Compromised MailEnable installation may be infected with Trojan Service


SYMPTOMS

  • Web mail keeps prompting for Windows authentication, IME passwords are being lost, and/or the SMTP service is running slowly and mail is backing up
  • When accessing web mail in a browser you are prompted for Windows authentication credentials. The anonymous users (IME_USER, IME_ADMIN) do not have permission to access the web mail folders.
  • After running MEInstaller.exe (Start -> Run -> MEInstaller.exe) and executing option 2 and/or 3, web mail starts to work, but after an undetermined amount of time the passwords are lost and the Windows passwords are required again.
  • In the Event logs you have an error similar to the following:

The MailEnable SMTP Relay Service service terminated unexpectedly. It has done this XXXXX time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.

  • The SMTP service is running slowly and mail in outbound queues is being processed very slowly.

CAUSE

The service mentioned in the event log above is a Trojan that names itself "MailEnable SMTP Relay Service" to pose as a MailEnable service.

If you have Norton (and possibly other AV solutions) it should pick up the virus as rdriv.sys; the virus appears to use a caching kit to conceal its location.

The service tries to send mail out of the server. This slows down mail throughput and uses higher than normal CPU, making the queues back up on high volume servers. It also removes some permissions on the MailEnable IME_ADMIN and IME_USER accounts, or changes/removes their passwords; the effect is that the web mail web sites stop working.

SOLUTION

If you have not patched your server with current hotfixes, then it is possible that someone has exploited an unpatched version of the SMTP connector. (MailEnable sends out notifications of patches through the update list on the MailEnable home page, the RSS feed, etc.)

You should upgrade to the current release as soon as possible.
 
To remove the virus, follow these directions supplied by HiVelocity Hosting:

First, go to Administrative Tools and then Services. Scroll down to MailEnable's services and look for the one called "MailEnable SMTP Relay Service". (If you don't have it, you are probably not infected by this virus.) If you do have it, right click on it, go to Properties and choose Disabled as the Startup type. [Click OK]

Open Task Manager. Find the process called "mesmtpsvc.exe", right click on it and choose End Process.
 
Then open Windows Explorer and navigate to C:\WINDOWS\System32. Look for the following files:
a.exe
bot.exe
bw.exe
gethashes.exe
getsyskey.exe
nc.exe
rdriv.sys
start.bat
 
Delete them by selecting the files, holding down the Shift key and pressing the Delete button on your keyboard.
 
Then go to C:\WINDOWS and make sure "mesmtpsvc.exe" is not present; if it is, delete it. Open the Windows Registry Editor (Start -> Run -> regedit).

Go to Edit -> Search, search for rdriv.sys and then for start.bat, and remove any and all references to these two files from the Registry.

Download the latest version of MailEnable from http://www.mailenable.com/download.asp and run the installer as you would any other Windows application. Don't change any of the settings; leave them as-is. Reboot the server and double check that those .exe files have not reappeared. If you did not remove start.bat, you are likely to be infected again.
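As an added example, not part of this article or of HiVelocity's instructions, the following read-only PowerShell script checks a server for the indicators listed above: the bogus service and its image path, the mesmtpsvc.exe process, the dropped files, and registry values naming rdriv.sys or start.bat in the usual service and autostart keys. It assumes Windows PowerShell 5.1 or later run as an administrator, and it reports findings without deleting anything.

```powershell
# Added example (not from the MailEnable article): read-only check for the
# indicators the article lists. Assumes Windows PowerShell 5.1+ run as an
# administrator. It reports findings only and deletes nothing.
$findings = @()

# 1. The bogus service. Genuine MailEnable services carry no "SMTP Relay" name.
$svc = Get-Service -DisplayName 'MailEnable SMTP Relay Service' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service present: '$($svc.DisplayName)' (name=$($svc.Name), status=$($svc.Status))"
    $cfg = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    if ($cfg) { $findings += "  Image path: $($cfg.PathName)" }   # where the binary really lives
}

# 2. The process the article says to end.
Get-Process -Name 'mesmtpsvc' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: mesmtpsvc.exe (PID $($_.Id), path=$($_.Path))"
}

# 3. The dropped files in System32 and the copy of mesmtpsvc.exe in the Windows folder.
$dropped = 'a.exe','bot.exe','bw.exe','gethashes.exe','getsyskey.exe','nc.exe','rdriv.sys','start.bat'
$paths = ($dropped | ForEach-Object { Join-Path (Join-Path $env:SystemRoot 'System32') $_ }) +
         (Join-Path $env:SystemRoot 'mesmtpsvc.exe')
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 4. Registry values referring to rdriv.sys or start.bat in the usual service and
#    autostart locations (the article's full regedit search still applies).
$roots = 'HKLM:\SYSTEM\CurrentControlSet\Services',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($root in $roots) {
    # Include the root key itself: Run/RunOnce hold their values directly on it.
    $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            if ($val -match 'rdriv\.sys|start\.bat') {
                $findings += "Registry: $($key.Name)\$name = $val"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the article were found.' }
else { "Indicators found ($($findings.Count)):"; $findings | ForEach-Object { "  $_" } }
```

A clean result from this script does not rule out infection, since it only covers the locations the article names; treat any hit as confirmation and proceed with the removal steps above.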
 


Product: MailEnable (All Versions)
Category: Environment
Article: ME020475
Module: General
Keywords: IME_ADMIN, IME_USER, web, mail, webmail, password, authentication, windows, SMTP, slow
Class: INF: Product Information
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable