Customers have been asking about how to best defend against the new e-mail virus Worm:Win32/VB.WF. This virus uses a link in the message body that looks like a link to a PDF file but is actually a link to a *.scr file. When you click the link, it begins sending e-mails using the GAL or contacts. (Information about the virus can be found on the Microsoft Malware Protection Center.)

If you are using the Cloudmark antispam engine in Forefront Protection 2010 for Exchange Server (FPE) or Antigen 9.2 AND your engine updates are up-to-date, your environment should be protected from this virus. If you are using Forefront Security for Exchange Server (FSE) or are not using the antispam features in FPE or Antigen, you can block these virus e-mails in several ways:

1.       During the Transport scan (Messages in Transport):

·      Subject line filtering on FPE (FSE doesn’t provide subject line filtering on the Transport Scan Job. This also assumes the messages do not contain an AV stamp.) The subject line of the e-mail is typically Here you have”. You should create a subject line filter to block/delete messages using this subject line.

·      Exchange Transport rules. You can use Exchange transport rules to block messages based on their subject line.

2.       During the Mailbox scan (Messages in transit at the Store level via the Realtime scan job as well as cleaning up what’s already in the Store via the Scheduled scan job.)

·         Use FPE and/or FSE Realtime and Scheduled Scan subject line filters.

·         Use the Exchange PowerShell command: Get-TransportServer | Get-Queue | get-message | where{$_.MessageSubject -eq "Here you have"} | remove-message

For more information about using subject line filtering to stop this worm, please refer to this TechNet wiki article:

http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-vb-wf-email-virus-defending-with-forefront-security-forefront-protection-antigen.aspx

Note: If you are using FPE, be sure to disable the “Scan only messages with attachments” option, which is enabled by default, so that it will actually scan and remove these e-mails as they do not contain attachments and will be overlooked if this option is not disabled.  You should also be aware of the “Scan only messages received in the last” configuration if you plan on running these scans this weekend.  By default, the Scheduled scan will only scan messages received within the past 2 days and may miss these messages depending on when you run or schedule the scan.

Michel LaFantano
BPSG iX