Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 994

Network and Security Manager Administration Guide
VIRUS:POP3:UUENCODED-DOT-VBS
Severity: high
Version: sos5.1.0
Description: This signature detects e-mail attachments containing the string 'begin' and the file extension 'vbs' sent via POP3. This may indicate the e-mail virus LoveLetter is attempting to enter the system. The executed file copies itself to the Windows system directory and edits the Registry to run the virus on reboot; when activated, it downloads a trojan from a specified web site that deletes security keys and sends stolen passwords to its owner. LoveLetter also obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found, overwrites mIRC and Pirch setup files, and sends infected messages via IRC.

VIRUS:POP3:WSCRIPT-KAK
Severity: medium
Version: sos5.1.0
Description: This signature detects e-mails containing 'kak.hta' sent via POP3. This may indicate the e-mail virus Kak is attempting to enter the system. The virus arrives embedded within a Microsoft Outlook message signature file as kak.htm, and activates when viewed in the Microsoft Outlook preview pane. Once triggered, the file copies itself as kak.hta to the Windows startup and system directories; on reboot, the virus overwrites the autoexec.bat file to delete the virus from the startup directory. Kak then replaces the Microsoft Outlook message signature with the infected file kak.htm. The virus also displays an alert box after 6pm on the first day of the month and shuts down Windows.

VIRUS:POP3:Y2K-ZELU
Severity: critical
Version: sos5.1.0
Description: This signature detects e-mail attachments named 'Y2k.exe' sent via POP3. This may indicate the e-mail virus Zelu is attempting to enter the system disguised as the utility ChipTec Y2K Freeware Version. The executed file scans available directories, corrupts writeable files, and inserts a message at the beginning of infected files. Zelu may reset the system, making the operating system unusable and erasing all data.

VIRUS:POP3:ZIPPED
Severity: critical
Version: sos5.1.0
Description: This signature detects e-mail attachments named 'ZippedFiles.exe' sent via POP3. This may indicate the e-mail virus Zipped_Files is attempting to enter the system. The executed .ZIP file installs the program explore.exe, which edits the host and visible networked WIN.INI files to run explore.exe on startup. The virus also searches all local and visible networked drives for common file types (.ASN, .C, .CPP, .DOC, .H, .XLS, .PPT) and reduces them to zero bytes.

VIRUS:SMTP:BAGLE.Q-SMTP
Severity: high
Version: sos5.1.0
Description: This signature detects the Q through T variants of the Bagle SMTP virus. Bagle sends e-mails containing an attachment with a malicious payload. Viewing the e-mail message loads an external link using HTTP; this link is actually an executable program that infects the target. The virus then sends a copy of itself to e-mail addresses found on the target's hard drive using the target's e-mail address as the return address.

VIRUS:SMTP:DOUBLE-DOT-DOT
Severity: high
Version: sos5.1.0
Description: This signature detects e-mail attachments that contain two file extensions. Attackers or viruses may send e-mail attachments that use two file extensions to disguise the actual file name and trick users into opening a malicious attachment.
Copyright © 2010, Juniper Networks, Inc.
