoft Office Outlook 2007 > Security
Select Programmatic Access Security and click Enabled; for Options select "Always warn me about suspicious activity". This forces Outlook to always prompt when a third-party application attempts to use Outlook programmatically.

Changes in the Outlook 2007 Security model that allow programmatic email sending when the Security Center reports AV status that is up to date / running