The AnnaKournikova virus recently attacked my company’s computer system. We thought that running Symantec antivirus software on all the servers (including the Exchange server) and workstations would fully protect us, but we were mistaken. Even with the most recent virus definitions, our system was vulnerable. While nothing will ever provide complete protection, I did learn several handy tricks that users of Symantec antivirus software can utilize to isolate and clean an infected Exchange system. Read on to find out if these methods can help protect your organization.

The outbreak
It started one morning when my boss asked me to look at several strange e-mails that our CFO had received. Each of the 10 suspect e-mails appeared to include a JPG file. On closer examination, I found that these JPG files actually had VBS extensions. At that point, alarm bells started ringing in my head, and I advised my manager to delete the e-mails and forward just one to me for further analysis.

I returned to my desk to take a closer look at the suspicious attachment named AnnaKournikova.jpg.vbs. Being fully aware of the dangers of VBS attachments, I handled it carefully and attempted to move it to another folder. It was at this point that I noticed that my Outbox was flashing on and off.

I knew instantly that this “Melissa”-type virus was propagating itself, and I immediately detached the network cable from my workstation. I advised my manager about the situation and immediately sent an e-mail to everyone on the Global Address List advising them not to open any e-mails from me containing attachments.

Multipronged approach
My first priority was to prevent any new infected e-mails from entering my system. With a little digging on Symantec’s Web site, I located instructions on how to set up attachment-blocking by extension or filename on an Exchange server. This method required editing the server’s registry, which I did immediately. Figure A shows the particular registry key. To ensure that the new settings took effect, I then ran NaveUpdate.exe, which can be found in the directory where Norton AntiVirus for Microsoft Exchange (NAVMSE) is installed.

Figure A
Warning: Using the Windows Registry Editor incorrectly can cause serious problems requiring the reinstallation of your operating system. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and these directions at your own risk.

Next, I shut down the Internet Mail Service on the Exchange gateway, preventing any further e-mail from entering or leaving our domain. I then started a Symantec antivirus sweep of all domain mailboxes. The domain scan turned up a lot of infected e-mails, and I advised users to close their e-mail software to prevent the virus from spreading further.

When the domain scan finished, it had found and removed over 2,800 instances of the virus. With the sweep complete, I reactivated the Internet Mail Service. Only three more instances of the virus were found during our regularly scheduled scan that night, and we were satisfied the outbreak had been contained.

Lessons learned
We were very lucky that the initial recipient of the virus did not simply open it. Thanks to this cautious user, we were better able to contain the outbreak. This incident also illustrated the importance of having a multipronged antivirus strategy. By using both server and workstation antivirus software, we were able to cleanse both levels of our network. Using the registry hack and disabling the Internet Mail Service ensured no new infections while we cleaned the existing viruses. Using all these methods together allowed us to quickly and effectively deal with this outbreak.

What’s your strategy?

What do you think of the way David handled this virus? How do you handle virus outbreaks in your organization? What steps are you taking to protect your e-mail systems from potentially harmful attachments? Post a comment or write to David Williams.