
Exploit-MIME.gen.c on Exchange Server

Status
Not open for further replies.

jcneil1

IS-IT--Management
May 14, 2002
We run Exchange 2000 on Windows 2000 Server. GroupShield 6.0 and VirusScan Enterprise 7.1 also run on this server. I get several daily virus alerts from this server looking like this:

[The file C:\WINNT\Temp\MMMB6D8.tmp is infected with the Exploit-MIME.gen.c Program. Undetermined clean error, quarantine failed. Detected using Scan engine version 4.3.20 DAT version 4381.(from XXXX IP 192.168.1.3 user NT AUTHORITY\SYSTEM running VirusScan EntSv 7.1.0 OAS)]

The file names change. I have run full scans on the server and come up clean... is this a worm? Is the winnt\temp folder where GroupShield is placing temp files and VSE is snatching them up? The NAI kbase talks about the MIME exploit from HTML email, but we never read email on this server. Any ideas?
 
It sounds like some other computer on the network is infected and putting the file out there. Normally incoming e-mail comes into an exchsrvr folder about 12 levels down with an *.eml extension.

Under normal situations that folder is excluded from being scanned, but our company has chosen to prescan rather than get all the questions from confused users about what the message means.

It apparently has some sort of MIME header in the file for that virus to be detected.
 