Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 992
Network and Security Manager Administration Guide
VIRUS:POP3:PRETTY-PARK
Severity: critical
Version: sos5.1.0
Description: This signature detects e-mails with the subject 'C:\CoolProgs\Pretty Park.exe' sent via POP3. This may indicate that the e-mail virus Pretty Park is attempting to enter the system. The executed file copies itself to the Windows System directory as FILES32.VXD and edits the Registry to run the virus on reboot. Pretty Park then obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found every 30 minutes. The virus also attempts to contact its author via IRC chat every 30 seconds; attackers may use the installed virus as a backdoor remote access tool to further compromise the system.

VIRUS:POP3:SIMBIOSIS
Severity: high
Version: sos5.1.0
Description: This signature detects e-mail attachments named 'SETUP.EXE' sent via POP3. This may indicate that the e-mail virus Simbiosis (a Cholera worm executable containing a CTX virus) is attempting to enter the system. The executed Cholera worm copies itself to the Windows directory and edits either the WIN.INI file (Windows 9x) or the Registry (NT) to run the virus on reboot. Simbiosis then obtains e-mail addresses from Internet-related files and sends infected messages to all addresses found using its own SMTP engine. The executed CTX virus appends itself to and infects Microsoft Windows PE executables; the virus carries no destructive payload and is apparent only through a video effect.

VIRUS:POP3:SUPPL
Severity: critical
Version: sos5.1.0
Description: This signature detects e-mail attachments named 'Suppl.doc' sent via POP3. This may indicate that the e-mail virus/trojan Suppl is attempting to enter the system. When the file is opened, its macros copy the active (virus) document to the Windows directory as Anthrax.ini and decompress the malicious Wsock32.dll file appended to Suppl.doc. On reboot, the virus file DLL.tmp replaces the malicious Wsock32.dll, and the original Wsock32.dll is renamed to Wsock33.dll. Suppl then attaches itself to all outgoing SMTP e-mail messages, locates files with common extensions (.DOC, .TXT, .ZIP, etc.) on available hard drives, and truncates those files to zero bytes.

VIRUS:POP3:THEFLY
Severity: high
Version: sos5.1.0
Description: This signature detects e-mail attachments named 'The_Fly.chm' sent via POP3. This may indicate that the e-mail virus The Fly is attempting to enter the system. The executed file copies itself as THE_FLY.CHM to the Windows directory and as DXGFXB3D.DLL to the Windows system directory, and opens a graphic with the message 'If you ride a motorcycle, close your mouth'. The Fly then copies MSJSVM.JS to the Windows system directory and edits the Registry to run this JavaScript on reboot. The virus also obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found.
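All four signatures above match on the same two header fields of a POP3-retrieved message: the Subject line (Pretty Park) or the attachment file name (Simbiosis, Suppl, The Fly). The following is an added example, not code from the NSM guide or from Juniper: a host-side re-implementation of these four matches run over constructed POP3 RETR responses. The signature names and match strings are taken from the table; the POP3 dot-unstuffing, the RFC 2047 decoding of headers and file names, and the case-insensitive comparison are choices made here and are not documented NSM behaviour.

```python
"""
Added example: re-implement the four VIRUS:POP3 signatures from the NSM table
over a raw POP3 RETR response. Not NSM or Juniper code; framing, decoding and
case handling are assumptions made here.
"""
from email.header import decode_header, make_header
from email.parser import BytesParser

# Match strings copied from the signature table above.
SUBJECT_SIGNATURES = {
    "VIRUS:POP3:PRETTY-PARK": r"C:\CoolProgs\Pretty Park.exe",
}
ATTACHMENT_SIGNATURES = {
    "VIRUS:POP3:SIMBIOSIS": "SETUP.EXE",
    "VIRUS:POP3:SUPPL": "Suppl.doc",
    "VIRUS:POP3:THEFLY": "The_Fly.chm",
}


def pop3_retr_body(response: bytes) -> bytes:
    """Strip the +OK status line, undo dot-stuffing, stop at the lone '.' terminator."""
    status, _, rest = response.partition(b"\r\n")
    if not status.startswith(b"+OK"):
        raise ValueError("not a successful RETR response: %r" % status)
    lines = []
    for line in rest.split(b"\r\n"):
        if line == b".":          # end of multi-line response
            break
        if line.startswith(b".."):  # RFC 1939 byte-stuffing: ".." -> "."
            line = line[1:]
        lines.append(line)
    return b"\r\n".join(lines) + b"\r\n"


def decode_rfc2047(value) -> str:
    """Decode =?charset?q?...?= encoded-words so a hidden 'SETUP.EXE' still matches."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def attachment_names(msg) -> list:
    """File names from Content-Disposition filename= or Content-Type name= on every leaf part."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(decode_rfc2047(name))
    return names


def match_signatures(retr_response: bytes) -> list:
    """Return the signature names that fire on one RETR response."""
    msg = BytesParser().parsebytes(pop3_retr_body(retr_response))
    subject = decode_rfc2047(msg.get("Subject")).strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    hits = [sig for sig, needle in SUBJECT_SIGNATURES.items() if subject == needle.lower()]
    hits += [sig for sig, needle in ATTACHMENT_SIGNATURES.items() if needle.lower() in names]
    return hits


# Constructed sample traffic (not captures): one RETR response per message.
RETR_PRETTY_PARK = (
    b"+OK 180 octets\r\n"
    b"From: friend@example.com\r\nTo: victim@example.net\r\n"
    b"Subject: C:\\CoolProgs\\Pretty Park.exe\r\n"
    b"Content-Type: text/plain\r\n\r\nCheck out this program.\r\n.\r\n"
)
RETR_SIMBIOSIS = (
    b"+OK 400 octets\r\n"
    b"Subject: =?iso-8859-1?q?Hola?=\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"xx\"\r\n\r\n"
    b"--xx\r\nContent-Type: text/plain\r\n\r\n..see attached\r\n"   # dot-stuffed line
    b"--xx\r\nContent-Type: application/octet-stream; name=\"=?us-ascii?q?setup=2Eexe?=\"\r\n"
    b"Content-Disposition: attachment\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA\r\n--xx--\r\n.\r\n"
)
RETR_TWO_ATTACHMENTS = (
    b"+OK 300 octets\r\n"
    b"Subject: report\r\nContent-Type: multipart/mixed; boundary=\"yy\"\r\n\r\n"
    b"--yy\r\nContent-Disposition: attachment; filename=\"Suppl.doc\"\r\n\r\nx\r\n"
    b"--yy\r\nContent-Disposition: attachment; filename=\"The_Fly.chm\"\r\n\r\ny\r\n"
    b"--yy--\r\n.\r\n"
)
RETR_CLEAN = (
    b"+OK 120 octets\r\n"
    b"Subject: invoice\r\nContent-Type: multipart/mixed; boundary=\"zz\"\r\n\r\n"
    b"--zz\r\nContent-Disposition: attachment; filename=\"Suppl.docx\"\r\n\r\nx\r\n"  # near miss
    b"--zz--\r\n.\r\n"
)

if __name__ == "__main__":
    for label, sample in [("pretty-park", RETR_PRETTY_PARK), ("simbiosis", RETR_SIMBIOSIS),
                          ("two", RETR_TWO_ATTACHMENTS), ("clean", RETR_CLEAN)]:
        print(label, match_signatures(sample))
```

Two caveats a practitioner should keep in mind when relying on signatures of this kind: they see only cleartext POP3, so mail fetched over POP3S or after STARTTLS passes the sensor unmatched, and a file-name match is only as good as the name the worm happens to use, which is why the example decodes RFC 2047 encoded-words before comparing rather than matching the raw header bytes.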
Copyright © 2010, Juniper Networks, Inc.