Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

XADM: The Nimda Virus May Infect the Files in Log Folders on New Exchange 2000 Virtual Servers in a Cluster



This article was previously published under Q312465



Symptoms

When you create new virtual servers for Exchange 2000 Server when it is running on a cluster, log files for the Exchange 2000 virtual servers might be infected by viruses that may spread to network shares, such as the Nimda virus.



Cause

This problem can occur because when you create a new Exchange 2000 virtual server in a cluster under Microsoft Windows 2000, a log folder is created on the shared cluster disk resource that is assigned to the new Exchange 2000 virtual server. This log folder is created under the Exchsrvr folder and has a folder name of virtual_server_name.log, where virtual_server_name is the name that you gave the new Exchange 2000 virtual server.

For example, if you create a new Exchange 2000 virtual server that is called Exchange1, and give it the cluster disk resource of drive I, the following folder is created:
I:\Exchsrvr\Exchange1.log
This folder is shared out to the Everyone group on the network, which allows a virus to infect the files in the folder.

Fortunately, although the files in the .log folder can be infected by a virus such as the Nimda virus, none of the files are executable files; therefore, the files do not allow the virus to spread to other files on the nodes in your Exchange 2000 cluster. The Nimda virus is unable to infect the Admin.dll file or spread itself to other computers on the network after the virus infects the log files. However, if your antivirus program moves these log files because they are infected, new log files are created and re-infected, which might result in continual antivirus program notifications about the same files being infected again and again.



Resolution

To resolve this problem, use an account with Administrator rights on the servers to change the access on these .log folders to read-only. Use the following steps on each node in the cluster that is in control of an Exchange 2000 virtual server:
  1. On the desktop, right-click the My Computer icon, and then click Manage in the shortcut menu.
  2. In the Computer Management tree, double-click Shared Folders to open it, and then click Shares.
  3. In the list of shared folders on the right, a share is displayed for each Exchange 2000 virtual server that this node currently controls in the cluster. The shared folder is named virtual_server_name.log (where virtual_server_name is the name that you gave the new Exchange 2000 virtual server). Double-click this shared folder name to open its properties. Click the Share Permissions tab in the properties.
  4. Click the Everyone group. Under Permissions, click to clear the Full Control and Change check boxes, so that the only permission left granted to the group Everyone is Read. Click OK to save the changes and close the Computer Management window.
  5. Look at the file permissions for all of the other shares on this cluster node and make sure that none of the other shares are shared out to the Everyone group with full access; if shares are shared out to the Everyone group with full access, those folders also are at risk of virus infection.
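
The check in step 5, and the permission change in step 4, as a scripted audit. This is an added example and not part of the original Microsoft article: it assumes a current Windows Server with the SmbShare PowerShell module (which does not exist on Windows 2000) and an English-language system where the group is named Everyone. The function names Get-EveryoneWritableShare and Set-EveryoneReadOnly are hypothetical.

```powershell
# Added example. Assumes the SmbShare module (Windows Server 2012 or later)
# and an English-language system where the group is named 'Everyone'.

function Get-EveryoneWritableShare {
    # Emit one record per share on which Everyone is allowed Full or Change.
    Get-SmbShare -Special $false | ForEach-Object {
        $share = $_
        $share | Get-SmbShareAccess |
            Where-Object {
                $_.AccountName -eq 'Everyone' -and
                "$($_.AccessControlType)" -eq 'Allow' -and
                "$($_.AccessRight)" -in 'Full', 'Change'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share = $share.Name
                    Scope = $share.ScopeName
                    Path  = $share.Path
                    Right = "$($_.AccessRight)"
                }
            }
    }
}

function Set-EveryoneReadOnly {
    # Hypothetical helper: replace Everyone's entry on one share with Read.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $ScopeName = '*'
    )
    if ($PSCmdlet.ShouldProcess($Name, 'Reduce Everyone to Read')) {
        Revoke-SmbShareAccess -Name $Name -ScopeName $ScopeName -AccountName 'Everyone' -Force | Out-Null
        Grant-SmbShareAccess -Name $Name -ScopeName $ScopeName -AccountName 'Everyone' -AccessRight Read -Force | Out-Null
    }
}

# Review the findings first; the log shares appear as <virtual_server_name>.log.
$findings = @(Get-EveryoneWritableShare)
$findings | Format-Table -AutoSize

# Dry run of the fix for every finding; drop -WhatIf to apply it.
foreach ($f in $findings) {
    Set-EveryoneReadOnly -Name $f.Share -ScopeName $f.Scope -WhatIf
}
```

Run it on each node that currently owns a virtual server, since a clustered share is only visible on the node that controls it.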



Status

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.



Keywords: KB312465, kbnofix, kbbug


Article Info
Article ID : 312465
Revision : 5
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False