Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 981

VIRUS:POP3:MYROMEO-MYJULIET
VIRUS:POP3:NAVIDAD
VIRUS:POP3:NIMDA
VIRUS:POP3:PAPA
VIRUS:POP3:PASSION
VIRUS:POP3:PIKACHU-POKEMON
Copyright © 2010, Juniper Networks, Inc.
This signature detects e-mail attachments with the name
'myjuliet.chm' accompanied by myromeo.exe and sent via
POP3. This may indicate the e-mail virus Verona is
attempting to enter the system. Because CHM files are
compressed HTML files, myjuliet.chm is activated when
viewed in the Microsoft Outlook preview pane; once
triggered, the CHM file runs myromeo.exe in the background.
Myromeo.exe obtains e-mail addresses from the Microsoft
Outlook database, sends infected e-mail messages to all
addresses found, and edits the Window directory file hh.dat.
This signature detects e-mail attachments named
'navidad.exe' sent via POP3. This may indicate the e-mail
virus Navidad is attempting to enter the system. The
executed file copies itself as winsvrc.vxd to the Windows
system directory and edits the Registry to run the virus on
reboot, installs into the system tray, and displays a dialog
box with the text 'UI.' The virus also intercepts new incoming
e-mail addresses and sends infected e-mail messages to
all senders.
This signature detects e-mail attachments named
'readme.exe' sent via POP3. This may indicate the e-mail
virus Nimda is attempting to enter the system. The executed
file installs to the Windows directory, edits the Registry to
run the virus on reboot, and infects Internet-related files.
Nimda then obtains e-mail addresses and sends infected
messages to all addresses found using its own SMTP server.
This signature detects e-mail attachments named 'xpass.xls'
sent via POP3. This may indicate the e-mail virus Papa is
attempting to enter the system. The executed Microsoft
Excel file obtains e-mail addresses from Microsoft Outlook
database and sends infected messages to the first 60
addresses found. Papa also attempts to create a
denial-of-service (DoS) by pinging the all.net Web server.
This signature detects e-mail attachments named
ICQ_Greeting.exe sent using POP3. This may indicate the
e-mail virus Passion is attempting to enter the system. The
executed file copies itself to local root drive, edits the registry
to run the virus on reboot, and deletes files. Passion then
obtains e-mail addresses from the Microsoft Outlook
database and sends infected messages to the first 50
addresses found.
This signature detects e-mails with the subject 'Pikachu
Pokemon' sent via POP3. This may indicate the e-mail virus
Pikachu Pokemon is attempting to enter the system. The
executed file displays a "friendly" message featuring Pikachu
while it overwrites the Autoexec.Bat file to delete most
Microsoft Windows 9x system files upon reboot. Pikachu
then obtains e-mail addresses from Microsoft Outlook
database and sends infected messages to all addresses
found.
Appendix E: Log Entries
high sos5.1.0
high sos5.1.0
critical sos5.1.0
critical sos5.1.0
critical sos5.1.0
critical sos5.1.0
931