Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 857
  • Last Modified:

Malware or Virus

Hello Experts, yesterday we had a user open an email on her computer that had no antivirus and she also opened an attachment (you know where this is going) since then i have been getting complaints from my users stating that there emails are bouncing back externally, now it seems to have gotten worse as i am currently unable to even connect to exchange could this malware have really done all of this and if so how should i fix it, i tried using trend micro to find the bug but trend micro seems to be freezing up as im scanning the server, i need to know some methods for me to resolve this issue.
0
wildasIwanabe
Asked:
wildasIwanabe
  • 3
  • 2
1 Solution
 
wildasIwanabeAuthor Commented:
Also no one is able to recieve emails anymore and when they send an email they get a bounce back saying that my external address 208.88.111.186 is blacklisted, i cleaned what i could and unlisted it ever since then it seemed to have gotten worse could of this have happend in one day?....what do you guys recommend
0
 
wildasIwanabeAuthor Commented:
i also have two headers from the emails that bounced back

Delivery has failed to these recipients or distribution lists:

cdasilva1@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam18.c0.bise6.blackberry.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

cdasilva1@bell.blackberry.net
antispam18.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;CdaSilva@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Tue, 4 Jun 2013 13:01:54 -0400
From: Tony Sugrim <TSugrim@genrep.com>
To: Carlos da Silva <CdaSilva@genrep.com>
Content-Class: urn:content-classes:message
Date: Tue, 4 Jun 2013 13:01:52 -0400
Subject: RE: Undeliverable emails
Thread-Topic: Undeliverable emails
Thread-Index: Ac5hRLCFHIHjxKu8RgGceiRKHPbo+wAAIGqA
Message-ID: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C76@GENREPMISS.headoffice.local>
References: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C75@GENREPMISS.headoffice.local>
In-Reply-To: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C75@GENREPMISS.headoffice.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_005_B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C76GENREPMISShea_";
      type="multipart/alternative"
MIME-Version: 1.0



--------------------------------------------------------------------------------------------------------------------------------------------

From: Microsoft Exchange
Sent: Wednesday, June 05, 2013 8:40 AM
To: Tamara Da Silva
Subject: Undeliverable: Sales Call Logs
Importance: High

Delivery has failed to these recipients or distribution lists:

thomasbrown@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam10.c0.bise6.blackberry.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

thomasbrown@bell.blackberry.net
antispam10.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;TBrown@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by
 GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Wed,
 5 Jun 2013 08:39:30 -0400
From: Tamara Da Silva <TDaSilva@genrep.com>
To: Andre Forcier <aforcier@genrep.com>, Kennth Olesen <KOlesen@genrep.com>,
      Thomas Brown <TBrown@genrep.com>, Denis Gougeon <dgougeon@genrep.com>
CC: Jay da Silva <jay@genrep.com>
Importance: high
X-Priority: 1
Date: Wed, 5 Jun 2013 08:39:28 -0400
Subject: Sales Call Logs
Thread-Topic: Sales Call Logs
Thread-Index: Ac5h6bgMRxXflmfhQqKov0Awg7XCag==
Message-ID: <B91DF9842A98E049A3AF0381D3036F2D7E278B184F@GENREPMISS.headoffice.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
      boundary="_000_B91DF9842A98E049A3AF0381D3036F2D7E278B184FGENREPMISShea_"
MIME-Version: 1.0
0
 
uescompCommented:
Yes if its a worm that managed to infect your file shares.  I would recommend jumping on that pc and running some good scans.

I usually run these in this order.

tdsskiller
roguekiller
adwcleaner
combofix
malwarebytes

You can find most of them at:  http://www.bleepingcomputer.com/download/windows/

Malwarebytes can be found here:  www.malwarebytes.org

Hopefully it did not infect any other system or worse one of the servers.  I would disconnect that system from the network.  What it is probably doing is flooding exchange with spam and thats why your blacklisted because you have a virus that is spamming.  This of course would hose up exchange for exchange is most likely sending and recieving bouncebacks at a very high volume so it is just very busy.
0
 
wildasIwanabeAuthor Commented:
uescomp thanks for your information how would i go by getting on to the exchange server and clearing the up any discrepencies? also everything worked and the users are able to recieve emails and send out again! thank you, now the users emails are forwarded to there blackberry and whenever anything is sent to their BB the user sending gets this error along with the header...

----------------------------------------------------------------------------------------------------------------------------------------------

Delivery has failed to these recipients or distribution lists:

dpoyntz@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam17.c0.bise6.blackberry.


Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

lsilva@bell.blackberry.net
antispam4.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;LSilva@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Thu, 6 Jun 2013 11:33:16 -0400
From: Tony Sugrim <TSugrim@genrep.com>
To: Larry Silva <LSilva@genrep.com>
Content-Class: urn:content-classes:message
Date: Thu, 6 Jun 2013 11:33:11 -0400
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5iyymU6GF8+PxZQF6TwA+z9sXBgA==
Message-ID: <6mdk3jrl0u4k8qwky8s8gjkr.1370532788716@email.android.com>
Reply-To: Tony Sugrim <TSugrim@genrep.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_004_6mdk3jrl0u4k8qwky8s8gjkr1370532788716emailandroidcom_";
      type="multipart/alternative"
MIME-Version: 1.0
0
 
uescompCommented:
Depends on which blacklists you are on.  If you were listed on spamhaus you definetly had a virus.  The emails will stop relaying because the virus has been handled so exchange should calm down.  If your comfortable that you removed the virus then start delisting yourself from the blacklists.  Once those clear up you should be ok.

I would also strongly advise your users to not open zipped attatchments sent from USPS, UPS, BBB.org, all that jazz.  If it is a problem then you should look for an external mail filter like mailmax or something.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now