Unable to kill virus - suspect Netsky variant
Posted on 2004-04-19
Win2k3 domain (4 servers)
Have recently installed GFI mailsweeper software as suspicious of mails etc. and it has shown returned messages to a user we do not have called "SALES37314939" (see below). This user has sent 2730+ messages in the past 6 days (since we switched the GFI on):
"To: /O=W T LAMB/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=SALES37314939
Subject: IMCEAEX-_O=W+20T+20LAMB_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=SALES37314939@lambsbricks.com - Email has different SMTP TO: and MIME TO: fields in the email addresses - Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:"
We cannot find any reference to this user in our AD or our Exchange or on any server registry. I cannot find it in adsiedit (although there is no search facility so I may have missed it).
We have taken every PC and server off the network and booted them in safe mode, then run McAfee / CA and Norton Netsky "fixers", which have yielded 6 occurrences on the mail server and nothing else.
My own belief is that there is a rogue SMTP service (which is how Netsky is supposed to run) somewhere on my network; this is kind of borne out by the fact that no mails were sent over the weekend.
Any ideas for tracking this down would be appreciated.