SYMPTOMS
- Web mail keeps prompting for Windows authentication, the IME account passwords are being lost, and/or the SMTP service is running slowly and mail is backing up.
- When accessing web mail in a browser you are prompted for Windows authentication credentials. The anonymous web mail accounts (IME_USER and IME_ADMIN) do not have permission to access the web mail folders.
- After running MEInstaller.exe (Start -> Run -> MEInstaller.exe) and executing option 2 and/or 3, web mail starts to work, but after an undetermined amount of time the passwords are lost and Windows credentials are required again.
- In the System event log (source: Service Control Manager) you have an error similar to the following:
  The MailEnable SMTP Relay Service service terminated unexpectedly. It has done this XXXXX time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
- The SMTP service is running slowly and mail in the outbound queues is being processed very slowly.
CAUSE
The "MailEnable SMTP Relay Service" named in the event log entry is not a MailEnable service at all. It is a Trojan that registers itself under that name so that it looks like one of the MailEnable services. Norton (and possibly other AV products) should detect it as rdriv.sys; the Trojan appears to use a rootkit to conceal its location.
The rogue service tries to send mail out through the server. This slows mail throughput and uses more CPU than normal, causing the queues to back up on high-volume servers. It also removes some permissions from the MailEnable IME_ADMIN and IME_USER accounts, or changes/removes their passwords, with the effect that the web mail sites stop working.
SOLUTION
If you have not patched your server with the current hotfixes, it is possible that someone exploited an unpatched version of the SMTP connector to get in. (MailEnable announces patches through the update list on the MailEnable home page, the RSS feed, etc.) You should upgrade to the current release as soon as possible.
Two things to keep in mind while cleaning up. First, MailEnable's own SMTP service is the "MailEnable SMTP Connector"; the Trojan adds a second, similarly named service, and it is only that second entry you want to disable. Second, removing the Trojan does not undo what the attacker did while on the box: nc.exe is netcat, and gethashes.exe and getsyskey.exe are, by their names, tools for dumping the local account password hashes, so treat every Windows account password on the server (including the IME_USER and IME_ADMIN passwords) as compromised and change them once the server is clean.
To remove the Trojan, follow these directions supplied by HiVelocity Hosting:
First, go to Administrative Tools -> Services. Scroll down to the MailEnable services and look for one called "MailEnable SMTP Relay Service". (If you don't have it, you are probably not infected by this Trojan.) If you do have it, right-click it, choose Properties, set the Startup type to Disabled and click OK.
Open Task Manager, find the process "mesmtpsvc.exe", right-click it and choose End Process.
Then open Windows Explorer and navigate to C:\WINDOWS\System32. Look for the following files:
a.exe
bot.exe
bw.exe
gethashes.exe
getsyskey.exe
nc.exe
rdriv.sys
start.bat
Delete them by selecting the files and pressing Shift+Delete (this bypasses the Recycle Bin).
Then go to C:\WINDOWS and make sure "mesmtpsvc.exe" is not present; if it is, delete it. Open the Windows Registry Editor (Start -> Run -> regedit). Use Edit -> Find to search for rdriv.sys and then for start.bat, and remove any and all references to these two files from the Registry.
Download the latest version of MailEnable from http://www.mailenable.com/download.asp and run the installer as you would any Windows application. Don't change any of the settings; leave them as-is. Reboot the server and double-check whether those .exe files are present again. If you did not remove start.bat, you are likely to get infected again.
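The manual procedure above can be checked and, if wanted, carried out from a script. The following PowerShell is an added example and is not MailEnable's or HiVelocity's own code. It assumes PowerShell 2.0 or later run from an elevated prompt, takes the rogue service, process and file names from this article, and assumes that "MailEnable SMTP Connector" is MailEnable's legitimate SMTP service (which it leaves alone). Without -Remediate it only reports what it finds; registry references are always reported for manual removal in regedit rather than deleted blindly.

```powershell
# Added example, not MailEnable's or HiVelocity's code. Checks a server for the indicators
# listed in the article and, with -Remediate, performs the service/process/file removal steps.
# Assumptions: PowerShell 2.0+, elevated prompt; names below come from the article except
# 'MailEnable SMTP Connector', assumed to be MailEnable's real SMTP service.
param([switch]$Remediate)

$sysRoot   = $env:SystemRoot                      # normally C:\WINDOWS
$rogueSvc  = 'MailEnable SMTP Relay Service'      # display name the Trojan registers
$rogueProc = 'mesmtpsvc'                          # Trojan process, mesmtpsvc.exe
$legitSvc  = 'MailEnable SMTP Connector'          # real MailEnable service: never touched here
$dropped   = @('a.exe','bot.exe','bw.exe','gethashes.exe','getsyskey.exe',
               'nc.exe','rdriv.sys','start.bat')  # files the article says are dropped in System32
$findings  = @()

# 1. Is the rogue service registered with the Service Control Manager?
$svc = Get-Service | Where-Object { $_.DisplayName -eq $rogueSvc }
if ($svc) { $findings += "service '$rogueSvc' present (short name $($svc.Name), status $($svc.Status))" }
$legit = Get-Service -DisplayName $legitSvc -ErrorAction SilentlyContinue
if ($legit) { Write-Host "Legitimate service '$legitSvc' is $($legit.Status); this script does not touch it." }

# 2. Is the rogue process running?
$proc = @(Get-Process -Name $rogueProc -ErrorAction SilentlyContinue)
if ($proc.Count -gt 0) {
    $pids = ($proc | ForEach-Object { $_.Id }) -join ','
    $findings += "process $rogueProc.exe running (PID $pids)"
}

# 3. Dropped files in System32, plus the Trojan binary in the Windows directory.
$files = @()
foreach ($name in $dropped) {
    $candidate = Join-Path (Join-Path $sysRoot 'System32') $name
    if (Test-Path -LiteralPath $candidate) { $files += $candidate }
}
$candidate = Join-Path $sysRoot "$rogueProc.exe"
if (Test-Path -LiteralPath $candidate) { $files += $candidate }
foreach ($f in $files) { $findings += "file present: $f" }

# 4. Registry values referencing rdriv.sys or start.bat under the Services key and the
#    autorun keys (the places a driver or a startup batch file would be wired in).
$regHits = @()
$roots = @('HKLM:\SYSTEM\CurrentControlSet\Services',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($root in $roots) {
    $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($key -eq $null) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            $value = [string]$key.GetValue($valueName)       # -match is case-insensitive in PowerShell
            if ($value -match 'rdriv\.sys|start\.bat') { $regHits += "$($key.Name) : $valueName = $value" }
        }
    }
}

# 5. Service Control Manager entries in the System log about the rogue service crashing.
$events = @(Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 1000 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$rogueSvc*" })
if ($events.Count -gt 0) { $findings += "$($events.Count) Service Control Manager event(s) mention '$rogueSvc'" }

if ($findings.Count -eq 0 -and $regHits.Count -eq 0) { Write-Host 'No indicators from the article were found.'; return }
Write-Host 'Indicators found:'
$findings | ForEach-Object { Write-Host "  $_" }
$regHits  | ForEach-Object { Write-Host "  registry reference: $_" }

if ($Remediate) {
    if ($svc) {
        Set-Service -Name $svc.Name -StartupType Disabled                  # Properties -> Startup type: Disabled
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    if ($proc.Count -gt 0) { $proc | Stop-Process -Force }                  # Task Manager -> End Process
    foreach ($f in $files) {
        # rdriv.sys may still be locked by the loaded driver; if a delete fails, reboot and rerun.
        Remove-Item -LiteralPath $f -Force -ErrorAction Continue
    }
    if ($regHits.Count -gt 0) { Write-Host 'Remove the registry references listed above in regedit, then reboot.' }
}
```

Run it once without -Remediate to confirm the indicators match what the article describes, then with -Remediate; afterwards reinstall MailEnable and reboot as the directions say, and run the script a second time to confirm nothing has come back.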