When a virus gets loose in your Microsoft Exchanger server, its imperative to make a clean sweep of the Message Transfer Agent (MTA) and remove the virus from the system.
In this article, we'll look at a procedure to clean the Message Transfer Agent (MTA) of viruses after your Microsoft Exchange server is attacked. We'll specifically look at two ways that you can remove the files that contain virus information from your MTA: Windows Explorer Advanced Search and Findbin.exe.
Advanced search method
|"I also recommend that you back up the entire contents of the Mtadata directory to the new directory called Mtahold.
The process to clean the MTA of infected messages is to simply find the messages that have the infection and move them out of the MTADATA folders. This is probably the easier of the two methods. Follow these steps to clean the MTA using Advanced search:
- Stop the Exchange MTA Service, which also stops the Microsoft Exchange Internet Mail Service.
- Find the Mtadata directory on your Exchange server. If there is more than one Mtadata directory, it is important that you know which is the Working Directory. To verify the MTA database path, you can check the Registry. Open the Registry editor (Start|Run|Regedit) and navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeMTA\Parameters key. View the MTA Database Path Registry value and note the path.
- Go to the Exchsrvr\Mtadata directory as noted in the Registry. Create a new directory within the Mtadata directory called Infected; this directory will be used to hold the infected files. In this process, it is very important that no files are deleted. The MTA must have a core database in order to function properly. If any of these files get deleted, the MTA may not be able to start.
- I also recommend that you back up the entire contents of the Mtadata directory to the new directory called Mtahold. Doing so may seem a little too cautious, but it will save you many hours of trouble in case there is an accidental deletion of the core MTA files.
- Right-click on the Mtadata folder and choose Find from the drop-down menu.
- Make sure that the path in the Look In box is pointed to \Exchsrvr\Mtadata. You don't want to search the entire drive or drives on your Exchange server.
- Click on the Advanced tab and type in the text of the virus you want to find. (Iloveyou, Life Stages, Funny Text, etc.).
- Click Find Now to start the search (see Figure 1).
- After the search is finished, move the virus-laden files to the newly created Infected directory. It is important that you do not copy or delete these files. Once these steps have been completed, the MTA should be clean of viruses. Because some viruses can change the subject of their messages, you may have to repeat these steps several times in order to find all the infected messages.
- Run the Mtacheck utility with the /v option twice and make sure there are no reported errors.
- Before you restart your Microsoft Exchange Message Transfer Agent Service, you need to make sure that you have a solution in place that will catch the incoming virus. Starting the service will allow messages to flow, which can cause another infection if the threat is still there.
|Searching for virus text|
Using Findbin.exe to clean the MTA
|Working in hexadecimal
In order to change the text you desire into hexadecimal format, you can use the Ascii2hex.exe utility that you downloaded. For instance, the hexadecimal equivalent for "ILOVEYOU" is 494C4F5645594F, which is the default value in the Mtaclean.bat file. When you run the Ascii2hex utility against the text "Life Stages", you get the value 4c69666520537461676573. Simply replace that value with the default value in the batch file. It is important to note that hexadecimal values are different when using uppercase versus lowercase or when you add spaces.
The Findbin method does primarily the same thing that the Advanced Search does, but it looks through all MTA dat files for the hexadecimal equivalent of the text. In order to use this utility, you need to download the ILOVEYOUHLPI.ZIP file from http://support.microsoft.com/support/exchange/love_letter.htm
. When extracted, it contains files and utilities that will help you clean your Exchange Server of viruses once it has become infected. We will focus on the files located in the MTA extract directory.
Once you have extracted the files, follow these steps:
- Copy the files in the \MTA directory to the \Exchsrvr\mtadata directory.
- Modify the Mtaclean.bat file to search for the text you need. The batch file, as is, will stop the Microsoft Exchange MTA service and move all dat files that contain the text you specify to the \\Exchsrvr\mtadata\ILOVEYOU directory. It will then run the Mtacheck utility twice, outputting the data to two log files named Love1.log and Love2.log. You can also change the logs that receive the Mtacheck utility output.
- Run Mtaclean.bat from a command prompt.
- Once the utility has finished, do not start the Microsoft Exchange MTA service until you are sure that the virus threat is over. You can repeat this process as many times as needed. Once the threat of a virus is gone, you can delete the \\Exchsrvr\mtadata\ILOVEYOU directory.
Both methods presented in the article will allow you to clean your MTA of infected files. The Advanced Search method does not require any special downloads or batch file modifications. If you understand and write batch files frequently, you may prefer the Findbin method, because you can modify Mtaclean.bat to remove multiple strings of text at once. Doing so can save you time because you can start your batch file once it's correctly modified, and let it run unattended until it finishes.
After the virus threat has passed and your system is online, you can delete the files that are in the temporary directory created in Step 3. Do not delete this directory until you are sure that your system is up and running. It is possible that you may have to restore some of those files in the event that your system will not start. //
Troy Thompson, MCSE+Internet, is a freelance consultant in the Louisville, Kentucky area.