Ransomware: high-rate Dropbox attack on healthcare, Switzerland, 24-25.08.2016

Malware (Fortiguard detection name): JS/Nemucod.ARH!tr

We have seen a high rate of 50-100 ransomware attachments per customer, addressed to correct e-mail addresses, sent out from:


Fortiguard and McAfee detected it from around 12:30 on 24.08.2016, BUT not before.

The URLs contained in the e-mail body were already listed at that time. The e-mail contains a link, purporting to come from Commerzbank, to a file hosted on a Dropbox account.

The second wave contains an attachment named rechnung.zip.


Raw log from Fortimail:

2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com []","",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"

2855,"2016-08-24","12:35:31","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAZU4S021464-u7OAZU4U021464","133-53-143-63.static.reverse.lstn.net []","",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021465",,"statistics"

2856,"2016-08-24","12:34:24","FortiGuard AntiSpam-IP","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","=?windows-1251?B?RGVubmlzIExlbmcgaGF0IGRpZSBTYW1tbHVu?=    =?windows-1251?B?ZyCEUmVjaG51bmcuemlwkyBmdXIgU2llIGZy?=    =?windows-1251?B?ZWlnZWdlYmVuLg==?=","u7OAYNrr021457-u7OAYNrt021457","6-219-63-74.static.reverse.lstn.net []","",6997,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021458",,"statistics"

2857,"2016-08-24","12:34:09","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAY8wv021455-u7OAY8wx021455","131-53-143-63.static.reverse.lstn.net []","",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021456",,"statistics"

2859,"2016-08-24","12:33:14","Not Spam","Accept",,"no-reply@dropbox.com","customer01@butsch.ch","=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?=    =?windows-1251?B?dW5nIIRSZWNobnVuZy56aXCTIGZ1ciBTaWUg?=    =?windows-1251?B?ZnJlaWdlZ2ViZW4u?=","u7OAXC7Y021443-u7OAXC7c021443","f5.81.b6.static.xlhost.com []","",7035,"in","mta","0:3:3","butsch.ch",,"OK","0200021444",,"statistics"
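As an added example (not part of the original post or of any Fortinet tooling), the following Python script parses the five Fortimail rows quoted above, decodes the windows-1251 encoded subjects so the lure text becomes readable, and lists the messages the gateway accepted before the virus signature existed, which is the list of mailboxes that need follow-up. The column names are an assumption derived from the visible values, since the log has no header line; the two rows that appear above with doubled quotes are the same rows with one extra layer of CSV quoting removed.

```python
"""Triage of Fortimail 'statistics' rows from the Dropbox/Nemucod wave (added example)."""
import csv
from email.header import decode_header

# Assumed column layout of a Fortimail statistics row (22 fields per line).
# The log carries no header, so these names were derived from the visible values.
COLUMNS = [
    "seq", "date", "time", "classifier", "disposition", "unused5", "sender",
    "recipient", "subject", "session", "client", "unused11", "size",
    "direction", "role", "policy", "domain", "virus", "sender_check",
    "message_id", "unused20", "log_type",
]

# The five rows quoted in the post, in plain CSV quoting.
SAMPLE_LOG = """
2850,"2016-08-24","12:38:53","Virus Signature","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","Ihre Mahnung vom 23.08.2016","u7OAcqI9021476-u7OAcqIB021476","f3.81.b6.static.xlhost.com []","",17405,"in","mta","0:3:3","butsch.ch","JS/Nemucod.ARH!tr","OK","0200021477",,"statistics"
2855,"2016-08-24","12:35:31","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAZU4S021464-u7OAZU4U021464","133-53-143-63.static.reverse.lstn.net []","",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021465",,"statistics"
2856,"2016-08-24","12:34:24","FortiGuard AntiSpam-IP","Reject",,"no-reply@dropbox.com","customer01@butsch.ch","=?windows-1251?B?RGVubmlzIExlbmcgaGF0IGRpZSBTYW1tbHVu?=    =?windows-1251?B?ZyCEUmVjaG51bmcuemlwkyBmdXIgU2llIGZy?=    =?windows-1251?B?ZWlnZWdlYmVuLg==?=","u7OAYNrr021457-u7OAYNrt021457","6-219-63-74.static.reverse.lstn.net []","",6997,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021458",,"statistics"
2857,"2016-08-24","12:34:09","Grey List","Delay",,"no-reply@dropbox.com","customer01@butsch.ch",,"u7OAY8wv021455-u7OAY8wx021455","131-53-143-63.static.reverse.lstn.net []","",0,"in","mta","0:3:3","butsch.ch",,"FORGED","0200021456",,"statistics"
2859,"2016-08-24","12:33:14","Not Spam","Accept",,"no-reply@dropbox.com","customer01@butsch.ch","=?windows-1251?B?V2lsbGlhbSBCZXJyeSBoYXQgZGllIFNhbW1s?=    =?windows-1251?B?dW5nIIRSZWNobnVuZy56aXCTIGZ1ciBTaWUg?=    =?windows-1251?B?ZnJlaWdlZ2ViZW4u?=","u7OAXC7Y021443-u7OAXC7c021443","f5.81.b6.static.xlhost.com []","",7035,"in","mta","0:3:3","butsch.ch",,"OK","0200021444",,"statistics"
"""


def decode_subject(raw):
    """Turn RFC 2047 encoded words such as =?windows-1251?B?...?= into text.

    Fortimail logs the Subject header verbatim; decode_header() splits it into
    (bytes, charset) chunks and merges adjacent encoded words of one charset.
    """
    text = []
    for chunk, charset in decode_header(raw or ""):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        text.append(chunk)
    return "".join(text)


def parse_rows(log_text):
    """Parse statistics rows into dicts keyed by the assumed column names."""
    rows = []
    for line in log_text.splitlines():
        line = line.strip()          # exported rows often carry trailing blanks
        if not line:
            continue
        fields = next(csv.reader([line]))
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected field count {len(fields)}: {line[:60]}")
        row = dict(zip(COLUMNS, fields))
        row["subject_text"] = decode_subject(row["subject"])
        rows.append(row)
    return rows


def relay_host(client_field):
    """'f3.81.b6.static.xlhost.com []' -> 'f3.81.b6.static.xlhost.com'."""
    return client_field.split()[0].lower() if client_field.strip() else ""


def delivered_before_signature(rows, claimed_sender="no-reply@dropbox.com",
                               sender_domain="dropbox.com"):
    """Accepted messages that claim the sender but were relayed from outside its domain.

    These recipients got the wave before the AV signature existed and need
    follow-up (mailbox search, user warning); rejected/delayed rows are skipped.
    """
    hits = []
    for row in rows:
        if row["disposition"] != "Accept" or row["sender"].lower() != claimed_sender:
            continue
        host = relay_host(row["client"])
        if host == sender_domain or host.endswith("." + sender_domain):
            continue                 # genuinely relayed by the claimed domain
        hits.append({"time": row["time"], "recipient": row["recipient"],
                     "session": row["session"], "relay": host,
                     "subject": row["subject_text"]})
    return hits


def campaign_timeline(rows):
    """(time, disposition, classifier, virus) per row, oldest first."""
    return sorted((r["time"], r["disposition"], r["classifier"], r["virus"]) for r in rows)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_LOG)
    for when, disposition, classifier, virus in campaign_timeline(parsed):
        print(f"{when}  {disposition:<7} {classifier:<24} {virus}")
    for hit in delivered_before_signature(parsed):
        print("DELIVERED:", hit)
```

The timeline shows what the post describes: the 12:33 message was accepted as "Not Spam", and only the 12:38 message was rejected on the JS/Nemucod.ARH!tr signature; the accepted row is the one the script reports for follow-up.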

Exchange: Public Folders / System Folders, which ones should be replicated?

This is a question we have often seen, and there is a Microsoft KB article which gives a good overview of which folders come from which version of Exchange.

Sadly, the Microsoft script ".\AddReplicaToPFRecursive.ps1 -server "SBSERVER2" -TopPublicFolder "\non_ipm_subtree" -ServerToAdd "SBSERVER2"" does not take that KB into account and has no knowledge of what should and should not be replicated.

We had a case where the OLD Exchange 2010 "System Folders" under "\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1" were replicated from an Exchange 2010 server to a replaced Exchange 2010 DAG member. The customer also had McAfee Security for Exchange 8.5 P1 running, which lets you exclude public folders from mailbox scanning but NOT from scanning on the Hub Transport function. Because a file filter for .JS was in place, the replication messages triggered an alert.


Here is the alert, triggered by the .js extension of the files replicated from the old Exchange 2000 public folder structure:

Date/time sent: 08/04/2016 03:04:13

Folder Content Backfill Response

What was done: File Filter, 11 hits (ctrl_Tree20.js; ctrl_View20.js; dlg_anr.js; dlg_ANR20.js; dlg_gal.js; dlg_GAL20.js; dlg_MoveCopy20.js; dlg_NewFolder20.js; dlg_Options20.js; dlg_recurrence.js; dlg_Recurrence20.js)

Server on which this was done:

OnAccess (Transport)

McAfee DAT that was used:





Exchange OLE DB Provider


EXOLEDB Introduction

EXOLEDB creates a number of system folders under the NON_IPM_SUBTREE during the Accept Clients phase of message database (MDB) initialization. Some of the folders remain for historic reasons, but most have useful purposes. If the folders are deleted, it can affect the server. None of these folders should be replicated. The folders that are created include the following:

  • \NON_IPM_SUBTREE\schema-root\
  • \NON_IPM_SUBTREE\schema-root\Default
  • \NON_IPM_SUBTREE\schema-root\Microsoft\
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\controls
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\img
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\views
  • \NON_IPM_SUBTREE\StoreEvents\
  • \NON_IPM_SUBTREE\StoreEvents\GlobalEvents
  • \NON_IPM_SUBTREE\StoreEvents\Internal

In all cases, subfolders named with the GUID correspond to the MDB object with the same GUID.

The first folders created are the schema folders.


The following list introduces the schema-root:

  • \NON_IPM_SUBTREE\schema-root\

    This was introduced in Exchange 2000 Server.

  • \NON_IPM_SUBTREE\schema-root\Default

    This was introduced in Exchange 2000 Server Service Pack 1 (SP1).

  • \NON_IPM_SUBTREE\schema-root\Microsoft\

    This was introduced in Exchange 2000 Server SP1.

  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1

    This was introduced in Exchange 2000 Server SP1.

The following shows a typical schema path for a public MDB:

  • File://./BackOfficeStorage/<domain>/<TLHName>/NON_IPM_SUBTREE/schema-root/microsoft/exchangeV1

The private MDB schema path is under the system attendant mailbox.

EXOLEDB supports multiple schemas, or property type definitions. These folders support the Exchange Web Store development platform. The idea was that folder items could reference various versions of the schema and exist alongside each other. At one point in Exchange 2000 Server, schema files were in the schema root folder, and changes to the schema effectively propagated to all items. Because this led to problems in the application development workspace, where each item needed to be handled to remove or add props as appropriate, Microsoft adopted a versioning method. Under schema-root, Microsoft creates subfolders with application and version elements to allow effectively seamless upgrades. EXOLEDB watches the schema folders for changes, so that it can propagate the entries, dump the schema cache, and repopulate as processing occurs. The \schema-root\Default folder is where normal folder items obtain their schema, and the schema-root folder is flagged as pointing to the ExchangeV1 folder. EXOLEDB populates the schema entries from the .xml files, which are processed by an event sink, EXSCHEMA.EXE. The schema event sink binding cannot be deleted or removed, because it does not have an entry in the EventBindings folder like most events.

EXCHWEB, Views, IMG, and Controls

The following list introduces EXCHWEB, views, IMG, and controls:

  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\controls
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\img
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\views

Introduced in Exchange 2000 Server SP1, these items were not populated in Exchange 2000 Server Service Pack 3 (SP3), and they are not populated in Exchange Server 2003.

For the local store to open items that reference Microsoft Outlook® Web Access control functionality, the files must be in a folder that can be synchronized. These folders once contained copies of the Web data for Outlook Web Access to allow LIS stored items to open, but have never actually been used outside of LIS.

Next, EXOLEDB starts the event binding system, which creates StoreEvents.



All store event folders described in the following list have been present since Exchange 2000 Server:

  • \NON_IPM_SUBTREE\StoreEvents\
  • \NON_IPM_SUBTREE\StoreEvents\GlobalEvents
  • \NON_IPM_SUBTREE\StoreEvents\Internal

This is the event binding folder, where EXOLEDB stores information on events bound to a specific MDB. At startup, EXOLEDB must enumerate the events here, which can lead to long store startup times with large numbers of event sinks. Exchange Server 2003 performance in this area is greatly improved, but the time to mount an MDB is still affected by the number of rows. Each binding is validated for class, having a valid event method, such as onsave or ontimer, a valid clsid, and sink parameters. Events with a match class of ANY can only be registered in the GlobalEvents subfolder.

After creating the schema folders and starting the event bindings system, EXOLEDB creates the Outlook Web Access scratch pad.



The OWAScratchPad was introduced in Exchange 2000 Server SP1. It appears as follows:


Posts have to start out somewhere to have attachments, and for public store logons, that place is the Outlook Web Access scratch pad. Because Distributed Authoring and Versioning (DAV) does not cross MDB operations, you need a point on every mailbox where you can always write posts to, so that you can support adding attachments. The posts are staged in the OWAScratchPad until all attachments are added, or they are saved. The size limit on the Outlook Web Access scratch pad controls the size of attachments that can be added through Outlook Web Access. Attempts to post larger messages should result in the following error:

  • This item exceeds the maximum size defined for this folder and cannot be saved. Contact your administrator to have the folder limits increased.

The size of OWAScratchPad is always reset to 1 megabyte (MB) at EXOLEDB initialization if the registry key HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA REG_DWORD value "Message Size Limit" is not set. This is required for Microsoft SharePoint® Portal Server, because EXOLEDB has no idea if you are running in magma mode.

Outlook Web Access posts to the scratch pad are done in flat URL format, meaning they directly reference the folder and message. This is to support deep vroots where the friendly URL might be too long.


Consider the following frequently asked questions (FAQs).

What causes duplicate system folders?

There are two categories for this question:

  • Active Directory objects: When a store is deleted, you have no way to tell Active Directory that the public folder objects went away. Then, when folders are re-created, they do not get attached to the corresponding Directory Service objects. New Directory Service objects are created.
  • Actual folders: If the folders are set to replicate, and the store in question is deleted, EXOLEDB will re-create the folders on startup, and replication can then create a second duplicate of any such folders. This causes problems with event bindings. Deleting the duplicate folders through friendly URLs is dangerous, because the two will often have duplicate friendly URLs.

Why do folders get strange names?

When the number of system folders with the same name grows, a random number is appended to the Directory Service proxy to make it unique, resulting in names like controls12345678.

Why can I not delete folders?

If you were to delete the folders, EXOLEDB would put them back. Also, most of these folders have uses that will adversely affect the operation of the server if not present.

How do I fix missing schema folders?

If schema folders are missing, that is, not present under the NON_IPM_SUBTREE, setting the following registry key to a REG_DWORD value of 0 causes the schema to be repopulated:


What permissions are used on schema folders?

EXOLEDB automatically grants everyone read access to schema folders. This access control list (ACL) could be modified, but would be deleted if schema propagation were re-triggered.

Do you need to replicate those folders when servers are decommissioned?

You do not have to replicate folder content as part of the replicate system folders procedures.

For More Information

For more information, see the following Exchange blog entry:

SOPHOS: Unable to SSH after Update to 9.4 latest Release 9.404-5

You did everything right as described below, but are still unable to log on:

Error: Network error: Software caused connection abort

Solution: download the latest version of PuTTY and it will work again.




WSUS: Error on 2012R2 WSUS server, ERROR: Connection Error in the console

The WSUS server console on a 2012R2 server suddenly does not work anymore. You already checked %appdata%\Roaming\Microsoft\MMC\WSUS (back it up, remove it, try whether the console works, and restore it if that did not solve it) and this did not help.

You checked all services, rebooted the WSUS server, and checked the free disk space and the size of the Windows Internal Database.

Error: Event 507, Windows Server Update Server

Error: Event 7031, The WSUS Server Service terminated


Error as text from the GUI:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.


Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.


The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.


System.IO.IOException -- The handshake failed due to an unexpected packet format.


Source: System


Stack Trace:

at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)

at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)

at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)

at System.Net.ConnectStream.WriteHeaders(Boolean async)

** this exception was nested inside of the following exception **



System.Net.WebException -- The underlying connection was closed: An unexpected error occurred on a send.





Stack Trace:

at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)

at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)

at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()

at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.get_ServerTools()

Solution: run the following command in an elevated command prompt (case sensitive):

"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

  • Console should work again



This article describes an update to a feature that enables Windows Server Update Services (WSUS) to natively decrypt Electronic Software Distribution (ESD) in Windows Server 2012 and Windows Server 2012 R2. Before you install this update, see the Prerequisites section.

Note You must install this update on any WSUS server that is intended to sync and distribute Windows 10 upgrades (and feature updates) that are released after May 1, 2016.

How to get this update


Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Windows Update


This update is available on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Update detail information



To apply this update in Windows Server 2012 R2, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed.

Registry information

To apply this update, you don't have to make any changes to the registry.


Restart requirement

You may have to restart the computer after you apply this update.


Update replacement information

This update can be installed on top of or in place of KB3148812.


More information

Manual steps required to complete the installation of this update

  1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume "C" as the system volume):

     "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

  2. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.

  3. Restart the WSUS service.

If SSL is enabled on the WSUS server

  1. Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):

     takeown /f web.config /a

     icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f

  2. Locate the Web.Config file in the following path:

     C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config

  3. Make the following changes in the file.

     Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold.

     <services>
       <service
         name="Microsoft.UpdateServices.Internal.Client"

         <!-- These 4 endpoint bindings are required for supporting both http and https -->

         <endpoint address=""
                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

         <endpoint address="secured"
                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

         <endpoint address=""
                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

         <endpoint address="secured"
                   contract="Microsoft.UpdateServices.Internal.IClientWebService" />

  4. Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file, as shown:

     </bindings>
     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />



Deployment: Adobe goes completely nuts!

Not only have they kept us jumping around in deployment for almost 10 years now.

Just at the time when they release a new insecure Flash Player every 2 weeks, they decide to cancel

the open download portal and insist that every customer signs the Enterprise Agreement. 75%

of the people who use that link have millions and billions of Adobe Acrobat and Photoshop installations running.

You are not going to get any more customers, Adobe!



I like Flash, and in Switzerland there were companies who made great Flash games 15 years ago

…But enough is enough now….