Official writeups at the following URLs:

 Microsoft Forefront Products

 

If you are not an MSAV customer, contact your AV vendor and work with them to get samples and definitions!

Action Plan

Exchange Server 2007 / 2010

Transport

Depending on the volume of incoming mail, you may need to pause all transport servers so nothing new is coming in.

1. Set a Transport Rule to delete any incoming messages

GUI - from the EMC

Organization Configuration > Hub Transport > Transport Rules

New Transport Rule

Fill out the rule Name and any necessary comments and leave Enable Rule checked

Next

Conditions: When the Subject field contains specific words "Here You Have"

Actions: silently drop the message

click New to create the rule and restart the Transport service

 

2. Delete messages in the queues

Get-TransportServer | Get-Queue | Get-Message -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have"} | Remove-Message -Confirm:$false

 

 

 

Mailbox Cleanup

1. Export and delete virus messages from mailboxes

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

** remember to create the target mailbox "VirusMailbox" first **

** hide this target mailbox from the GAL**

 

2. Preventative measure - disable MAPI access

Run the following to remove MAPI access from all mailboxes in that store (the first line only lists the current state):

Get-MailboxDatabase <name> | Get-Mailbox | Get-CASMailbox

Get-MailboxDatabase <name> | Get-Mailbox | Set-CASMailbox -MAPIEnabled $false

 

Then re-enable each user as their Outbox is cleaned out.

 

Exchange Server 2000/2003

1. Use ExMerge to remove the infected emails from mailboxes

2. Clearing queues

Manual: In E2K3 we can stop the SMTP service and then do a string search in the Queue folder for the subject words of the virus message, and delete the matching files that way.

 

 

Some quick and dirty updates.

 

Export-Mailbox command

You can limit this command to specific folders with the -IncludeFolders option, and if your customer is afraid of deleting legitimate mail you can use a date restriction to export only mail within a certain date range. Example below:

 

Get-Mailbox -Server Server1 | Export-Mailbox -SubjectKeywords "Here you have" -IncludeFolders "\Inbox" -StartDate "09/08/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox VirusMailbox -TargetFolder VirusMsgs -Confirm:$false

 

Tools

There is a tool that can be used to run reports against mailboxes to determine who has a large number of items in their Outbox. For additional information on this, contact Support.

 

ExMon can be used to determine which user or workstation may be hammering the message store and may need to be taken offline.

See the following for instructions on using ExMon to find the offending clients: http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html This works with every supported version of Exchange currently available.

 

Working with Transport - new information

One customer has almost 1.5 million messages, so you may need to purge on a queue-by-queue basis.

 

Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have"} | Suspend-Message -Confirm:$false

Get-Message -Queue "server\queue" -ResultSize Unlimited | Where-Object {$_.Subject -eq "Here you have"} | Remove-Message -Confirm:$false

 

Get-Message returns only 1000 messages at a time by default, so -ResultSize Unlimited is required or the purge will stop short.

 

If there are other transport rules they may need to be temporarily disabled. Remember that if you are running Exchange 2007 pre-SP3 you will not be able to remove messages from the Submission queue. Best bet is to pause transport and let the rule do its thing.
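The queue-by-queue purge above, put together as an added example (not part of the original action plan). It assumes the Exchange Management Shell on 2007/2010, the "Here you have" subject string from this plan, and the Subject property of Get-Message output; it counts matches per queue first so the scope is visible before anything is deleted.

```powershell
# Added example, not from the original action plan.
# Assumes: Exchange 2007/2010 Management Shell, subject string "Here you have".
$Subject = "Here you have"

# Enumerate every queue on every transport server. -ResultSize Unlimited is
# needed on both Get-Queue and Get-Message; the default stops at 1000 objects.
$queues = Get-TransportServer | Get-Queue -ResultSize Unlimited

# Pass 1: report how many matching messages sit in each queue (no changes made).
foreach ($q in $queues) {
    $hits = @(Get-Message -Queue $q.Identity -ResultSize Unlimited |
        Where-Object { $_.Subject -eq $Subject })
    if ($hits.Count -gt 0) {
        "{0}: {1} matching messages" -f $q.Identity, $hits.Count
    }
}

# Pass 2: suspend the matching messages first so transport cannot keep delivering
# them while the removal runs, then remove them without generating NDRs.
# Processing one queue at a time keeps each command's working set small.
foreach ($q in $queues) {
    Get-Message -Queue $q.Identity -ResultSize Unlimited |
        Where-Object { $_.Subject -eq $Subject } |
        Suspend-Message -Confirm:$false

    Get-Message -Queue $q.Identity -ResultSize Unlimited |
        Where-Object { $_.Subject -eq $Subject } |
        Remove-Message -WithNDR $false -Confirm:$false
}
```

Run pass 1 on its own first if you want the per-queue counts as a record before the removal pass; on pre-SP3 Exchange 2007 the Submission queue still has to be handled by pausing transport as noted above.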

Mitigations from an Outlook client perspective:

 

Warning this WILL break applications that utilize outlook to programmatically send/create messages!!!

Download the Office .adm templates found here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7

Install the outlk12 template into a GPO applied to an OU containing the computers on which you need to mitigate this issue.

Configure the following setting: User Configuration > Administrative Templates > Classic Administrative Templates > Microsoft Office Outlook 2007 > Security

Select Programmatic Access Security and click Enabled; for Options select "Always warn me about suspicious activity". This will force Outlook to always prompt when a 3rd-party application attempts to use Outlook programmatically.

Changes in the Outlook 2007 security model that allow programmatic email sending when the Security Center reports AV status as up to date and running: http://msdn.microsoft.com/en-us/library/bb226709(office.12).aspx