Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual page 993

VIRUS:POP3:TIMOFONICA
VIRUS:POP3:TOADIE
VIRUS:POP3:TRIPLESIX
VIRUS:POP3:TUNE
Copyright © 2010, Juniper Networks, Inc.
This signature detects e-mail attachments named
'Timofonica.txt.vbs' sent via POP3. This may indicate the
e-mail virus Timofonica is attempting to enter the system.
The executed file creates cmos.com and edits the Registry
to run the virus on reboot. When cmos.com is run, it erases
CMOS memory, MBRs from the first four physical hard disks,
and MBRs and DOS Boot Records of extended partitions.
Timofonica also obtains e-mail addresses from the Microsoft
Outlook database and sends infected messages to all
addresses found. Simultaneously, the virus e-mails the SMS
gateway at Moviestar.net and send SMS messages to
random cellular phone numbers.
This signature detects e-mail attachments named
'Toadie.exe' sent via POP3. This may indicate the e-mail
virus Toadie is attempting to enter the system. The executed
file infects EXE files by relocating the initial 7800 bytes to
the end of the file, encrypting those bytes, and writing 7800
bytes of its own DOS program to the beginning of the file,
thus changing EXE files to DOS files. When run, the virus
code first infects more EXE files before passing control.
Toadie also replaces unsent e-mail messages in Pegasus
Mail, and may send copies of itself via IRC.
This signature detects e-mail attachments named
'666test.vbs' sent via POP3. This may indicate the e-mail
virus TripleSix is attempting to enter the system. The
executed file displays three dialogue boxes leading the user
through the game "Does your name add up to 666?". The
virus then copies WINTEMP.TXT to the Windows directory;
this file creates WINTEMP.EXE (a PkZip executable), which
in turn creates 666TEST.ZIP (an archive). The archive is
copied to the Windows system directory as WINSWAP.SWP.
Triplesix also writes REGSVR.VBS to the Windows system
directory and edits the Registry to run that script on reboot.
When REGSVR.VBS is activated, it obtains e-mail addresses
from the Microsoft Outlook database and sends infected
messages to all addresses found, overwrites mIRC and Pirch
setup files, and sends infected messages via IRC.
This signature detects e-mail attachments named 'Tune.vbs'
sent via POP3. This may indicate the e-mail virus Tune is
attempting to enter the system. The executed file copies
itself to the Windows, Windows system, and Temporary
directories and edits the Registry to run the virus on reboot.
When activated, it obtains e-mail addresses from the
Microsoft Outlook database and sends infected messages
to all addresses found, overwrites mIRC and Pirch setup files,
and sends infected messages via IRC.
Appendix E: Log Entries
critical sos5.1.0
high sos5.1.0
high sos5.1.0
high sos5.1.0
943