I recently upgraded the company to AVG Business. It works great and really helps with spam. I noticed that our Exchange server queue gets an infection about every ten minutes. Two issues:
I cannot clear the infections without a restart, which takes down email for about 30 minutes (unacceptable). I understand it is because the files are not accessible, but where are they all coming from?
Is this a bot on our network, or is this incoming mail?
Finally, should I even be concerned about this? I feel this could be a spam bot on our network.
| Scanned object | Infection | State | Detection time | Object type | Process |
|---|---|---|---|---|---|
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb | Virus found JS/Obfuscated | Moved to Virus Vault | 2010-07-07 13:21:20 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb | Virus found JS/Obfuscated | Object is inaccessible. | 2010-07-07 13:38:19 | file | C:\Program Files\Windows NT\Accessories\WORDPAD.EXE |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb | Virus found JS/Obfuscated | Object is inaccessible. | 2010-07-07 13:38:12 | file | C:\WINDOWS\Explorer.EXE |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e59d5870-81b2-4c56-b330-ec4e9ebbe9bc | Virus found JS/Obfuscated | Moved to Virus Vault | 2010-07-07 13:21:20 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ebfafd55-5a91-4786-9827-9a8dfe3b8884 | Virus found JS/Obfuscated | Moved to Virus Vault | 2010-07-07 13:21:20 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ed35ea91-f4b3-4139-8c82-81cdc14ab6ca | Virus found JS/Dropper | Moved to Virus Vault | 2010-07-07 13:21:21 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ef25b8d0-c327-458f-a7db-39e0579c0398 | Virus found JS/Dropper | Moved to Virus Vault | 2010-07-07 13:21:21 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\fc76582c-f1d1-483d-8a62-910e2a10e054 | Virus found JS/Obfuscated | Moved to Virus Vault | 2010-07-07 13:21:21 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML | Virus found JS/Obfuscated | Reboot is required to finish the action | 2010-07-07 13:21:28 | file | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML | Virus found JS/Obfuscated | Reboot is required to finish the action | 2010-07-07 12:42:31 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML | Virus found JS/Obfuscated | Reboot is required to finish the action | 2010-07-07 13:02:46 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML | Virus found JS/Obfuscated | Reboot is required to finish the action | 2010-07-07 12:28:30 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML | Virus found JS/Obfuscated | Reboot is required to finish the action | 2010-07-07 13:11:20 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML | Virus found JS/Obfuscated | Reboot is required to finish the action | 2010-07-07 13:23:44 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e3ae89401cb1ddd00006f44.EML | Virus found JS/Dropper | Reboot is required to finish the action | 2010-07-07 10:04:38 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e3ae89401cb1ddd00006f44.EML | Virus found JS/Dropper | Reboot is required to finish the action | 2010-07-07 10:03:33 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e3ae89401cb1ddd00006f44.EML | Virus found JS/Dropper | Infected | 2010-07-07 11:44:34 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:56:59 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:25:44 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:09:52 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:24:49 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:45:53 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:08:35 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:32:58 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:16:11 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:15:49 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 05:06:17 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:06:30 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:31:44 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 05:58:31 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:06:32 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:30:30 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:07:36 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:07:13 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:05:25 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:05:59 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 09:42:03 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 05:48:29 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 03:14:49 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:47:24 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:04:39 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 02:03:15 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-07 18:03:21 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 05:28:25 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 02:11:11 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 06:36:12 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 05:37:59 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 02:21:40 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 09:52:02 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 02:32:04 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 05:16:18 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 02:53:37 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 03:33:01 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 03:03:47 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 03:24:54 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 04:26:40 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 09:43:13 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 09:31:32 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 09:00:37 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 08:51:02 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 08:31:28 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 08:23:08 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 08:22:00 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 08:12:26 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 08:03:57 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:54:22 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:45:51 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
| c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML | Virus found JS/Dropper | Infected | 2010-07-08 07:35:51 | file | C:\WINDOWS\system32\inetsrv\inetinfo.exe |
UPDATE: I have not properly installed AVG Business Internet Security 9.0 on my Windows Server 2003 R2 with Exchange 2003. It seems like it needs to be added/installed to the Application Servers section in the admin console. Can anyone shed some light on how to do this?
**FINAL UPDATE**

Here is AVG's reply :)

> Dear customer,
>
> The file that you had referenced, avg_ipw_stf_all_90_839a2960.exe, is the installation file intended for workstations and file servers.
>
> The file you should be installing on an Exchange server would be the Email Server Edition (file name avg_msw_stf_all_90_839a2960.exe, which comes with plugins for scanning Exchange and Antispam plugins).
>
> Please download and deploy the following file to your Exchange server to have it correctly display in the Application Server group:
>
> http://download.avg.com/filedir/inst/avg_msw_stf_all_90_839a2960.exe
What you're seeing is incoming mail with viruses attached. These haven't infested Exchange yet; they're designed to infest clients. And it sounds like AVG Business isn't handling it the way it should. It's treating each file like a true infection with an active payload rather than a passive payload. This isn't compatible with Exchange for the most part (also, you don't mention an Exchange version).
Looking at AVG, the product that's supposed to work with Exchange is AVG Internet Security Business Edition 9.0. If that's what you're actually running, you need to reconfigure it to use VSAPI scanning instead of file-level scanning (page 177 of the handy manual). Or if you're on Exchange 2007/2010, the routing Transport scanner.
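As an added triage example (not from the original post, from AVG, or from the answer above), here is a small Python parser for rows in the layout of the report pasted in the question, with a check that answers the "bot or incoming mail?" question from where the files sit and which process had them open. The sample rows are constructed in the report's format, and the Mailroot/inetinfo.exe rule is my own heuristic for Exchange 2003.

```python
import re
from collections import Counter

# Constructed sample rows in the column layout of the AVG report pasted above
# (scanned object, infection, state, detection time, object type, process).
SAMPLE_REPORT = r"""
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb Virus found JS/Obfuscated Moved to Virus Vault 2010-07-07 13:21:20 file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb Virus found JS/Obfuscated Object is inaccessible. 2010-07-07 13:38:12 file C:\WINDOWS\Explorer.EXE
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML Virus found JS/Obfuscated Reboot is required to finish the action 2010-07-07 12:42:31 file C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML Virus found JS/Dropper Infected 2010-07-08 06:56:59 file C:\WINDOWS\system32\inetsrv\inetinfo.exe
"""

# One row: <object> Virus found <family> <state> <yyyy-mm-dd hh:mm:ss> <type> <process>
ROW = re.compile(
    r"^(?P<obj>.+?) Virus found (?P<family>\S+) (?P<state>.+?) "
    r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<kind>\S+) (?P<proc>.+)$"
)

# Exchange 2003 keeps SMTP mail in transit under Mailroot, and its SMTP service
# runs inside IIS's inetinfo.exe, so that process holding a queue file is normal.
QUEUE_DIR = "\\exchsrvr\\mailroot\\"
SMTP_HOST = "inetinfo.exe"

def parse_report(text):
    """Turn the flat report into dicts, skipping lines that do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def triage(rows):
    """Bot on the LAN or incoming mail? Decide from where the files sit and
    which process had them open when the on-access scanner fired."""
    in_queue = [r for r in rows if QUEUE_DIR in r["obj"].lower()]
    held_by_smtp = [r for r in rows if r["proc"].lower().endswith(SMTP_HOST)]
    # Not quarantined means AV could not take the file from under the service,
    # which is why every cleanup here ends up needing a restart.
    unresolved = [r for r in rows if r["state"] != "Moved to Virus Vault"]
    mail_in_transit = bool(rows) and len(in_queue) == len(rows)
    return {
        "in_queue": len(in_queue),
        "held_by_smtp": len(held_by_smtp),
        "unresolved": len(unresolved),
        "families": Counter(r["family"] for r in rows),
        "verdict": ("incoming mail scanned in the transport queue" if mail_in_transit
                    else "detections outside the mail queue: investigate the host"),
    }
```

A result where every hit is under Mailroot and most are unresolved is the file-level-scanning mismatch the answer describes, not a host compromise; the remedy is scanning mail through VSAPI (or the transport scanner on newer Exchange) rather than tightening the on-access scanner.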