Exchange 5.5 w32.Sober.X@mm

Is there any way I can find out the IP of the PC infected with the 
Sober.X@mm? I kept receiving tons of e-mail from NAV for Exchange about 
e-mail infected with the worm.

Thanks,

Ismael
0
Ismael (9)
11/23/2005 1:47:01 AM

Hi Ismael,

"Ismael" <Ismael@discussions.microsoft.com> wrote in message 
news:034EC4EE-2CA3-420A-84BB-DC74271A9973@microsoft.com...
> Is there any way I can find out the IP of the PC infected with the
> Sober.X@mm. I kept receiving tons of e-mail from NAV for Exchange about
> e-mail infected with the worm.

Be sure that the source of the e-mails is inside your network. You may use 
the Message Tracking Center in Exchange System Manager to do this.

These worms normally cause a high volume of senseless SMTP traffic. You should 
see this easily with a network sniffer like Ethereal.
http://www.ethereal.com/distribution/win32/

Symantec is offering a removal tool. Depending on your number of clients, 
you may install it on every client.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.removal.tool.html

cheers,
Andy 


0
andy.rath (135)
11/23/2005 10:06:07 AM
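
Added example (not part of the thread or of any poster's code): one way to act on the sniffer advice in the reply above is to summarise a capture and list the internal hosts, other than the mail server, that open SMTP connections. The capture lines are constructed in tcpdump's `-nn` text format; the subnet, the mail-server address 10.0.0.5 and the threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample capture (tcpdump -nn text format); all addresses are made up.
SAMPLE = """\
09:14:02.100001 IP 10.0.0.23.1045 > 192.0.2.10.25: Flags [S], seq 1000, win 64240, length 0
09:14:02.180440 IP 192.0.2.10.25 > 10.0.0.23.1045: Flags [S.], seq 7000, ack 1001, win 65535, length 0
09:14:02.300002 IP 10.0.0.23.1046 > 198.51.100.7.25: Flags [S], seq 1100, win 64240, length 0
09:14:02.500003 IP 10.0.0.23.1047 > 203.0.113.99.25: Flags [S], seq 1200, win 64240, length 0
09:14:02.700004 IP 10.0.0.23.1048 > 10.0.0.5.25: Flags [S], seq 1300, win 64240, length 0
09:14:03.100005 IP 10.0.0.23.1049 > 192.0.2.10.25: Flags [S], seq 1400, win 64240, length 0
09:14:03.200006 IP 10.0.0.5.2301 > 198.51.100.7.25: Flags [S], seq 2000, win 64240, length 0
09:14:03.400007 IP 10.0.0.5.2302 > 203.0.113.99.25: Flags [S], seq 2100, win 64240, length 0
09:14:04.000008 IP 10.0.0.40.1100 > 192.0.2.80.80: Flags [S], seq 3000, win 64240, length 0
09:14:05.000009 IP 10.0.0.61.1200 > 10.0.0.5.25: Flags [S], seq 4000, win 64240, length 0
"""

# Matches only the initial SYN of a connection ("[S]"), not the SYN-ACK ("[S.]").
SYN_LINE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+): Flags \[S\]"
)

def smtp_talkers(capture_text, internal_net, mail_servers, min_syns=3):
    """Return [(source_ip, syn_count, distinct_destinations)] for internal hosts
    that are not known mail servers yet start at least min_syns SMTP connections."""
    net = ip_network(internal_net)
    servers = {ip_address(a) for a in mail_servers}
    syns = defaultdict(int)
    dests = defaultdict(set)
    for line in capture_text.splitlines():
        m = SYN_LINE.match(line.strip())
        if not m or int(m.group(3)) != 25:
            continue                      # not a new connection to TCP/25
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        if src not in net or src in servers:
            continue                      # outside our network, or the mail server itself
        syns[src] += 1
        dests[src].add(dst)
    hits = [(str(s), n, len(dests[s])) for s, n in syns.items() if n >= min_syns]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, count, spread in smtp_talkers(SAMPLE, "10.0.0.0/24", ["10.0.0.5"]):
        print(f"{src}: {count} SMTP connection attempts to {spread} destinations")
```

A workstation that reaches many distinct destinations on port 25 is the pattern to look for; a host that only talks to the internal mail server in small numbers stays below the threshold.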
Andy, thank you so much for your reply. The infection is inside our network 
and I already found 2 machines infected with the worm. I ended up writing a 
script that searches every machine in our domain for the virus signature in the 
winnt\system32 directory. I will try Ethereal; it looks like a good tool.

0
Ismael (9)
11/23/2005 9:17:07 PM
"Ismael" <Ismael@discussions.microsoft.com> wrote in message 
news:BFF48E4D-80F3-4F67-8B27-A006CDA69731@microsoft.com...
> Andy, thank you so much for your reply. The infection is inside our network
> and I already found 2 machines infected with the worm. I ended up writing a
> script that searches every machine in our domain for the virus signature in
> the winnt\system32 directory. I will try Ethereal; it looks like a good tool.

it is ;-)

cheers,
Andy



0
andy.rath (135)
11/24/2005 12:07:16 PM
Don't you use anti-virus software?



0
bjorgenson (31)
11/29/2005 3:31:07 PM