*************************************************************************
*           STEP BY STEP PROCESS TO CLEAN THE ILOVEYOU VIRUS            *
*************************************************************************

The following document outlines the steps required to clean the ILOVEYOU
virus from the IMCDATA and MTADATA directories and from the Exchange
Information Stores.

NOTE: This process can also be used to clean your environment of other
variants of this type of virus (e.g., VeryFunny.vbs):

1) Modify the string used to search the IMC so that it is the subject
   line of the new variant's message.
2) Modify the MTACLEAN batch file to search for the binary equivalent of
   the new variant's subject line.
   a. This can be determined by using a hex converter program to convert
      the subject line to hexadecimal.
   b. A sample program called Ascii2Hex.exe (Intel only) is included in
      the zip file.
3) Modify the criteria file for ISSCAN. For information on this see:
   Q224493 XADM: Using ISSCAN to Remove Virus-Affected Messages/Attachments
   http://support.microsoft.com/support/kb/articles/Q224/4/93.ASP?LN=EN-US&SD=gn&FR=0
4) To use ExMerge for one of these variants, refer to the detailed
   documentation in the <>\ExMerge\ directory.

--------------------------------------------------------------------------------------------------------
Issues to be aware of:

The following process only cleans the virus from the local Exchange
server. As soon as you allow mail to flow back into the server it can be
re-infected, so be aware of the risk of re-infection when you restart the
MTA and IMS services. To prevent further problems you will need an
anti-virus solution: the process below removes the virus if you are
currently infected; it does not stop the same thing from happening again.
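The variant note above comes down to one operation that the MTADATA and IMCDATA steps below both perform by hand: turn the new subject line into its byte pattern, search every queue file for it, and move the hits out of the queue. The following Python script is an added example written for this page; it is not Microsoft's MTACLEAN.bat, FindBin.exe or Ascii2Hex.exe and is not part of the original readme. It assumes the subject is stored in the queue files as ASCII (the readme does not say which encoding the MTA .dat files use; pass additional encodings through the `encodings` argument if your files differ), and the demonstration runs against a constructed temporary directory of sample messages rather than a real queue.

```python
# Added example, not part of the Microsoft readme and not its MTACLEAN.bat /
# FindBin.exe / Ascii2Hex.exe tooling: a generic "search the queue files for
# the subject line and quarantine the hits" routine for the MTADATA and
# IMCDATA directories, parameterised on the subject so it also covers variants.
import os
import shutil
import tempfile

DEFAULT_SUBJECT = "ILOVEYOU"   # change for a variant, e.g. "VeryFunny"


def subject_to_hex(subject, encoding="ascii"):
    """Hex form of the subject line, the equivalent of running Ascii2Hex.exe.

    The readme does not state which encoding the MTA .dat files use for the
    subject; ASCII is the assumption implied by its ASCII-to-hex converter."""
    return subject.encode(encoding).hex().upper()


def hex_to_bytes(hexstr):
    """Inverse of subject_to_hex, so a hex pattern can be fed back in as raw bytes."""
    return bytes.fromhex(hexstr)


def find_infected(root, subject=DEFAULT_SUBJECT, encodings=("ascii",),
                  quarantine_name="Infected"):
    """Return the files under root whose raw bytes contain the subject line.

    The search is on bytes because the queue files carry ASCII headers plus
    encoded payload. It is case-insensitive for ASCII letters (bytes.lower()
    touches nothing else), like Explorer's "Containing text" search. The
    quarantine directory itself is pruned so hits are never rescanned."""
    needles = [subject.encode(enc).lower() for enc in encodings]
    quarantine = os.path.join(root, quarantine_name)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != quarantine]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read().lower()
            if any(n in data for n in needles):
                hits.append(path)
    return hits


def quarantine_files(root, subject=DEFAULT_SUBJECT, encodings=("ascii",),
                     quarantine_name="Infected"):
    """MOVE (not copy) every hit into root\\<quarantine_name>, preserving the
    relative path so you can still see which queue (in, out, Archive) it came
    from when reviewing. Returns the quarantine-relative paths, '/'-separated."""
    quarantine = os.path.join(root, quarantine_name)
    moved = []
    for src in find_infected(root, subject, encodings, quarantine_name):
        rel = os.path.relpath(src, root)
        dst = os.path.join(quarantine, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(src, dst)
        moved.append(rel.replace(os.sep, "/"))
    return sorted(moved)


def demo():
    """Build a throwaway IMCDATA-style tree from constructed sample messages,
    clean it for the original subject, then again for a variant."""
    root = tempfile.mkdtemp(prefix="imcdata_")
    samples = {   # constructed sample files, not real worm traffic
        "in/00000001.eml": b"From: a@example.test\r\nSubject: ILOVEYOU\r\n\r\nkindly check the attached LOVELETTER\r\n",
        "out/00000002.eml": b"From: b@example.test\r\nSubject: Re: iloveyou\r\n\r\n" + bytes(range(256)),
        "in/00000003.eml": b"From: c@example.test\r\nSubject: Q3 budget\r\n\r\nnumbers attached\r\n",
        "in/Archive/00000004.eml": b"From: d@example.test\r\nSubject: VeryFunny\r\n\r\nbody\r\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    result = {
        "hex": subject_to_hex(DEFAULT_SUBJECT),
        "moved_iloveyou": quarantine_files(root, DEFAULT_SUBJECT),
        "moved_veryfunny": quarantine_files(root, "VeryFunny"),
    }
    result["remaining"] = sorted(
        os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
        for d, _, fs in os.walk(root) for f in fs
        if not os.path.relpath(d, root).startswith("Infected"))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it only with the MTA and IMC stopped, against the RootDir you confirmed in the registry, and with `quarantine_name="ILOVEYOU"` for the MTADATA directory if you want the same folder name the readme uses. Renaming QUEUE.DAT to QUEUE.OLD is still a manual step; the script deliberately does not touch it.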
--------------------------------------------------------------------------------------------------------
Process Scope:

1. Download the virus package from the FTP server and extract the files.
2. Clean the MTADATA directory.
3. Clean the IMCDATA directory.
4. Clean the Private and Public Information Stores.


Step 1. Download the virus package from the FTP server
=======================================================

1. Connect to ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail/ILOVEYOUHLPA.zip for ALPHA binaries.
2. Connect to ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail/ILOVEYOUHLPI.zip for INTEL binaries.
3. Extract the downloaded files onto your local hard disk. This directory
   will be referred to as <>.

Contents of ILOVEYOUHLPA.ZIP and ILOVEYOUHLPI.ZIP
=================================================
Both archives have the same layout; the ALPHA archive carries Alpha builds
of the executables and the INTEL archive carries Intel builds.

\                  ILOVEYOUReadmeFirst.txt
ExMerge\           ATTACHMENTS.TXT, EXMERGE.doc, ExMerge.exe, EXMERGE.INI,
                   mfc42.dll, SUBJECTS.TXT
imc\               gwclean.exe, MSVCRTD.DLL, ProfInst.exe, resetimc.cmd
ISSCAN-postsp3\    Isintegfixpri.bat, Isintegfixpub.bat, Isscanfixpri.bat,
                   Isscanfixpub.bat, Lovecrit.txt, ISSCAN.EXE
ISSCAN-presp3\     Isintegfixpri.bat, Isintegfixpub.bat, Isscan.exe,
                   Isscanfixpri.bat, Isscanfixpub.bat, Lovecrit.txt
mta\               FindBin.exe, Mtaclean.bat, Ascii2Hex.exe


Step 2. Clean the MTADATA directory
====================================

Description: These steps clean the Microsoft Message Transfer Agent (MTA)
ONLY, removing all files that contain ILOVEYOU on the subject line.

Summary
=======
All infected *.dat files will be moved to the \exchsrvr\mtadata\ILOVEYOU
directory. Keep the MTA STOPPED until you are confident that no other MTA
will transfer the virus back to this server, or until an adequate
anti-virus solution is in place. This process can be repeated as many
times as needed.

Note: the \exchsrvr\mtadata\ILOVEYOU directory may be deleted afterwards,
if desired.

Steps:
1. Copy the contents of the <>\MTA directory to the \exchsrvr\mtadata directory.
2. Run MTACLEAN.bat.


Step 3. Clean the IMCDATA directory
===================================

How to clean the Internet Mail Connector of the "ILoveYou" virus

Scope:
1. Actions that need to be taken before cleaning the IMS / IMC
2. Understanding the different locations of the Internet Mail Connector
3. Cleaning the Internet Mail Connector

Steps to be taken before cleaning the Internet Mail Connector
-------------------------------------------------------------
1. Immediately stop the Internet Mail Connector to avoid spreading the virus.
2. Verify the location of the working IMCDATA directory. This directory
   may exist on multiple drives; only one is the working directory. To
   find out which one:
   a. Run Regedit and navigate to
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters
   b. Make a note of the RootDir value.
3. We strongly recommend backing up the Information Store.

Understanding the Internet Mail Connector's queue structure
-----------------------------------------------------------
Messages are stored in six locations in the Internet Mail Connector:

1. \Exchsrvr\Imcdata\out
2. \Exchsrvr\Imcdata\in
3. \Exchsrvr\Imcdata\in\Archive   (location for incoming message archival)
4. \Exchsrvr\Imcdata\out\Archive  (location for outgoing message archival)
5. An outgoing "mailbox" folder inside the Information Store (MTS-OUT)
6. An incoming "mailbox" folder inside the Information Store (MTS-IN)

Cleaning the Internet Mail Connector
------------------------------------
The queue areas above are referred to below as Areas 1-6: Area 1 is
\IMCDATA\OUT, Area 2 is \IMCDATA\IN, Area 3 is \IMCDATA\In\Archive and
Area 4 is \IMCDATA\Out\Archive.

Cleaning Areas 1 - 4

1. Be sure that the Microsoft Exchange Internet Mail Connector is STOPPED.
2. RENAME \EXCHSRVR\IMCDATA\QUEUE.DAT to QUEUE.OLD.
3. CREATE a temporary folder (directory) in the IMCDATA folder called "Infected".
4. Secondary CLICK (right click) on the IMCDATA folder (this is the parent
   folder of Areas 1 and 2):
   a. CLICK on "Find..." in the popup menu.
   b. You should see that "Look in:" points to "\EXCHSRVR\IMCDATA".
   c. CHOOSE the Advanced tab.
   d. In the "Containing text" field, TYPE Iloveyou (without quotes).
   e. CLICK on "Find now".
   f. MOVE (not copy) the files found to the "Infected" directory you
      created in step 3.
5. This moves any files that contain the virus to an unused directory,
   where you can review and delete the infected files. These files are
   messages that have ASCII headers but contain encoded content.

At this point Areas 1 - 4 of the connector are clean.

If you choose to clean the virus with a method other than ISSCAN, such as
ExMerge, you will also need to perform the following steps.

Cleaning Areas 5 and 6 (the Internet Mail Connector's MTS-OUT and MTS-IN)

1. Copy the contents of the <>\imc directory to the exchsrvr\bin directory.
2. Run resetimc.cmd.
3. The utility copies the contents of MTS-IN and MTS-OUT into mts-in.pst
   and mts-out.pst, respectively.


Step 4. Cleaning the Information Store
=======================================

It is important to understand that the following procedure requires the
Exchange Information Store to be stopped. If that is not an option, you
may use the ExMerge program instead. Please see the reference section
below for the ramifications of using ISSCAN and ExMerge.

Note: If ISSCAN reports an ec_Bad_Version error, simply run the other
version of ISSCAN (pre-SP3 or post-SP3).

ISSCAN Methods
==============
These methods assume you are using Exchange 5.5. If you are using another
version, see the following article for instructions:

Q224493 XADM: Using ISSCAN to Remove Virus-Affected Messages/Attachments
http://support.microsoft.com/support/kb/articles/Q224/4/93.ASP?LN=EN-US&SD=gn&FR=0

For Exchange 5.0 the procedure is the same as the Exchange 5.5 pre-SP3
procedure below; the only difference is that you must use the Exchange 5.0
version of ISSCAN, which is linked from the above Q article.

For Exchange servers with a POST 5.5 SP3 store (Store.exe version 2651.23 or higher)
------------------------------------------------------------------------------------
Steps:
1. Copy the contents of <>\ISSCAN-postsp3\ to the Exchsrvr\Bin directory.
2. Stop the Information Store.
3. Browse to the Exchsrvr\BIN directory.
4. Run ISSCANFIXPRI.BAT for the private store.
5. Run ISSCANFIXPUB.BAT for the public store.
6. Run ISINTEGFIXPRI.BAT for the private store.
7. Run ISINTEGFIXPUB.BAT for the public store.

For Exchange servers with a PRE 5.5 SP3 store (Store.exe version BEFORE 2651.23)
--------------------------------------------------------------------------------
Steps:
1. Copy the contents of <>\ISSCAN-presp3\ to the Exchsrvr\Bin directory.
2. Stop the Information Store.
3. Browse to the Exchsrvr\BIN directory.
4. Run ISSCANFIXPRI.BAT for the private store.
5. Run ISSCANFIXPUB.BAT for the public store.
6. Run ISINTEGFIXPRI.BAT for the private store.
7. Run ISINTEGFIXPUB.BAT for the public store.

Summary
=======
The ISSCAN process reports the number of attachments removed. At that
point all LOVE-LETTER-FOR-YOU.TXT.vbs attachments have been removed from
both the Private and Public Information Stores. However, when a client
logs into their mailbox they will still see the message that once carried
the virus, although the virus itself, i.e. the attachment, has been
deleted.

Scanning the Information Store using ExMerge
============================================
Refer to the detailed documentation in the <>\ExMerge\ directory for
using the ExMerge program.

Further information located in this document
============================================
- Ramifications of ISSCAN
- ExMerge runs while the store is active, so infection can still spread
- Client instructions: details on how the payload affects the client workstation
- Helpful links to anti-virus vendors and third parties regarding the virus
- Summary of Q224493 Using ISSCAN to Remove Virus-Affected Messages/Attachments
- Summary of Q246916 How to Find Mailboxes That Contain a Specific Message

********************************************************************************
THE FOLLOWING SECTION IS FOR REFERENCE ONLY
********************************************************************************

Ramifications of ISSCAN
=======================
ISSCAN removes the attachment without updating the link to it in the
message. This does not adversely affect store operation, but it causes
unnecessary errors on a client trying to open these messages. Because of
the nature of the changes made to the database, it is necessary to run
ISINTEG to correct the resulting inconsistencies in the Information
Store. The test required is the message test, so the command line is:

ISINTEG -fix [-pri|-pub] -detailed -verbose -l c:\isinteg.rpt -test message

(run it once with -pri for the private store and once with -pub for the
public store). As with all database utilities, it is recommended that you
run ISSCAN in scan or report mode before running it in fix mode to repair
the database. Further details concerning ISSCAN accompany the file.

Concerning the sample ExMerge.ini
=================================
To use the supplied ExMerge.ini, a particular command line must be used:

ExMerge -d -b exmerge.ini -srcserv SERVERNAME

Replace SERVERNAME with the server against which to run ExMerge. This
command line can be placed in a batch file to smooth execution.

There are several caveats with the supplied ini file. If any of these
settings are inappropriate for your site, they will need to be changed:
- The location of the archived data is hard coded, currently to
  c:\ExMerge. Please ensure there is enough room for the archived data in
  this location.
- The ini file assumes that SUBJECTS.TXT and ATTACHMENTS.TXT are located
  in the c:\ExMerge directory.

Concerning running ExMerge interactively
========================================
Ensure that you have selected the "Archive Data" radio button on the
"Import Procedure" tab, then enter the appropriate information on the
"Message Details" tab.

ExMerge runs while the store is active, and infection may continue to spread
============================================================================
Since ExMerge runs while the store is actively processing mail, it is
possible to clean a mailbox and have it re-infected only seconds later.
This means ExMerge may need to be run several times to successfully
disinfect a store.

PLEASE NOTE: This process may take considerably longer than the ISSCAN
utility. Since all of these deletions are transactions, keep an eye on
free space on the transaction log drive.
Client Ramifications
====================
After analysis of the VBScript, anyone who ran the script that came with
the ILOVEYOU e-mail may have their workstation affected in the following
manner:

1. The virus copies the following files to the hard drive (they may be
   present in more than one folder):
   LOVE-LETTER-FOR-YOU.HTM
   LOVE-LETTER-FOR-YOU.TXT.vbs
2. The virus makes use of the following two scripts, located in the
   system32 directory:
   win32dll.vbs
   mskernel32.vbs
3. In addition the virus sets the following registry values:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

   The Run and RunServices keys are autostart locations, so whatever
   these values point at is run again each time the machine starts or a
   user logs on. The Start Page entry changes the browser's start page:
   the next time the browser is started it will go to that URL and
   download another virus directly onto the machine, unless the start
   page is changed first.

Once all the above steps have been completed you have successfully
eradicated the virus from your server. However, this does not protect you
from future attacks. The use of an anti-virus product is imperative for
prevention.

Helpful Links
=============
Additional links for virus information:
http://www.cert.org/
http://www.symantec.com/
http://www.nai.com/
http://www.cheyenne.com/
http://datafellows.com

Microsoft Knowledge Base Article Summaries
==========================================
XADM: Using ISSCAN to Remove Virus-Affected Messages/Attachments           ID: Q224493
XADM: How to Find Mailboxes That Contain a Specific Message               ID: Q246916
XADM: Microsoft Exchange Mailbox Merge Program (Exmerge.exe) Information   ID: Q174197
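As an added example for the Client Ramifications section above (not part of the readme and not a Microsoft tool), the following Python script parses a regedit export taken from a suspect workstation, flags the Run/RunServices values and the Start Page entry the section lists, flags any of the dropped file names in a list of paths, and builds a .reg file that deletes the persistence values. The key and value names come from the readme; the sample export, the value data in it, the sample paths and the replacement start page (about:blank) are constructed for the demonstration and are not observed worm data.

```python
# Added example, not part of the Microsoft readme: check a regedit export and
# a list of file paths from a client workstation against the indicators in the
# "Client Ramifications" section, and build a .reg file that removes the
# persistence values. Key and value names come from the readme; the sample
# export below and the value data in it are constructed for the demo.
import re

PERSISTENCE_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {"MSKernel32", "WIN-BUGSFIX"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {"Win32DLL"},
}
START_PAGE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
DROPPED_FILES = {"love-letter-for-you.htm", "love-letter-for-you.txt.vbs",
                 "win32dll.vbs", "mskernel32.vbs"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse a regedit export (REGEDIT4 or 'Windows Registry Editor Version 5.00')
    into {key: {value_name: data}}. Quoted string data is unescaped; dword:/hex:
    data is kept verbatim. Multi-line hex continuations are not handled here."""
    keys, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_registry(keys):
    """Return (key, value_name, data, verdict) for every indicator present.
    Registry names are case-insensitive, so compare lower-cased."""
    by_key = {k.lower(): (k, v) for k, v in keys.items()}
    findings = []
    for ioc_key, names in PERSISTENCE_VALUES.items():
        key, values = by_key.get(ioc_key.lower(), (None, {}))
        wanted = {n.lower() for n in names}
        for name, data in values.items():
            if name.lower() in wanted:
                findings.append((key, name, data, "persistence"))
    key, values = by_key.get(START_PAGE_KEY.lower(), (None, {}))
    for name, data in values.items():
        if name.lower() == "start page":
            # the readme gives no URL, so surface the current value for the operator to review
            findings.append((key, name, data, "review-start-page"))
    return findings


def check_files(paths):
    """Flag paths whose file name is one of the dropped files (case-insensitive)."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


def cleanup_reg(findings, start_page="about:blank"):
    """Emit a .reg file: "name"=- is regedit's delete-value syntax; the start page
    is reset to start_page (this example's choice; the readme names no value)."""
    per_key = {}
    for key, name, _data, verdict in findings:
        line = f'"{name}"=-' if verdict == "persistence" else f'"{name}"="{start_page}"'
        per_key.setdefault(key, []).append(line)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, lines in per_key.items():
        out += [f"[{key}]", *lines, ""]
    return "\r\n".join(out)


SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINNT\\System32\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINNT\\WIN-BUGSFIX.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINNT\\System32\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/download"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
'''   # constructed sample export, not taken from an infected machine

SAMPLE_PATHS = [   # constructed
    r"C:\WINNT\System32\MSKernel32.vbs", r"C:\WINNT\System32\Win32DLL.vbs",
    r"C:\Temp\LOVE-LETTER-FOR-YOU.TXT.vbs", r"C:\WINNT\System32\notepad.exe",
]


def demo():
    findings = check_registry(parse_reg_export(SAMPLE_EXPORT))
    return findings, check_files(SAMPLE_PATHS), cleanup_reg(findings)


if __name__ == "__main__":
    findings, files, reg = demo()
    for f in findings:
        print(f)
    print(files)
    print(reg)
```

Export the Run, RunServices and Internet Explorer\Main keys with regedit on the workstation, run the script over the exported text, and look at the Start Page finding before the browser is next started; the generated .reg file is meant to be reviewed and then imported with regedit, after which the dropped files themselves still have to be deleted by hand.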