Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 972

Network and Security Manager Administration Guide
| Signature | Description | Severity | Versions |
|---|---|---|---|
| WORM:NETSKY:V-SMTP-PROP | This signature detects the V variant of the NetSky worm. The V variant encodes a malicious HTML script in the body of an e-mail sent to the target host. Due to a known vulnerability, Microsoft Outlook and Outlook Express process the encoded script when the e-mail appears in the preview pane (the e-mail does not need to be opened). The script downloads the NetSky worm from known Internet sites and installs the worm on the target host. | high | sos5.1.0 |
| WORM:NIMDA:BIN-255-CMD | This signature detects attempts to infect a Microsoft IIS Web server with the Nimda worm. Nimda may infect other Web servers by obtaining e-mail addresses and sending a copy of itself in infected messages using its own SMTP or POP3 server; adding files to a system configured to allow Windows file shares; or posting an infected HTML e-mail to the Web server where it can be accessed via HTTP. | medium | sos5.0.0, sos5.1.0 |
| WORM:NIMDA:MSADC-ROOT | This signature detects attempts to infect a Microsoft IIS Web server with the Nimda worm. Nimda may infect other Web servers by obtaining e-mail addresses and sending a copy of itself in infected messages using its own SMTP or POP3 server; adding files to a system configured to allow Windows file shares; or posting an infected HTML e-mail to the Web server where it can be accessed via HTTP. | medium | sos5.0.0, sos5.1.0 |
| WORM:NIMDA:NIMDA-EML | This signature detects attempts to create .EML files on the system, a common sign of the NIMDA worm. The worm browses remote directories and creates .EML files (the worm's multi-part messages containing a MIME-encoded worm) with the same names as existing documents or Web page files. | medium | sos5.1.0 |
| WORM:NIMDA:NIMDA-NWS | This signature detects attempts to create a .NWS file on the system, a common sign of the NIMDA worm. The worm browses remote directories and creates .NWS files (the worm's multi-part messages containing a MIME-encoded worm) with the same names as existing documents or Web page files. | medium | sos5.1.0 |
| WORM:NIMDA:NIMDA-RICHED20 | This signature detects attempts to create the file RICHED20.DLL on the system, a common sign of the NIMDA worm. The worm may overwrite the original RICHED20.DLL in the Windows systems folder with a binary copy of itself, and place additional copies in all folders containing .DOC or .EML files. | high | sos5.1.0 |
| WORM:NIMDA:SCRIPTS-C11C-CMD | This signature detects attempts to infect a Microsoft IIS Web server with the Nimda worm. Nimda may infect other Web servers by obtaining e-mail addresses and sending a copy of itself in infected messages using its own SMTP or POP3 server; adding files to a system configured to allow Windows file shares; or posting an infected HTML e-mail to the Web server where it can be accessed via HTTP. | medium | sos5.0.0, sos5.1.0 |

922
Copyright © 2010, Juniper Networks, Inc.