Using Exmerge as a Virus Cleanup Tool

Microsoft designed Exmerge to do more than just delete infected email messages. Exmerge’s original purposes were to let Exchange administrators copy, move, or merge data from one Exchange database to another and to fix corrupted databases. A side effect of this functionality is that the tool also lets you move (i.e., archive) messages from a current server into a Personal Store (.pst) file, which has the same effect as deleting the messages. Tell Exmerge to archive only infected messages (matching a common criterion such as file attachment name), and the tool will remove all email worm messages. Then, you can delete the massive .pst files the archive process creates. Be aware that you’ll need gigabytes of free space to run Exmerge on most servers, and Exmerge can delete infected email messages in all server-side mailboxes (e.g., Inbox, Deleted, Outbox) at once. To use the pre-2000 version of Exmerge, follow these steps:

1. In Exchange 5.5 or earlier, use the Exchange Service account to log on to the Exchange server.
2. Create a folder called Exmerge on the server, then extract the Exmerge files (i.e., exmerge.exe, exmerge.ini, and mfc42.dll) to that folder.
3. If you disabled Exchange’s Information Store, enable it again.
4. Run exmerge.exe, then click Next to start the Microsoft Exchange Mailbox Merge Wizard.
5. In the wizard’s first dialog box, select the Two step merge option.
6. In the next dialog box, select the Step 1: Copy data to Personal Folders option, then click Next.
7. Type the name of the Exchange server in the Microsoft Exchange Server Name text box. Click Options.
8. In the Data Selection Criteria dialog box, which Figure A shows, click the Data tab, then select the check box beside the content that you want to delete (e.g., User messages and folders). Click Apply.
9. Click the Import Procedure tab, then select the Archive data to target store option. This step is important because it moves the infected messages to a destination .pst file and deletes the original message from the source mailboxes. A message will warn you about the pending operation; click Yes. Click Apply.
10. Click the Message Details tab. In the Enter new message subject and Enter new attachment name text boxes, which Figure B shows, type some unique identifying information that will target only infected messages. Click Add, click Apply, then click OK.
11. Click the Dates tab, then type a specific range of dates. If the attack just occurred, I usually choose just one day.
12. Click Select All, then click Next to run Exmerge. My scans usually take between 5 minutes and 60 minutes per hundred users.
13. When Exmerge is finished, check a previously infected Outlook client to make sure that all infected email messages are gone. Delete the Exmerge-created .pst files only after you’re sure that you didn’t accidentally delete any uninfected email messages.