Dupator.Swen.A.worm Help


From: Tim Young (berkeleytim_at_hotmail.com)
Date: 08/10/04


Date: Mon, 9 Aug 2004 18:58:58 -0700

Hi,
I am running Small Business Server 2003. I have Exchange
set up with the POP3 Connector to pull our e-mail off our
externally hosted e-mail site. We had not yet decided on
antivirus software, but were experimenting with the server
anyway. Unfortunately, one day the server wouldn't work
(i.e. we could only log into it in a Safe-mode account and
people could not connect to it from other client
machines). We discovered that one of the e-mail accounts
had nearly 8000 messages (all the same message) and
Exchange had popped them.

What seems to have happened is that an Exchange log file
on the OS partition of the machine had grown to be around
5GB and took every last byte on that partition, leaving
the machine practically unusable. The log file was located
in the following path:

C:\Program Files\Exchsrvr\PROXI-SERVER.log\20040803.log

Here is an example of what is repeated in the log file
millions of times. Note that each repetition contains a
random e-mail address (i.e. I don't recognize it) that was
in the header of the e-mail that overflowed our server.

2004-8-4 3:40:12 GMT 127.0.0.1
        myemaildomain.com - SERVERNAME
        127.0.0.1 randomemailaddress 1020
        008b01c476af$108bfaa0$0210a8c0@domain.local 0
        0 7574 74 2004-8-3 3:3:53 GMT 0
        Version: 6.0.3790.0 - -
        antivirus@mexis.com

We have taken steps to fix this problem. We created a
filter through our third-party e-mail host to keep any
more of these e-mails from getting to our accounts. We
backed up this log file onto another partition and deleted
it on the OS partition. We turned off our POP3 Connector
and took the server off the WAN (until we get antivirus
software). We thought our problems were over until the
next day when that day's log file had grown to be the same
size as the one we deleted.

We don't know how to proceed. Obviously we need to get AV
software, but we're not sure that will fix our already
infected machine. I've pasted the body of the e-mail (the
one we got 8000 copies of) below. It was from
antivirus@mexis.com and the Subject was "[MPP virus scan]
A message was discarded". I removed people's e-mail
addresses that were in the header part and inserted "...."
instead. If anyone knows anything about this, please let
me know what I can do. Thanks so much in advance.

Email body:

The mexis.com mail server detected a possible threat
(virus, spam or disallowed content) in a message addressed
to you; the specific event appears in the subject of this
message.

Virus(es) presented in a message and the message has been
discarded {Following is a summary of the virus(es)
detected:} [Virus Name]CVDL W32/Dupator.Swen.A.worm
[IsDisinfectable]No [Virus Location]Queue/16480575.msg

***** The message header follows: *****

X-Envelope-From: ....
X-Envelope-To: ....
Received: from [207.249.94.130] (HELO xdste)
  by mexis.com.mx (CommuniGate Pro SMTP 4.1.8)
  with SMTP id 16480575; Fri, 30 Jul 2004 18:12:24 -0500
FROM: "MS Inet Delivery System" <mailerrobot@microsoft.net>
TO: "net receiver" <receiver@emaildomain.net>
SUBJECT: Bug Notice
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="dlcngcxmjfjd"
Date: Fri, 30 Jul 2004 18:12:25 -0500
Message-ID: <auto-000016480575@mexis.com.mx>
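A quick way to spot a bounce flood like the one above is to count POP3 Connector log records per sender and Message-ID and flag anything that repeats far more than a real mailbox would. The script below is an added example, not code from the original post; it assumes the log is one record per line with whitespace-separated fields and the envelope sender as the last token (the layout of the quoted record), and it uses a constructed sample in place of the real 5GB file.

```python
import re
from collections import Counter

# Constructed sample in the layout of the POP3 Connector record quoted above.
# Assumption: one record per line, whitespace-separated, last token = sender.
# Five copies of the "antivirus@mexis.com" bounce with varying recipient
# addresses, plus one ordinary message from a different sender.
SAMPLE_LOG = "\n".join(
    [
        "2004-8-4 3:40:12 GMT 127.0.0.1 myemaildomain.com - SERVERNAME 127.0.0.1 "
        f"user{i}@example.invalid 1020 008b01c476af$108bfaa0$0210a8c0@domain.local 0 "
        "0 7574 74 2004-8-3 3:3:53 GMT 0 Version: 6.0.3790.0 - - antivirus@mexis.com"
        for i in range(5)
    ]
    + [
        "2004-8-4 3:41:02 GMT 127.0.0.1 myemaildomain.com - SERVERNAME 127.0.0.1 "
        "bob@example.invalid 1020 aaaa01c476af$deadbeef$0210a8c0@domain.local 0 "
        "0 512 12 2004-8-4 3:40:00 GMT 0 Version: 6.0.3790.0 - - alice@example.invalid"
    ]
)

# Loose e-mail address shape, enough to recognise the sender token.
EMAIL_RE = re.compile(r"[^\s<>]+@[^\s<>]+")


def parse_record(line):
    """Return (sender, message_id) for one record, or None if it does not fit."""
    tokens = line.split()
    if len(tokens) < 10:
        return None
    sender = tokens[-1]
    if not EMAIL_RE.fullmatch(sender):
        return None
    # Message-IDs in this log look like hex$hex$hex@domain; take the first
    # token that carries both '$' and '@' (assumed field shape).
    msgid = next((t for t in tokens if "$" in t and "@" in t), None)
    return sender, msgid


def flood_report(log_text, threshold=3):
    """Count records per (sender, message_id) and return those at/above threshold.

    A single Message-ID appearing hundreds of times from one sender is the
    signature of a bounce loop or mass-mailer flood rather than normal mail.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            counts[rec] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

Run it against each day's log before the partition fills; the flagged sender is what you block at the upstream host or drop with a connector-level rule.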

