Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 986


Network and Security Manager Administration Guide

| Signature | Description | Severity | Versions |
|---|---|---|---|
| VOIP:MGMT:XPRESSA-HTTP-DOS | This signature detects attempts to exploit a vulnerability in Pingtel Xpressa phones. Attackers may supply an overly long request to the HTTP management server on the phone to execute arbitrary code or crash the phone (the phone must be rebooted). | medium | sos5.1.0 |
| WORM:AGOBOT:HTTP-SHARE-ENUM | This signature detects attempts by the Agobot worm to enumerate SMB shares via HTTP. | medium | sos5.1.0 |
| WORM:AGOBOT:PY-HTTP-PROP | This signature detects the PY variant of the Agobot worm as it attempts to infect another host. This signature could be prone to false positives. | high | sos5.1.0 |
| WORM:BAGLE:AF-HTTP | This signature detects the AF variant of the Bagle SMTP virus. Bagle sends e-mails that contain an attachment with a malicious payload. When the attachment is viewed, the payload uses HTTP to load an external link, which is actually an executable program that infects the target host. The virus then sends a copy of itself to e-mail addresses found on the target's hard drive, using the target's e-mail address as the return address. | high | sos5.1.0 |
| WORM:BAGLE:AF-SMTP | This signature detects the AF variant of the Bagle SMTP virus. Bagle sends e-mails to victims with an attachment carrying a malicious payload. Attempting to view the attachment, which is actually an executable program, infects the user. The virus then sends a copy of itself to e-mail addresses found by searching the victim's hard drive, using the victim's e-mail address as the return address. | high | sos5.1.0 |
| WORM:BERBEW:KEYLOGGER-UPLOAD | This signature detects the Berbew worm as it uploads keylogger information to a listening post. Berbew monitors user keystrokes for financial data and reports that information to an attacker via HTTP to a listening post. Source IP addresses that trigger this signature are extremely likely to be infected with the Berbew worm. | high | sos5.0.0, sos5.1.0 |
| WORM:BOBAX:C-PHONE-HOME-DNS | This signature detects Bobax worm activity. The C variant of the Bobax worm attempts to look up the correct IP addresses for listening post servers set up by the Bobax virus authors. Because lookups for these addresses are extremely suspicious, you should investigate the source device for Bobax infection. However, this signature detects Bobax activity (not Bobax infection attempts), and cannot be used to prevent Bobax infection. To prevent Bobax infection, configure your security policy to drop traffic that matches the signatures "Windows RPC: LSASS Malicious OpCode" and "Windows RPC: LSASS DCE-RPC Oversized Fragment". | high | sos5.1.0 |
| WORM:CODERED:INFECTION-ATTEMPT | This signature detects attempts to infect a Microsoft IIS server with the Code Red worm using a .ida buffer-overflow attack. The installed worm downloads code from the donor host, creates a backdoor on the victim, and sets up 100 threads of the worm that scan for other vulnerable hosts using random IP addresses. Code Red also checks the host system time; on the 20th of each month (GMT), all infected systems send 100k bytes of data to TCP/80 of www.whitehouse.gov, causing a denial-of-service (DoS). | medium | sos5.0.0, sos5.1.0 |
Copyright © 2010, Juniper Networks, Inc.
