Microsoft KB Archive/311443

= XADM: Using Findbin.exe to Find Viruses in the MTA =

Article ID: 311443

Article Last Modified on 10/28/2006

-

APPLIES TO


 * Microsoft Exchange Server 4.0 Standard Edition
 * Microsoft Exchange Server 5.0 Standard Edition
 * Microsoft Exchange Server 5.5 Standard Edition

-



This article was previously published under Q311443



SUMMARY
This article describes how to use the Findbin.exe program to find viruses in the message transfer agent (MTA).



MORE INFORMATION
You can use Findbin.exe to search the Exchange Server message transfer agent (MTA) .dat files. Findbin.exe is primarily used to extract messages that may contain a virus.

In most cases, a batch file is created for the most common types of e-mail virus (such as ExplorerZipWorm, ILOVEYOU, or Melissa). If a batch file is not created for a virus, Findbin.exe requires the following syntax, where the hexadecimal string is the name of the attachment that the virus uses converted to hexadecimal, the files are the files that you want to look for, and the folder is the folder that you want to move the matching files to:

findbin.exe [hexadecimal string] [files] [folder]

For example, if the virus always uses an attachment that is named Badvirus.vbs, convert the name Badvirus.vbs to hexadecimal to use as the hexadecimal string. Badvirus.vbs is 62616476697275732E766273 in hexadecimal. The files that you want to look for are usually db*.dat, which are the MTA .dat files. For the folder, choose a subfolder of the Mtadata folder that you want to move the files to, such as the Virus folder. Therefore, the command line to find Badvirus.vbs in your MTA .dat files and move those files to the Virus subfolder is the following:

findbin.exe 62616476697275732E766273 db*.dat VIRUS
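The following is an added example, not Microsoft's Findbin.exe: a small Python stand-in that does what the article describes, converting an attachment name to its hexadecimal byte pattern, scanning db*.dat files for that pattern, and moving each hit into a quarantine subfolder such as VIRUS. The Mtadata folder and the .dat file contents it uses are constructed in a temporary directory.

```python
"""Added example (not Findbin.exe itself): hex-pattern search over MTA .dat
files with quarantine of matching files, as the article describes."""
import shutil
import tempfile
from pathlib import Path
from typing import List


def name_to_hex(attachment_name: str) -> str:
    """Convert an attachment name to the hexadecimal string findbin expects.
    The search is byte-exact, so 'Badvirus.vbs' and 'badvirus.vbs' produce
    different patterns; the article's value matches the lowercase spelling."""
    return attachment_name.encode("ascii").hex().upper()


def find_and_move(hex_pattern: str, file_glob: str, dest_name: str,
                  mtadata: Path) -> List[str]:
    """Scan files matching file_glob directly under mtadata for the byte
    pattern and move every hit into mtadata/dest_name.
    Returns the names of the files that were moved."""
    needle = bytes.fromhex(hex_pattern)
    dest = mtadata / dest_name
    dest.mkdir(exist_ok=True)
    moved = []
    for dat in sorted(mtadata.glob(file_glob)):
        if not dat.is_file():
            continue
        # Whole-file read: MTA queue files are small enough for this.
        if needle in dat.read_bytes():
            shutil.move(str(dat), str(dest / dat.name))
            moved.append(dat.name)
    return moved


def demo() -> List[str]:
    """Constructed Mtadata folder: one queue file carrying the attachment
    name, one clean file. Runs the search from the article's example."""
    mtadata = Path(tempfile.mkdtemp(prefix="mtadata_"))
    (mtadata / "db000002.dat").write_bytes(b"\x00\x01attachment=badvirus.vbs\x00")
    (mtadata / "db000003.dat").write_bytes(b"\x00\x01attachment=report.doc\x00")
    return find_and_move(name_to_hex("badvirus.vbs"), "db*.dat", "VIRUS", mtadata)


if __name__ == "__main__":
    print("moved to VIRUS:", demo())
```

Because the match is on raw bytes, a name stored in a different case or encoding inside the .dat file is not found; the script reports only what it moved, so compare its output against the MTA backlog before deleting anything.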

Cleaning Up a Worm Virus Attack from the Mtadata Folder
 1. Identify your MTA's database folder. Inspect the server's registry for the MTA database path value in the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeMTA\Parameters\

 2. Copy Findbin.exe to the Mtadata folder that you identified in step 1.
 3. Stop the MTA and any dependent services.
 4. Create a subfolder of the Mtadata folder named Virus.
 5. From an MS-DOS prompt or a command prompt window, run Findbin with the correct syntax. It may take some time to process all of the files. When the cursor returns to the prompt, all of the files have been processed. Any files that contain the string that you specified are moved to the Virus folder, and you can safely delete those files at your discretion.
 6. Run Mtacheck. If you do not encounter any problems, skip to step 8. If you do encounter problems when you run Mtacheck, proceed to step 7.
 7. If you encounter any problems when you run Mtacheck, copy the files Db000002.dat through Db000026.dat from the Server\Setup\ \Bootenv folder of your Exchange Server CD-ROM to the Mtadata folder that you identified in step 1. After you copy the files, remove the Read Only attribute from the copied files; otherwise you will not be able to run Mtacheck or start the MTA.

    IMPORTANT: Do not overwrite the Db000001.dat file.

 8. Restart the MTA.
 9. Repeat steps 1 through 7 if you encounter another significant backlog on the MTA because of virus mail.

Additional query words: VIRUS FINDBIN MTA MTADATA

Keywords: kbfaq kbhowto KB311443

-


© Microsoft Corporation. All rights reserved.