
Is Gumblar or GENO Malware Worm Detected by AV on ScreenOS?


Article ID: KB14343    KB Last Updated: 09 Jun 2009    Version: 1.0
Summary:
Gumblar, also known as GENO, is a web-based worm that is spreading rapidly across the Internet. Sophos detects it under the signature name JS.Redir-R, and Trend Micro detects it as JS_AGENT.AOIP. Does the AV feature on ScreenOS detect Gumblar?
Symptoms:

Solution:
As of 06/03/2009, the Kaspersky AV engine on ScreenOS detects the presence of the Gumblar (GENO) worm. The ScreenOS virus signature is named Trojan-Downloader.JS.Gumblar. Other vendors use different names for the same threat: Sophos calls it JS.Redir-R and Trend Micro calls it JS_AGENT.AOIP.

To verify that your device has this coverage, check the loaded AV signature database with the command "get av scan". Look for the "AV signature version" line and confirm that its date is 06/03/2009 or later. Also check the "AV Key Expire Date" line: once the AV key expires, the device stops downloading new databases, so the signature date will not advance past the last successful update.

Example:
rng-> get av scan
<AV scan engine info>
    AV Key Expire Date: 03/10/2010 00:00:00
    Update Server: http://update.juniper-updates.net/AV/SSG5_SSG20/
           interval: 60 minutes
           auto update status: next update in 45 minutes
           last result: new database loaded
    pattern update proxy status: OFF
    Send Admin E-mail after pattern updated: NO
    AV signature version: 06/05/2009 16:56 GMT, virus records: 148242     
    Scan Engine Info: last action result: No error(0x00000000), memory left 51740kB
    Scan engine default file extension list: 
    386;ACE;ARJ;ASP;BAT;BIN;BZ2;CAB;CHM;CLA;CMD;COM;CPL;DLL;DOC;DOT;DPL;DRV;DWG;ELF;EMF;
    EML;EXE;FON;FPM;GEA;GZ;HA;HLP;HTA;HTM;HTML;HTT;HXS;ICE;INI;ITSF;JAR;JPEG;JPG;JS;JSE;
    LHA;LNK;LZH;MBX;MD?;MIME;MSG;MSI;MSO;NWS;OCX;OTM;OV?;PDF;PHP;PHT;PIF;PK;PL;PLG;PP?;
    PRG;PRJ;RAR;REG;RTF;SCR;SH;SHS;SWF;SYS;TAR;TGZ;THE;TSP;VBE;VBS;VXD;WSF;WSH;XL?;XML;ZIP;
    max content size: 10000(k) (pass if exceeds)
    max-msgs: 256 (drop if exceeds)
    decompress layer: (pass if exceeds)
    password file: (pass if occurs)
    corrupt file: (pass if occurs)
    out of resource: (drop if occurs)
    scan engine is not ready: (drop if occurs)
    timeout: (drop if occurs)
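The check above can be automated when you have many ScreenOS units to audit. The script below is an added example, not code from this article or from ScreenOS: it parses the text that "get av scan" prints (captured over the console or SSH and pasted in, or collected by whatever automation you already use) and reports whether the loaded database is dated 06/03/2009 or later, flagging an expired AV key or a failed last update as the usual reasons a unit is stale. Both sample captures are constructed: the first mirrors the article's example, the second is an assumed older unit whose "last result" text is invented for illustration.

```python
"""Check a ScreenOS 'get av scan' capture for Gumblar signature coverage.

Added example, not code from the Juniper KB article or from ScreenOS. It
parses the text that 'get av scan' prints and reports whether the loaded
Kaspersky database is dated 06/03/2009 or later, the first database the
article says carries Trojan-Downloader.JS.Gumblar.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Earliest AV database the article states detects Gumblar.
GUMBLAR_COVERAGE_DATE = datetime(2009, 6, 3, tzinfo=timezone.utc)
# The article's publication date; used as the reference "now" when auditing old captures.
ARTICLE_DATE = datetime(2009, 6, 9, tzinfo=timezone.utc)

# ScreenOS prints dates as MM/DD/YYYY; the signature line also carries HH:MM GMT.
SIG_RE = re.compile(r"AV signature version:\s*(\d\d/\d\d/\d{4} \d\d:\d\d) GMT,\s*virus records:\s*(\d+)")
KEY_RE = re.compile(r"AV Key Expire Date:\s*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)")
RESULT_RE = re.compile(r"last result:\s*(.+)")


def as_gmt(text: str, fmt: str) -> datetime:
    """Parse a CLI timestamp and tag it as UTC (the CLI labels it GMT)."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_av_scan(output: str) -> dict:
    """Pull the fields that matter for coverage out of a 'get av scan' capture."""
    m = SIG_RE.search(output)
    if m is None:
        # No signature line means no database is loaded (or AV is not licensed).
        raise ValueError("no 'AV signature version' line found in output")
    info = {
        "signature_date": as_gmt(m.group(1), "%m/%d/%Y %H:%M"),
        "virus_records": int(m.group(2)),
        "key_expiry": None,
        "last_result": None,
    }
    k = KEY_RE.search(output)
    if k:
        info["key_expiry"] = as_gmt(k.group(1), "%m/%d/%Y %H:%M:%S")
    r = RESULT_RE.search(output)
    if r:
        info["last_result"] = r.group(1).strip()
    return info


def gumblar_coverage(output: str, now: Optional[datetime] = None) -> dict:
    """Return {'covered': bool, 'signature_date': ..., 'virus_records': ..., 'warnings': [...]}.

    'covered' depends only on the database date. Warnings flag an expired AV key
    (no further updates) or a last update result that did not load a database;
    the 'loaded' substring test is an assumption about the CLI wording, based on
    the article's "new database loaded" example.
    """
    now = now or datetime.now(timezone.utc)
    info = parse_av_scan(output)
    warnings = []
    if info["key_expiry"] is not None and info["key_expiry"] <= now:
        warnings.append(f"AV key expired {info['key_expiry']:%Y-%m-%d}; no further updates")
    if info["last_result"] and "loaded" not in info["last_result"].lower():
        warnings.append(f"last update result: {info['last_result']}")
    return {
        "covered": info["signature_date"] >= GUMBLAR_COVERAGE_DATE,
        "signature_date": info["signature_date"],
        "virus_records": info["virus_records"],
        "warnings": warnings,
    }


# Constructed capture mirroring the article's example (signature dated 06/05/2009).
SAMPLE_CURRENT = """\
<AV scan engine info>
    AV Key Expire Date: 03/10/2010 00:00:00
    Update Server: http://update.juniper-updates.net/AV/SSG5_SSG20/
           interval: 60 minutes
           auto update status: next update in 45 minutes
           last result: new database loaded
    AV signature version: 06/05/2009 16:56 GMT, virus records: 148242
"""

# Constructed capture of an assumed stale unit: database predates coverage, key
# has expired, and the (invented) last result text shows the update did not load.
SAMPLE_STALE = """\
<AV scan engine info>
    AV Key Expire Date: 05/01/2009 00:00:00
    Update Server: http://update.juniper-updates.net/AV/SSG5_SSG20/
           last result: update failed
    AV signature version: 04/20/2009 09:12 GMT, virus records: 140000
"""

if __name__ == "__main__":
    for name, capture in (("current", SAMPLE_CURRENT), ("stale", SAMPLE_STALE)):
        r = gumblar_coverage(capture, now=ARTICLE_DATE)
        print(f"{name}: covered={r['covered']} db={r['signature_date']:%Y-%m-%d} warnings={r['warnings']}")
```

Pass the real clock as `now` when auditing live devices; the script defaults to the current UTC time, and `ARTICLE_DATE` is only there so that captures from 2009 can be judged against the key expiry that applied at the time.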
