A large-scale virus attack was launched yesterday (Saturday, February 24, 2007) against older versions of the MailEnable mail server. MailEnable ships with Plesk for Windows, so if you are not running Plesk on Windows this almost certainly does not affect you. The affected MailEnable versions are those earlier than: Standard 1.981, Professional 2.37, and Enterprise 2.37. If you are already running one of these versions or later you are probably not infected, but run the check below anyway.
The most reliable way to tell whether you are infected is to open Start -> Control Panel -> Administrative Tools -> Services and look for a service named "MailEnable SMTP Relay Service". A clean MailEnable install does not create a service with this name. If it is not present, you are most likely not infected.
Here are the steps to remove the virus:
1. Right-click "MailEnable SMTP Relay Service" and select Stop. Right-click the service again and select Properties. In the Properties window, set Startup type to Disabled, then click Apply and OK. Close the Services window.
2. Right-click the Windows taskbar and select Task Manager. On the Processes tab, find the process "mesmtpsvc.exe", right-click it and select "End Process Tree".
3. Navigate to C:\Windows\System32 and look for any of the following files: a.exe, bot.exe, bw.exe, gethashes.exe, getsyskey.exe, nc.exe, rdriv.sys, start.bat. Delete any of these you find by highlighting them and pressing Shift + Delete (this bypasses the Recycle Bin); a dialog box will ask you to confirm the deletion. BE CAREFUL NOT TO DELETE ANY OTHER FILES! Several of these are attacker tools rather than parts of the virus itself: nc.exe is netcat, and gethashes.exe and getsyskey.exe are password-hash extraction tools. If those are present, assume the local Administrator and other account passwords have been captured and change them once the cleanup is complete.
4. If the "mesmtpsvc.exe" process was running in Task Manager in step 2, navigate to C:\Windows and delete the file "mesmtpsvc.exe" if it is there.
5. Run regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and look for a service entry for "rdriv.sys". Delete every instance you find.
6. Search the whole registry (Edit -> Find) for "rdriv.sys" and "start.bat" and delete every instance. Exporting each key (File -> Export) before you delete it gives you a way back if something breaks. PLEASE BE WARNED! WE DO NOT TAKE ANY RESPONSIBILITY FOR ANY ISSUES CAUSED BY CUSTOMERS EDITING THE REGISTRY. PLEASE BE CAREFUL!
7. Download the latest MailEnable version for the edition you run (Standard on a stock Plesk install) from http://www.mailenable.com/download.asp and install it, clicking Yes when asked to reset permissions on the message store. Reboot.
8. Download and apply the latest MailEnable hotfix from http://www.mailenable.com/hotfix/default.asp. Reboot.
9. Navigate to C:\Windows\System32 and remove rdriv.sys if it is found there.
10. Run gpedit.msc and open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
11. Double-click "Access this computer from the network" and make sure the following users and groups are listed:
Group: Administrators
Group: Users
Group: Everyone
User: IUSR_TEMPLATE
User: IWAM_TEMPLATE
User: psacln
To add a group, click Object Types and tick Groups so that groups are included in the search. The Plesk web accounts listed above need this right for sites to load without a login prompt, which is what step 16 checks.
12. Start the Windows Firewall (Control Panel -> Windows Firewall).
12A. If you cannot manage the firewall from the Control Panel applet:
12A-1. Run gpedit.msc.
12A-2. Navigate to Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Standard Profile.
12A-3. Double-click the setting "Windows Firewall: Protect all network connections", set it to Enabled, click Apply, then OK.
12A-4. Open the same setting again, set it to Not Configured, click Apply, then OK. Toggling the policy on and back off clears the setting that was locking the applet.
12A-5. You should now be able to manage the Windows Firewall from the Control Panel applet.
13. With the Windows Firewall on, save the file http://www.solarvps.com/winfirewall.txt to the desktop and rename it to "firewall.cmd".
14. Open firewall.cmd in Notepad first so you know which ports it opens, then run it; it applies a standard firewall ruleset.
15. Verify that rdriv.sys is no longer present in C:\Windows\System32 on the VPS.
16. Verify that web sites can be viewed without a login prompt.
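As an added example (not from the original post, and not MailEnable's or SolarVPS's code), here is a PowerShell triage script that checks a server for the indicators named in steps 1 through 9 and, with a hypothetical -Remove switch of our own naming, performs the same stop, disable and delete actions. It assumes Windows PowerShell is installed on the server and that it is run from an elevated prompt; every service, process, file and registry name it looks for is taken from the steps above and nothing further about the virus is assumed.

```powershell
# Added triage script for the indicators listed in the steps above.
# Not part of the original post and not MailEnable's or SolarVPS's code.
# Assumes Windows PowerShell is installed and this runs from an elevated
# (Administrator) prompt. Indicator names and paths come from the steps
# above; the -Remove switch is our own hypothetical naming.

param(
    [switch]$Remove   # without it the script only reports; with it, it stops,
                      # disables and deletes what it finds (steps 1-6 and 9)
)

$system32    = Join-Path $env:SystemRoot 'System32'
$svcName     = 'MailEnable SMTP Relay Service'       # rogue service (step 1)
$procName    = 'mesmtpsvc'                            # rogue process image without .exe (steps 2, 4)
$dropped     = @('a.exe', 'bot.exe', 'bw.exe', 'gethashes.exe', 'getsyskey.exe',
                 'nc.exe', 'rdriv.sys', 'start.bat')  # files from step 3
$regNeedles  = @('rdriv.sys', 'start.bat')            # strings searched in steps 5 and 6
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = @()

# Step 1: the rogue service. A clean MailEnable install does not create it.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "service '$svcName' present, status $($svc.Status)"
    if ($Remove) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svcName -StartupType Disabled
    }
}

# Step 2: the rogue process (there may be more than one instance).
foreach ($p in @(Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    $findings += "process $procName.exe running, PID $($p.Id)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Steps 3, 4 and 9: dropped files in System32 plus the loader in %SystemRoot%.
$paths = @()
foreach ($f in $dropped) { $paths += Join-Path $system32 $f }
$paths += Join-Path $env:SystemRoot "$procName.exe"
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $findings += "file present: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    }
}

# Steps 5 and 6: service keys whose name or ImagePath references an indicator.
# Step 6's whole-registry search is wider than this; this covers the Services
# hive that step 5 names.
foreach ($key in @(Get-ChildItem -LiteralPath $servicesKey -ErrorAction SilentlyContinue)) {
    $image = [string](Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    $hits = @($regNeedles | Where-Object { $key.PSChildName -like "*$_*" -or $image -like "*$_*" })
    if ($hits.Count -gt 0) {
        $findings += "registry: $($key.PSChildName) (ImagePath '$image') references $hits"
        if ($Remove) { Remove-Item -LiteralPath $key.PSPath -Recurse -Force }
    }
}

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post were found.'
} else {
    Write-Output 'Indicators found:'
    foreach ($f in $findings) { Write-Output "  $f" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to stop, disable and delete the items above.' }
}

# Step 12 check: operational mode of the Windows Firewall, using the legacy
# "netsh firewall" context that Windows Server 2003 and XP provide.
Write-Output 'Windows Firewall state (step 12):'
netsh firewall show opmode
```

Run it once without -Remove to see what it reports, then again with -Remove. It does not perform the MailEnable upgrade and hotfix (steps 7 and 8), the user-rights check (steps 10 and 11) or the firewall ruleset (steps 13 and 14); run it a final time after the reboots to cover step 15.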