Exchange and Goner worm

Post by Buste » Mon, 10 Dec 2001 07:24:05



We were hit by the Goner worm last week and when we brought the Exchange
server back up (V5.0 - I know, but we do intend to upgrade soon) all the
mails generated by the worm before the server was downed are still being
delivered (now blocked by our filter!). But as so many were generated this
is effectively a denial of service. Does anyone know if there is a way of
flushing the queue?

Thanks for any replies.

 
 
 


Post by Michael Abbaticchio [MVP] » Mon, 10 Dec 2001 11:31:58


Download goner.zip from MS at
ftp://ftppss.microsoft.com/outgoing/mail/w32goner55new.zip. Or, if it is
your IMS where they are queued, bring down your IMS, manually remove
infected messages from the queue directories, and restart your IMS.

--

regards,
Michael Abbaticchio
http://www.abbaticc.com


Quote:
> We were hit by the Goner worm last week and when we brought the Exchange
> server back up (V5.0 - I know, but we do intend to upgrade soon) all the
> mails generated by the worm before the server was downed are still being
> delivered (now blocked by our filter!). But as so many were generated this
> is effectively a denial of service. Does anyone know if there is a way of
> flushing the queue?

> Thanks for any replies.
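
The manual cleanup described in the reply above, sketched as an added example (not part of the thread and not Microsoft's cleanup package): with the mail service stopped, it moves queue files that carry a Goner attachment into a quarantine folder. It assumes each queued message is stored as one RFC 822 text file in the directory you pass in and matches on the worm's attachment name gone.scr; the function names and sample files are hypothetical.

```python
import shutil
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import Path

# Attachment name used by W32/Goner (assumption: extend for other outbreaks).
WORM_ATTACHMENTS = {"gone.scr"}

def is_infected(path, bad_names=WORM_ATTACHMENTS):
    """True if the queued message has an attachment with a listed name."""
    with open(path, "rb") as fh:
        msg = BytesParser(policy=policy.default).parse(fh)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() in bad_names:
            return True
    return False

def quarantine_queue(queue_dir, quarantine_dir, dry_run=True):
    """Select infected queue files; move them aside unless dry_run is set.

    Run only while the mail service is stopped so no file is in use.
    Files are moved, not deleted, so a false positive can be restored.
    """
    queue_dir, quarantine_dir = Path(queue_dir), Path(quarantine_dir)
    selected = []
    for path in sorted(queue_dir.iterdir()):
        if path.is_file() and is_infected(path):
            selected.append(path.name)
            if not dry_run:
                quarantine_dir.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(quarantine_dir / path.name))
    return selected

def build_sample_queue(queue_dir):
    """Constructed sample data: one clean and one infected message file."""
    for fname, attach in (("MSG0001", None), ("MSG0002", "GONE.SCR")):
        msg = EmailMessage()
        msg["Subject"] = "Hi"
        msg.set_content("constructed test message")
        if attach:
            # Harmless placeholder bytes, not a real sample.
            msg.add_attachment(b"placeholder", maintype="application",
                               subtype="octet-stream", filename=attach)
        Path(queue_dir, fname).write_bytes(msg.as_bytes())
```

Run it first with the default `dry_run=True` to review what would be moved, then again with `dry_run=False` before restarting the service.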


 
 
 

1. Removing Goner Virus from Exchange Server

We are running Exchange 2000 SP2, Windows 2000 Server, and
McAfee GroupShield v5.0 (sigh) for A/V protection.  

Last month, the Goner virus infected 10 PC's on campus -- we were
fortunate to catch this before it got very far but there were
messages in the message store, etc.  Here's what we did:

1)  Removed infected PC's from the network, updated McAfee, ...
2)  Disconnected Exchange server from network and updated McAfee.
3)  Ran "on-demand" scan to remove infected messages.

The above seemed pretty straightforward and we've double/triple-checked
the infected PC's and everything is clean.

All seems okay -- Except that GroupShield catches periodic messages
(once or twice per day) that supposedly come from those "infected PC's".

We are convinced that these messages are "stuck" somewhere in the
Exchange server and are getting resent.  


to Clean an Exchange Environment (Q314002)" gives a link that says:

"For detailed, specific information about how to clean up your Exchange
organization, download the appropriate zip file by clicking one of the
following links. Exchange 2000 Server and Exchange Server 5.5 have their
own respective packages to download:"

The URL for Exchange 2000 points to says it will "Download
W32goner55new.zip now" but the link is broken.

Any ideas?

Thanks!

Mike

13. Shutdown the MSBlaster Worm!