Re: Dupator.Swen.A.worm Help
From: Trevor Home (_at_)
Date: 08/10/04
- Next message: Bernie Hunt: "Loosen Security on Console"
- Previous message: clevere: "Updating SBS client service packs"
- In reply to: Tim Young: "Dupator.Swen.A.worm Help"
- Next in thread: mrceolla: "Re: Dupator.Swen.A.worm Help"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 9 Aug 2004 22:57:18 -0500
Why not try one of the free online virus scans? I've run Trend's HouseCall
on SBS in the past without issue and Panda's as well.
-Trevor
"Tim Young" <berkeleytim@hotmail.com> wrote in message
news:328001c47e7d$99c47f60$a601280a@phx.gbl...
> Hi,
> I am running Small Business Server 2003. I have Exchange
> set up with the POP3 Connector to pull our e-mail off our
> externally hosted e-mail site. We had not yet decided on
> antivirus software, but were experimenting with the server
> anyways. Unfortunately, one day the server wouldn't work
> (i.e., we could only log into it in a Safe-mode account and
> people could not connect to it from other client
> machines). We discovered that one of the e-mail accounts
> had nearly 8000 messages (all the same message) and
> Exchange had popped them.
>
> What seems to have happened is that an Exchange log file
> on the OS partition of the machine had grown to be around
> 5GB and took every last byte on that partition, leaving
> the machine practically unusable. The log file was located
> in the following path:
>
> C:\Program Files\Exchsrvr\PROXI-SERVER.log\20040803.log
>
> Here is an example of what is repeated in the log file
> millions of times. Note that each repetition contains a
> random e-mail address (i.e., I don't recognize it) that was
> in the header of the e-mail that overflowed our server.
>
> 2004-8-4 3:40:12 GMT 127.0.0.1
> myemaildomain.com - SERVERNAME
> 127.0.0.1 randomemailaddress 1020
> 008b01c476af$108bfaa0$0210a8c0@domain.local 0
> 0 7574 74 2004-8-3 3:3:53 GMT 0
> Version: 6.0.3790.0 - -
> antivirus@mexis.com
>
>
> We have taken steps to fix this problem. We created a
> filter through our third-party e-mail host to keep any
> more of these e-mails from getting to our accounts. We
> backed up this log file onto another partition and deleted
> it on the OS partition. We turned off our POP3 Connector
> and took the server off the WAN (until we get antivirus
> software). We thought our problems were over until the
> next day when that day's log file had grown to be the same
> size as the one we deleted.
>
> We don't know how to proceed. Obviously we need to get AV
> software, but we're not sure that will fix our already
> infected machine. I've pasted the body of the e-mail (the
> one we got 8000 copies of) below. It was from
> antivirus@mexis.com and the Subject was "[MPP virus scan]
> A message was discarded". I removed people's e-mail
> addresses that were in the header part and inserted "...."
> instead. If anyone knows anything about this, please let
> me know what I can do. Thanks so much in advance.
>
> Email body:
>
> The mexis.com mail server detected a possible threat
> (virus, spam or disallowed content) in a message
> addressed to you; the specific event appears in the
> title of this message.
>
>
> Virus(es) presented in a message and the message has been
> discarded {Following is a summary of the virus(es)
> detected:} [Virus Name]CVDL W32/Dupator.Swen.A.worm
> [IsDisinfectable]No [Virus Location]Queue/16480575.msg
>
>
> ***** The message header follows: *****
>
> X-Envelope-From: ....
> X-Envelope-To: ....
> Received: from [207.249.94.130] (HELO xdste)
> by mexis.com.mx (CommuniGate Pro SMTP 4.1.8)
> with SMTP id 16480575; Fri, 30 Jul 2004 18:12:24 -0500
> FROM: "MS Inet Delivery System" <mailerrobot@microsoft.net>
> TO: "net receiver" <receiver@emaildomain.net>
> SUBJECT: Bug Notice
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="dlcngcxmjfjd"
> Date: Fri, 30 Jul 2004 18:12:25 -0500
> Message-ID: <auto-000016480575@mexis.com.mx>
>