Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 985
Appendix E: Log Entries

VIRUS:SMTP:DUMARU.J
Severity: high  Version: sos5.1.0
This signature detects the J variant of the Dumaru SMTP virus. Dumaru sends e-mails with the subject line "Important information for you. Read it immediately!"; the e-mail includes a .zip attachment that contains a malicious payload disguised as a picture. When the picture is viewed, the malicious executable program infects the target host. The virus then sends a copy of itself to e-mail addresses found in the target's address book, using the target's e-mail address as the return address.

VIRUS:SMTP:EICAR-ATTACHMENT
Severity: info  Version: sos5.1.0
This signature detects the EICAR antivirus test file sent as an e-mail attachment.

VIRUS:SMTP:EXE-ATTACH-1
Severity: medium  Version: sos5.1.0
This signature detects Win32 executables sent as a MIME attachment. Many viruses, worms, and other malicious programs are transmitted through SMTP attachments. You might want to block all executable attachments and instead require your users to send executables in a compressed format.

VIRUS:SMTP:EXE-IN-ZIP
Severity: medium  Version: sos5.1.0
This signature detects Win32 executables sent within a ZIP file as a MIME attachment. Many viruses, worms, and other malicious programs are transmitted through SMTP attachments. You might want to block all executable attachments.

VIRUS:SMTP:NAIL
Severity: high  Version: sos5.0.0
This signature detects attempts by the e-mail virus Nail to enter the system. When executed, the virus assigns the Microsoft Word auto.dot template to a template located on an attacker Web site, enabling the attacker to upload new virus code. Nail then starts a MAPI (Mail API) session, obtains e-mail addresses from the Microsoft Outlook database, and sends infected e-mail messages to all addresses found. Finally, the virus sends an e-mail message to chainnail@hotmail.com, assumed to be the e-mail address of the virus author.

VIRUS:SMTP:RESUME-EXPLORER-DOC
Severity: low  Version: sos5.1.0
This signature detects e-mail attachments named 'EXPLORER.DOC' sent via SMTP. This may indicate the e-mail virus Resume is attempting to enter the system. The executed file obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found. When the file is closed, Resume creates the directory C:\Data, copies itself there as Normal.dot, and edits the Registry to run the virus on reboot. The virus then attempts to delete all files from several directories (including Windows) and all drives from A: to Z:.

VIRUS:SMTP:SOBIG-ATTACHMENTS
Severity: medium  Version: sos5.1.0
This signature detects e-mail attachments with one of the following file names sent via SMTP: approved.pif, application.pif, doc_details.pif, movie28.pif, password.pif, ref-39xxxx.pif, screen_doc.pif, screen_temp.pif, _approved.pif. This may indicate the SOBIG e-mail virus is attempting to enter the system.

Copyright © 2010, Juniper Networks, Inc.
935
