Solved

Malware or Virus

Posted on 2013-06-05
5
827 Views
Last Modified: 2013-06-06
Hello Experts, yesterday we had a user open an email on her computer that had no antivirus and she also opened an attachment (you know where this is going) since then i have been getting complaints from my users stating that there emails are bouncing back externally, now it seems to have gotten worse as i am currently unable to even connect to exchange could this malware have really done all of this and if so how should i fix it, i tried using trend micro to find the bug but trend micro seems to be freezing up as im scanning the server, i need to know some methods for me to resolve this issue.
0
Comment
Question by:wildasIwanabe
  • 3
  • 2
5 Comments
 

Author Comment

by:wildasIwanabe
Comment Utility
Also no one is able to recieve emails anymore and when they send an email they get a bounce back saying that my external address 208.88.111.186 is blacklisted, i cleaned what i could and unlisted it ever since then it seemed to have gotten worse could of this have happend in one day?....what do you guys recommend
0
 

Author Comment

by:wildasIwanabe
Comment Utility
i also have two headers from the emails that bounced back

Delivery has failed to these recipients or distribution lists:

cdasilva1@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam18.c0.bise6.blackberry.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

cdasilva1@bell.blackberry.net
antispam18.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;CdaSilva@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Tue, 4 Jun 2013 13:01:54 -0400
From: Tony Sugrim <TSugrim@genrep.com>
To: Carlos da Silva <CdaSilva@genrep.com>
Content-Class: urn:content-classes:message
Date: Tue, 4 Jun 2013 13:01:52 -0400
Subject: RE: Undeliverable emails
Thread-Topic: Undeliverable emails
Thread-Index: Ac5hRLCFHIHjxKu8RgGceiRKHPbo+wAAIGqA
Message-ID: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C76@GENREPMISS.headoffice.local>
References: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C75@GENREPMISS.headoffice.local>
In-Reply-To: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C75@GENREPMISS.headoffice.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_005_B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C76GENREPMISShea_";
      type="multipart/alternative"
MIME-Version: 1.0



--------------------------------------------------------------------------------------------------------------------------------------------

From: Microsoft Exchange
Sent: Wednesday, June 05, 2013 8:40 AM
To: Tamara Da Silva
Subject: Undeliverable: Sales Call Logs
Importance: High

Delivery has failed to these recipients or distribution lists:

thomasbrown@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam10.c0.bise6.blackberry.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

thomasbrown@bell.blackberry.net
antispam10.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;TBrown@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by
 GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Wed,
 5 Jun 2013 08:39:30 -0400
From: Tamara Da Silva <TDaSilva@genrep.com>
To: Andre Forcier <aforcier@genrep.com>, Kennth Olesen <KOlesen@genrep.com>,
      Thomas Brown <TBrown@genrep.com>, Denis Gougeon <dgougeon@genrep.com>
CC: Jay da Silva <jay@genrep.com>
Importance: high
X-Priority: 1
Date: Wed, 5 Jun 2013 08:39:28 -0400
Subject: Sales Call Logs
Thread-Topic: Sales Call Logs
Thread-Index: Ac5h6bgMRxXflmfhQqKov0Awg7XCag==
Message-ID: <B91DF9842A98E049A3AF0381D3036F2D7E278B184F@GENREPMISS.headoffice.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
      boundary="_000_B91DF9842A98E049A3AF0381D3036F2D7E278B184FGENREPMISShea_"
MIME-Version: 1.0
0
 
LVL 16

Accepted Solution

by:
uescomp earned 500 total points
Comment Utility
Yes if its a worm that managed to infect your file shares.  I would recommend jumping on that pc and running some good scans.

I usually run these in this order.

tdsskiller
roguekiller
adwcleaner
combofix
malwarebytes

You can find most of them at:  http://www.bleepingcomputer.com/download/windows/

Malwarebytes can be found here:  www.malwarebytes.org

Hopefully it did not infect any other system or worse one of the servers.  I would disconnect that system from the network.  What it is probably doing is flooding exchange with spam and thats why your blacklisted because you have a virus that is spamming.  This of course would hose up exchange for exchange is most likely sending and recieving bouncebacks at a very high volume so it is just very busy.
0
 

Author Closing Comment

by:wildasIwanabe
Comment Utility
uescomp thanks for your information how would i go by getting on to the exchange server and clearing the up any discrepencies? also everything worked and the users are able to recieve emails and send out again! thank you, now the users emails are forwarded to there blackberry and whenever anything is sent to their BB the user sending gets this error along with the header...

----------------------------------------------------------------------------------------------------------------------------------------------

Delivery has failed to these recipients or distribution lists:

dpoyntz@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam17.c0.bise6.blackberry.


Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

lsilva@bell.blackberry.net
antispam4.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;LSilva@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Thu, 6 Jun 2013 11:33:16 -0400
From: Tony Sugrim <TSugrim@genrep.com>
To: Larry Silva <LSilva@genrep.com>
Content-Class: urn:content-classes:message
Date: Thu, 6 Jun 2013 11:33:11 -0400
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5iyymU6GF8+PxZQF6TwA+z9sXBgA==
Message-ID: <6mdk3jrl0u4k8qwky8s8gjkr.1370532788716@email.android.com>
Reply-To: Tony Sugrim <TSugrim@genrep.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_004_6mdk3jrl0u4k8qwky8s8gjkr1370532788716emailandroidcom_";
      type="multipart/alternative"
MIME-Version: 1.0
0
 
LVL 16

Expert Comment

by:uescomp
Comment Utility
Depends on which blacklists you are on.  If you were listed on spamhaus you definetly had a virus.  The emails will stop relaying because the virus has been handled so exchange should calm down.  If your comfortable that you removed the virus then start delisting yourself from the blacklists.  Once those clear up you should be ok.

I would also strongly advise your users to not open zipped attatchments sent from USPS, UPS, BBB.org, all that jazz.  If it is a problem then you should look for an external mail filter like mailmax or something.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now