Worm:Win32/VB.WF Updates: How to block on FPE or Antigen 9.2, FSE?

Here's some updated information regarding Worm:Win32/Visal.B, known as the "Here you have" worm (the SHA1 of the sample, which uniquely identifies the threat, is 0x0BA8387FAAF158379712F453A16596D2D1C9CFDC). Although it's known for the "Here you have" subject line, it can also use two others ("Just for you" and "Hi").

If you're using the Cloudmark antispam engine in Forefront Protection 2010 for Exchange Server (FPE) or Antigen 9.2 with up-to-date definitions, your environment should be protected. If you're using Forefront Security for Exchange Server (FSE), or aren't using the antispam features in FPE or Antigen, you can block these virus e-mails in several ways:

  1. During Transport scan (messages in transport):
    • Subject line filtering on FPE. (FSE doesn't provide subject line filtering on the Transport Scan Job. This also assumes the messages don't carry an AV stamp.) The subject line of the e-mail is typically "Here you have"; create a subject line filter to block/delete messages that use it.
    • Exchange Transport rules. You can use Exchange transport rules to block messages based on their subject line.
  2. During Mailbox scan (messages in transit at the Store level via the Realtime scan job, plus cleanup of what's already in the Store via the Scheduled scan job):
    • Use the FPE and/or FSE Realtime and Scheduled Scan subject line filters.
    • Use the Exchange Management Shell to purge queued copies: Get-TransportServer | Get-Queue | Get-Message | Where-Object {$_.Subject -eq "Here you have"} | Remove-Message

    More Info: Using subject line filtering to stop this worm
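As an added example (not part of the original post), here are the transport-rule and queue-purge steps above scripted for the Exchange 2010 Management Shell; the rule name is a constructed placeholder, and a session with rights to manage transport rules and queues is assumed.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010
# Management Shell; the rule name below is a constructed placeholder.

# Subjects the post attributes to Worm:Win32/Visal.B. "Hi" is deliberately
# left out: matched on its own it would also delete legitimate mail.
$WormSubjects = @('Here you have', 'Just for you')

# Anchor the patterns so a subject like "Here you have the report" is not caught.
$SubjectPatterns = $WormSubjects | ForEach-Object { '^' + [regex]::Escape($_) + '$' }

# Step 1 - Transport scan: a Hub Transport rule that silently drops matching mail.
$RuleName = 'Drop Visal.B subjects (EXAMPLE)'
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SubjectMatchesPatterns $SubjectPatterns `
        -DeleteMessage $true `
        -Comments 'Temporary block for Worm:Win32/Visal.B; remove once definitions cover it'
}

# Step 2 - Copies already sitting in the transport queues: remove them without an
# NDR, so the bounce does not carry the worm's subject line back out.
foreach ($server in Get-TransportServer) {
    Get-Message -Server $server.Name -ResultSize Unlimited |
        Where-Object { $WormSubjects -contains $_.Subject } |
        Remove-Message -WithNDR $false -Confirm:$false
}

# Verify what the rule will actually do before relying on it.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, SubjectMatchesPatterns, DeleteMessage
```

Once the antivirus/antispam definitions cover the worm, remove the rule with Remove-TransportRule so the subject-line block does not linger.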