Protect users on Exchange against Worm:Win32/Visal.B

Worm:Win32/Visal.B is a new worm that spreads to other computers on a network and is out in wild as of last week. This worm usually comes to your network/computer via user’s email, as this worm is received as email message with attachment. The message contains a link to the worm hosted on a remote server as well could be attached PDF file. The file icon resembles a PDF document to maximize the chance of execution. The worm attempts to download arbitrary files and create a full-access share on the local computer as “updates”.

To protect your network and users you can simply create a transport rule on MS Exchange server 2007 and filter out any messages with key words,subject and simply strip/delete the messages on the border edge of your network. To create the transport rule you can use the Power Shell script or simply use the Ms Exchange management console.

  1. Go to Organization Configuration Hub Transport > Transport Rules – click New Transport Rule
  2. On the Introduction page, type a name and optionally enter description for the rule so you or anybody else has idea latter what the rule suppose to do
  3. On the Conditions page, select when the Subject field or message body contains specific words condition
  4. In the rule description, click specific words and enter this string (see picture for the string)
  5. On the Action page, select  Silently Drop the message (this is on Exchange 2007) action
  6. On the Exception page — no need to apply any exceptions as this is strictly related to the message with infected file just click NEXT, once your are satisfy with the rule and the overview click Finish to create the rule on your MS Exchange 2007 server.

Transport Rule

Once the rule is created and applied to your server any emails with these strings received will be silently deleted/dropped from your email system and this way you just created extra layer of protection for your network and users.

Created Rule

More info on the worm:

Leave a Reply