Using Transport Rules to protect your organization from the ‘Here You Have’ Worm

by Bharat Suneja

The Here You Have worm, also known as Visal.B, has been spreading through network shares and email (more details on Microsoft’s Malware Protection Center web site). When spreading through email, the worm sends itself to your contacts with the following strings in the Subject field and message body:

  • Subject: Here you have

    Body:
    Hello:

    This is The Document I told you about,you can find it Here.
    http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,

  • Subject: Just for you

    Body:
    Hello:

    This is The Document I told you about,you can find it Here.
    http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,

  • Subject: hi

    Body:
    Hello:

    This is The Free Dowload Sex Movies,you can find it Here.
    http://www.sharemovies.com/library/SEX21.025542010.wmv

    Enjoy Your Time.

    Cheers,

In Exchange Server 2010/2007, you can use Transport Rules to quickly and easily prevent such malware from spreading by email. Transport Rule Predicates (or Conditions in the Transport Rule wizard) and Actions are the building blocks of a transport rule. You can use rule conditions to inspect the content of different parts of a message such as message headers, sender/recipients, message subject, and message body. In Exchange 2010, the Transport Rules agent can also inspect attachment content.

For a full list of predicates and actions, see Transport Rule Predicates and Transport Rule Actions.

Creating the Transport Rule

You can use the New Transport Rule wizard in the EMC or the New-TransportRule cmdlet (Cmdlet reference: Exchange 2010 | Exchange 2007) from the Shell (EMS) to create transport rules.

To block messages whose subject or body matches the examples above, use the when the Subject field or message body contains specific words predicate (SubjectOrBodyContains when using the Shell) to inspect the message subject and body. Alternatively, you can use predicates that match only the Subject field (when the Subject field contains specific words in the EMC, or SubjectContains in the Shell), or predicates that use regular expressions to match the content of these fields.

To delete messages matching the condition, use the Delete the message without notifying anyone action (DeleteMessage in the Shell).

Test transport rules, particularly rules that take actions such as deleting messages, in a non-production environment before applying them in production. IMPORTANT: Transport rules without any conditions specified apply to all messages.

Create the transport rule using the EMC

  1. Go to Organization Configuration > Hub Transport > Transport Rules tab > click New Transport Rule
  2. On the Introduction page, type a name and optionally a description for the rule.
  3. On the Conditions page, select the when the Subject field or message body contains specific words condition [see screenshot]
  4. In the rule description, click specific words and enter the strings found in the ‘Here You Have’ messages [see screenshot]:
  5. On the Actions page, select the Delete message without notifying anyone action.
  6. On the Exceptions page, select any exception predicates. No exceptions are used in this example because the strings used in the SubjectOrBodyContains predicate are very specific to the ‘Here You Have’ worm and unlikely to occur in normal messages exchanged by your recipients.


Figure 1: A transport rule that inspects the message subject and body for specified strings can help you protect your organization from the ‘Here You Have’ worm and similar threats

For more, see Create a Transport Rule in the Exchange 2010 documentation.

Create the transport rule using the Shell

This command creates a transport rule that deletes messages containing any of the following strings in the message subject or body:

New-TransportRule "Delete Here You Have" -Priority 0 -SubjectOrBodyContains "Here you have","Just for you","http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf","http://www.sharemovies.com/library/SEX21.025542010.wmv" -DeleteMessage $true
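A tighter variant, added here as an example and not part of the original post: it matches only the two payload URLs with the regular-expression predicate (SubjectOrBodyMatchesPatterns) mentioned above, so common subject phrases such as "Just for you" are left alone, and it creates the rule disabled so it can be reviewed before it starts deleting mail. It assumes an Exchange 2010 Management Shell session; the rule name and comment text are my own.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010 EMS session.
# Indicator URLs taken from the worm messages quoted in the post.
$wormUrls = @(
    'http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf',
    'http://www.sharemovies.com/library/SEX21.025542010.wmv'
)

# Escape each URL so '.' matches a literal dot and not any character;
# otherwise the pattern is looser than the string it came from.
$patterns = $wormUrls | ForEach-Object { [regex]::Escape($_) }

# Rule name and comment are placeholders chosen for this example.
$ruleName = 'Delete Here You Have (URL match)'

# Create the rule disabled: nothing is deleted until it has been reviewed.
New-TransportRule -Name $ruleName `
    -Priority 0 `
    -SubjectOrBodyMatchesPatterns $patterns `
    -DeleteMessage $true `
    -Enabled $false `
    -Comments 'Deletes Visal.B (Here You Have) worm mail by payload URL'

# Review what was actually stored, then switch the rule on.
Get-TransportRule $ruleName |
    Format-List Name, Priority, State, SubjectOrBodyMatchesPatterns, DeleteMessage

Enable-TransportRule $ruleName
```

Because the rule is created with `-Enabled $false`, a mistyped pattern can be caught with Get-TransportRule before any message is affected.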

Transport Rules offer a large number of predicates and actions that let you apply your organization’s messaging policies and also protect it from harmful content. You can use them as an additional layer of protection alongside the Exchange-specific antivirus/antispam software you likely run on your Exchange 2010/2007 Transport and Mailbox servers.

More importantly, Transport Rules can form a key part of your defense against malware in the wild that goes undetected by your antivirus software until the vendor has created a signature and it has been downloaded to your servers.


willi September 13, 2010 at 1:05 am

I don’t think it makes sense to delete messages if they contain the strings “Here you have” or “Just for you” in the subject. From my point of view these strings are pretty common in regular mails. I think you should only match the problematic URL in the body.


Bharat Suneja September 13, 2010 at 8:09 pm

These are examples. You should use what works best for your organization. If all emails contain the specific URLs shown in the above example (as noted in the MSRC link), the URLs should suffice.


ST October 12, 2010 at 11:19 am

I agree with Willi. These examples are poor and aren’t even worth a blog post. If you’re going to create an example, at least do it credibly and with some intelligence.


Avinash Sharma September 20, 2012 at 9:57 pm

Hi Bharat, is it possible to create a rule to scan the content of an attachment?


Bharat Suneja September 21, 2012 at 12:59 am

Yes, using transport rules you can scan content in supported attachments. Use either of the following predicates:
1. AttachmentContainsWords
2. AttachmentMatchesPatterns

See Transport Rule Predicates for details.


Georsad February 15, 2016 at 9:58 am

Hi All, I’ve reviewed this post, but I have one doubt regarding it.

If I configure a Transport Rule to block some email based on the content of the subject or body,
e.g. I want to block the word “artic”, I expect that when someone sends me an email containing “I send you this article” Exchange lets it pass. But it seems that Exchange is blocking the email because it contains the word “article”, which matches the word “artic” configured in the Transport Rule. Is this correct or normal behaviour?

What is the correct way to configure Exchange so that the only mail it blocks is mail containing the word “artic”, and it lets “I send you this article” pass, because that is a different word; artic is not the same as article.

Hope that you guys could bring me some light on this.

Regards.
