Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 962

Network and Security Manager Administration Guide
TROJAN:AUTOPROXY:INFECTED-HOST
TROJAN:MISC:MOONPIE3-FTP-RESP
TROJAN:MISC:WANREMOTE-ADMIN
TROJAN:MS-04-028:BACKDOOR-LOGIN
TROJAN:MS-04-028:TOOL-DOWNLOAD
TROJAN:PHATBOT:FTP-CONNECT
TROJAN:QAZ:TCP25-CALLING-HOME
VIRUS:POP3:BABYLONIA
VIRUS:POP3:BADASS
VIRUS:POP3:EICAR-ATTACHMENT
912
This signature detects the AutoProxy trojan attempting to
contact a master server and register the IP address and open
ports of the infected host. AutoProxy is a trojan that installs
a proxy server on Microsoft Windows hosts. Attackers may
use an infected host to attack other targets while masking
their actual IP address.
This signature detects a banner from the FTP server
embedded in the MoonPie backdoor version 3.0 (other
versions may also be detected).
This signature detects access to the WanRemote
administration interface using the HTTP protocol.
This signature detects login attempts from a client infected
with a trojan installed as part of the Microsoft GDI+ Library
JPEG overflow exploit.
This signature detects attempts by a specific trojan to
download files. The trojan, installed as part of the Microsoft
GDI+ Library JPEG Overflow exploit, is attempting to
download updated files from a remote host.
This signature detects Phatbot FTP connections. Phatbot,
a trojan similar to Agobot but with more functionality, sends
spam from an infected host machine.
This signature detects the string 'nongmin_cn' within an
SMTP header-from field sent from a remote system to local
server port 25. This may indicate an attacker is attempting
to access the Trojan/Worm QAZ. The QAZ Trojan/Worm,
famous for infecting the Microsoft network October 2000,
allows attackers to access data and gain control over some
functions on remote Microsoft Windows systems.
This signature detects e-mail attachments with the file name
"x-mas.exe' sent via POP3. This may indicate the Babylonia
e-mail virus is attempting to enter the system. The executed
virus infects all files greater than 8kb, installs automatic virus
updaters, and allows attackers to further compromise the
system by uploading trojans, creating backdoors, etc.
This signature detects e-mail attachments with the file name
'badass.exe' sent via POP3. This may indicate the BadAss
e-mail virus is attempting to enter the system. The executed
virus displays a message box with specified text, opens the
Microsoft Outlook database, and sends infected messages
containing a Dutch phrase to all addresses found.
This signature detects the EICAR antivirus test file sent as
an e-mail attachment.
critical sos5.0.0,
sos5.1.0
high sos5.1.0
medium sos5.1.0
critical sos5.1.0
high sos5.1.0
high sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.1.0
high sos5.1.0
info sos5.1.0
Copyright © 2010, Juniper Networks, Inc.