
\EXCHSRVR\imcdata\in\ ???? virus sobig


quell

IS-IT--Management
Nov 8, 2002
363
US
What is this dir used for? The W32.Sobig.A@mm.enc virus keeps popping up in this dir. So far since yesterday around noon it's hit over 2000 times and is filling up my logs. I am up to date on my Virus Defs, hotfixes etc.
Does Exchange place the email here as a temp dir before sending or receiving the e-mail to the hosts?
Norton's for Exchange does not pick it up but regular Norton's does. I have 2 on one server. 1 for Exchange and 1 for system.
Any ideas?

Here is the alert I get

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Sobig.A@mm.enc
File: E:\EXCHSRVR\imcdata\in\GYST2FJ8
Location: E:\EXCHSRVR\imcdata\in
Computer: USIEXCH
User: Email_Server (account used to dl e-mail)
Action taken: Delete succeeded : Access denied
Date found: Wed Mar 12 08:38:27 2003
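The alert above is one record of a multi-line "key: value" log; when a server is logging thousands of them it helps to count hits per directory and to flag the "Access denied" deletions, which are the detections where the file was still held open by another process. This is an added triage helper, not code from the thread or from Norton; the alert records below are constructed samples in the same layout, and the field names are assumed to be exactly those shown in the quoted alert.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the alert quoted above; not real log data.
SAMPLE_ALERTS = r"""
Virus name: W32.Sobig.A@mm.enc
Location: E:\EXCHSRVR\imcdata\in
Action taken: Delete succeeded : Access denied
Date found: Wed Mar 12 08:38:27 2003

Virus name: W32.Sobig.A@mm.enc
Location: E:\EXCHSRVR\imcdata\in
Action taken: Delete succeeded : Access denied
Date found: Wed Mar 12 09:38:27 2003

Virus name: W32.Sobig.A@mm.enc
Location: C:\Temp
Action taken: Quarantine succeeded
Date found: Wed Mar 12 10:38:27 2003
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"

def parse_alerts(text):
    """Blank lines separate records; only the first ': ' splits key from value."""
    alerts = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            # 'Action taken' and the timestamp contain colons, so split once only.
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        if "Date found" in rec:
            rec["when"] = datetime.strptime(rec["Date found"], DATE_FMT)
        alerts.append(rec)
    return alerts

def hits_by_location(alerts):
    """Detections per (virus name, directory), so a queue folder stands out."""
    return Counter((a.get("Virus name"), a.get("Location")) for a in alerts)

def access_denied(alerts):
    """Deletions the scanner could not complete because the file was in use."""
    return [a for a in alerts if "Access denied" in a.get("Action taken", "")]

def hits_per_hour(alerts):
    """Average detection rate between the first and last timestamps."""
    times = sorted(a["when"] for a in alerts if "when" in a)
    hours = (times[-1] - times[0]).total_seconds() / 3600 if len(times) > 1 else 0
    return len(times) / hours if hours else 0.0
```

A high hit rate concentrated in a single queue directory, with every deletion ending in "Access denied", points at a scanner racing a mail service for files it has open rather than at an infection of the server itself.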
 
I have had that problem at three different customers of mine. It went on for about a week or so. As long as your NAV keeps picking it up you should be ok.

I never found out where it was originating from. My only GUESS was that some spammer was trying to relay off the server because I had NAVMSE as well. ???????

It should go away after a week. If you ever do find out why that keeps popping up, post it because that bothered me for weeks.
 
Be careful, I have seen this too.

But I also am having a problem now where if I reboot the server, I send out a ton of duplicate emails!

If you have ideas, I'd sure love some.
 
Here is what I've figured out so far.
1. If you stop the IMS service, the virus stops.
2. For some reason when I stop the service, set it to manual start, then reboot, then go start the service, the virus sometimes comes back and sometimes it doesn't.
3. I have found out where it is coming from but I contacted them and they said that they have an AV in place and nothing is popping up on their end so it must be on my end. ugh :(
4. I have followed Norton's and others' way of removing this virus but I have not found any evidence that it is on my server. (Looked in reg and sys for files etc.) I'm guessing that this is the temp dir before Exchange can decide where to send it. I have a theory but that's it.
Theory is that Exchange copies the e-mail to this dir before actually deciding where to send it. So before Exchange can decide where to send it, Norton's system AV grabs the virus. The Exchange AV never sees it. Just a theory though. Is this a temp dir for incoming e-mail?
 
I have been having this problem for a couple of weeks now. NAV detects the Yaha virus several times a day and quarantines the virus while restricting access. I have no idea how or why this is being generated. I am starting to think that this is a very serious situation. I offer the following link for each of you to read and comment on. This is not to alarm anyone, but just the same.

Yomang
 
Here is what I found on that dir.

Exchange Server's IMS messaging connector lets users transfer messages using Simple Mail Transfer Protocol (SMTP). The IMS receives outbound messages from the Information Store and converts them and their attachments into either MIME or UUENCODE format before scheduling delivery. SMTP uses these two formats, and Exchange has the flexibility to define them on a per-domain basis. You can view both inbound and outbound data files in the \EXCHSRVR\IMCDATA\IN and \EXCHSRVR\IMCDATA\OUT folders. These folders function as a temporary storage area for the messages.

And this is from a Microsoft site.

There are four queues for the Internet Mail Service. Outbound messages travel from the MTA's Internet Mail Service queue (Exchsrvr\Imcdata\Out) to the Internet Mail Service's MTS-OUT queue in the information store. The Internet Mail Service converts the messages and places them in the Out queue until they are sent. The Internet Mail Service places messages received from the Internet in its In queue (Exchsrvr\Imcdata\In). The messages are then converted by the Internet Mail Service and moved to the MTS-IN queue in the information store.

Now the question is how do I stop it. I'm up to over 8000 hits with the sobig virus and have no idea how to stop it.
 