Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 997

Appendix E: Log Entries

WORM:CODERED-2:CMD-BACKDOOR
Severity: medium
Versions: sos5.0.0, sos5.1.0
This signature detects attempts to access a backdoor web script installed by the Code Red II worm. The Code Red II worm, like the original Code Red worm, allows attackers to remotely access the server.

WORM:CODERED-2:INFECT-ATTEMPT
Severity: high
Versions: sos5.0.0, sos5.1.0
This signature detects attempts by the CodeRedII worm to infect a host. The CodeRedII worm, also known as CodeRed.F, exploits the same vulnerability as the original CodeRed worm.

WORM:CODERED-2:ROOT-BACKDOOR
Severity: medium
Versions: sos5.0.0, sos5.1.0
This signature detects attempts to access a backdoor web script installed by the Code Red II worm. The Code Red II worm, like the original Code Red worm, allows attackers to remotely access the server.

WORM:EMAIL:BAGLE-INFECTION
Severity: medium
Versions: sos5.0.0, sos5.1.0
This signature detects Bagle worm activity on a host. After infecting a host, the Bagle worm attempts to contact a Web server listening post. The Bagle worm, which affects Microsoft Windows, copies itself to the system directory, and edits the system registry. The worm uses an e-mail attachment to propagate itself to other hosts, and has a hard-coded expiration date (January 28). This signature could be prone to false positives.

WORM:EMAIL:W32.SOBIG.E
Severity: medium
Versions: sos5.1.0
This signature detects e-mail attachments containing the W32.Sobig.E worm sent via SMTP.

WORM:MIMAIL:MIMAIL.A
Severity: high
Versions: sos5.1.0
This signature detects the Mimail.A worm attachment in SMTP traffic. After infecting a Windows-based host, Mimail sends itself as an attachment to another target using its own SMTP engine.

WORM:MIMAIL:MIMAIL.L
Severity: high
Versions: sos5.1.0
This signature detects the Mimail.L worm attachment in SMTP traffic. After infecting a Windows-based host, Mimail sends itself as an attachment to another target using its own SMTP engine.

WORM:MOFEI:MOFEI-B-PROPAGATION
Severity: high
Versions: sos5.1.0
This signature detects the MoFei worm attempting to propagate to another host. After infecting a host, the MoFei worm propagates by depositing a copy of itself in a vulnerable NetBIOS folder on another host. The MoFei worm is known by several aliases, including W32.Mofei-B and W32.Femot.D.

WORM:NACHI:B-C-D-INFECT-ATTEMPT
Severity: critical
Versions: sos5.1.0
This signature detects infection attempts of the Windows RPC Locator Service by the B, C or D variants of the Nachi worm. This signature only triggers on a successful connect to an accessible victim. Follow-up is strongly suggested.

WORM:NACHI:D-WEBDAV-ATK
Severity: high
Versions: sos5.0.0, sos5.1.0
This signature detects WebDAV overflows, which can indicate an infection attempt by the Nachi worm (D variant). Nachi.D, a worm, typically attempts to infect the target host by exploiting several vulnerabilities.

Copyright © 2010, Juniper Networks, Inc.