Solved

Malware or Virus

Posted on 2013-06-05
5
833 Views
Last Modified: 2013-06-06
Hello Experts, yesterday we had a user open an email on her computer that had no antivirus and she also opened an attachment (you know where this is going) since then i have been getting complaints from my users stating that there emails are bouncing back externally, now it seems to have gotten worse as i am currently unable to even connect to exchange could this malware have really done all of this and if so how should i fix it, i tried using trend micro to find the bug but trend micro seems to be freezing up as im scanning the server, i need to know some methods for me to resolve this issue.
0
Comment
Question by:wildasIwanabe
  • 3
  • 2
5 Comments
 

Author Comment

by:wildasIwanabe
ID: 39223632
Also no one is able to recieve emails anymore and when they send an email they get a bounce back saying that my external address 208.88.111.186 is blacklisted, i cleaned what i could and unlisted it ever since then it seemed to have gotten worse could of this have happend in one day?....what do you guys recommend
0
 

Author Comment

by:wildasIwanabe
ID: 39223678
i also have two headers from the emails that bounced back

Delivery has failed to these recipients or distribution lists:

cdasilva1@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam18.c0.bise6.blackberry.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

cdasilva1@bell.blackberry.net
antispam18.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;CdaSilva@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Tue, 4 Jun 2013 13:01:54 -0400
From: Tony Sugrim <TSugrim@genrep.com>
To: Carlos da Silva <CdaSilva@genrep.com>
Content-Class: urn:content-classes:message
Date: Tue, 4 Jun 2013 13:01:52 -0400
Subject: RE: Undeliverable emails
Thread-Topic: Undeliverable emails
Thread-Index: Ac5hRLCFHIHjxKu8RgGceiRKHPbo+wAAIGqA
Message-ID: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C76@GENREPMISS.headoffice.local>
References: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C75@GENREPMISS.headoffice.local>
In-Reply-To: <B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C75@GENREPMISS.headoffice.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_005_B91DF9842A98E049A3AF0381D3036F2D7DFD3B0C76GENREPMISShea_";
      type="multipart/alternative"
MIME-Version: 1.0



--------------------------------------------------------------------------------------------------------------------------------------------

From: Microsoft Exchange
Sent: Wednesday, June 05, 2013 8:40 AM
To: Tamara Da Silva
Subject: Undeliverable: Sales Call Logs
Importance: High

Delivery has failed to these recipients or distribution lists:

thomasbrown@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam10.c0.bise6.blackberry.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

thomasbrown@bell.blackberry.net
antispam10.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;TBrown@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by
 GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Wed,
 5 Jun 2013 08:39:30 -0400
From: Tamara Da Silva <TDaSilva@genrep.com>
To: Andre Forcier <aforcier@genrep.com>, Kennth Olesen <KOlesen@genrep.com>,
      Thomas Brown <TBrown@genrep.com>, Denis Gougeon <dgougeon@genrep.com>
CC: Jay da Silva <jay@genrep.com>
Importance: high
X-Priority: 1
Date: Wed, 5 Jun 2013 08:39:28 -0400
Subject: Sales Call Logs
Thread-Topic: Sales Call Logs
Thread-Index: Ac5h6bgMRxXflmfhQqKov0Awg7XCag==
Message-ID: <B91DF9842A98E049A3AF0381D3036F2D7E278B184F@GENREPMISS.headoffice.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
      boundary="_000_B91DF9842A98E049A3AF0381D3036F2D7E278B184FGENREPMISShea_"
MIME-Version: 1.0
0
 
LVL 16

Accepted Solution

by:
uescomp earned 500 total points
ID: 39223695
Yes if its a worm that managed to infect your file shares.  I would recommend jumping on that pc and running some good scans.

I usually run these in this order.

tdsskiller
roguekiller
adwcleaner
combofix
malwarebytes

You can find most of them at:  http://www.bleepingcomputer.com/download/windows/

Malwarebytes can be found here:  www.malwarebytes.org

Hopefully it did not infect any other system or worse one of the servers.  I would disconnect that system from the network.  What it is probably doing is flooding exchange with spam and thats why your blacklisted because you have a virus that is spamming.  This of course would hose up exchange for exchange is most likely sending and recieving bouncebacks at a very high volume so it is just very busy.
0
 

Author Closing Comment

by:wildasIwanabe
ID: 39226238
uescomp thanks for your information how would i go by getting on to the exchange server and clearing the up any discrepencies? also everything worked and the users are able to recieve emails and send out again! thank you, now the users emails are forwarded to there blackberry and whenever anything is sent to their BB the user sending gets this error along with the header...

----------------------------------------------------------------------------------------------------------------------------------------------

Delivery has failed to these recipients or distribution lists:

dpoyntz@bell.blackberry.net
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: antispam17.c0.bise6.blackberry.


Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: GENREPMISS.headoffice.local

lsilva@bell.blackberry.net
antispam4.c0.bise6.blackberry #550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. ##rfc822;LSilva@genrep.com

Original message headers:

Received: from GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2]) by GENREPMISS.headoffice.local ([fe80::be0b:ce33:3ac5:dca2%10]) with mapi; Thu, 6 Jun 2013 11:33:16 -0400
From: Tony Sugrim <TSugrim@genrep.com>
To: Larry Silva <LSilva@genrep.com>
Content-Class: urn:content-classes:message
Date: Thu, 6 Jun 2013 11:33:11 -0400
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5iyymU6GF8+PxZQF6TwA+z9sXBgA==
Message-ID: <6mdk3jrl0u4k8qwky8s8gjkr.1370532788716@email.android.com>
Reply-To: Tony Sugrim <TSugrim@genrep.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_004_6mdk3jrl0u4k8qwky8s8gjkr1370532788716emailandroidcom_";
      type="multipart/alternative"
MIME-Version: 1.0
0
 
LVL 16

Expert Comment

by:uescomp
ID: 39226507
Depends on which blacklists you are on.  If you were listed on spamhaus you definetly had a virus.  The emails will stop relaying because the virus has been handled so exchange should calm down.  If your comfortable that you removed the virus then start delisting yourself from the blacklists.  Once those clear up you should be ok.

I would also strongly advise your users to not open zipped attatchments sent from USPS, UPS, BBB.org, all that jazz.  If it is a problem then you should look for an external mail filter like mailmax or something.
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Zepto Ransomware - Decrypt/Restore files 5 261
Do I need additional protection from ransomware? 13 148
Work with App store 7 68
Password reset 1 18
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question