Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 979

VIRUS:POP3:EUROCALCULATOR
VIRUS:POP3:EXPLOREZIP-B
VIRUS:POP3:FIX2001
VIRUS:POP3:FREELINK
VIRUS:POP3:HAPPY99
VIRUS:POP3:IROK
Copyright © 2010, Juniper Networks, Inc.
This signature detects e-mail attachments with the file name
'Eurocalculator.exe' sent via POP3. This may indicate the
Eurocalculator Trojan is attempting to enter the system. The
executed file installs a remote administration Trojan similar
to Back Orifice, allowing attackers to access data and gain
control over some functions on remote Microsoft Windows
systems.
This signature detects e-mail attachments with the file name
'zippati.exe' sent via POP3. This may indicate the e-mail
virus ExploreZip.B is attempting to enter the system. The
executed.ZIP file (zippati in Italian) installs the program
explore.exe, which edits the host and visible networked
WIN.INI files to run explore.exe on startup. The virus also
searches all local and visible networked drives for common
file types (.ASN, .C, .CPP, .DOC, .H, .XLS, .PPT) and reduces
them to zero bytes.
This signature detects e-mail attachments with the file name
'fix2001.exe' sent via POP3. This may indicate the e-mail
virus Fix2001 is attempting to enter the system. The executed
file edits the Registry to run the virus on startup, obtains
e-mail addresses from sent and received messages, and
sends infected e-mail messages to all addresses found. If
the virus is patched or corrupted, it also overwrites the
C:COMMAND.COM file with a denial-of-service (DoS) (DoS)
trojan that erases all drive data upon reboot.
This signature detects e-mail attachments named 'Link.vbs'
sent via POP3. This may indicate the VBS.Freelink e-mail
virus is attempting to enter the system. The executed virus
edits Microsoft Windows Registry entries, opens the
Microsoft Outlook database, and sends infected messages
to all addresses found.
This signature detects e-mails with the header 'X-Spanska:
Yes' and the UU-encoded attachment 'Happy99.exe' sent
via POP3. This may indicate the e-mail virus/worm
Happy99/Ska is attempting to enter the system. The
executed file edits files (notably WSOCK32.DLL) in the
system directory, obtains e-mail addresses from sent and
received messages, and sends infected e-mail messages to
all addresses found. Once WSOCK32.DLL is successfully
modified, the virus/worm also exhibits a message box
animation routine of a fireworks display.
This signature detects e-mail attachments named 'irok.exe'
sent via POP3. This may indicate the e-mail virus Irok is
attempting to enter the system. The executed file exhibits
a message box animation routine of a starfield while copying
itself to the Windows system directory and writing the file
Irokrun.vbs to the Startup directory. Upon reboot, the VB
script uses Windows Scripting Host (WSH) to open the
Microsoft Outlook database and send infected files to up to
60 addresses found. This virus also install the file script.ini
to the m IRC directory and use dcc to send irok.exe to IRC
clients who join the channel.
Appendix E: Log Entries
critical sos5.1.0
critical sos5.1.0
critical sos5.1.0
high sos5.1.0
high sos5.1.0
high sos5.1.0
929