[36120] in bugtraq
Re: JS/Zerolin
daemon@ATHENA.MIT.EDU (T.H. Haymore)
Fri Aug 13 17:23:19 2004
Date: Fri, 13 Aug 2004 09:50:37 -0500 (CDT)
From: "T.H. Haymore" <bonk@webchat.chatsystems.com>
To: Nicolas Gregoire <ngregoire@exaprobe.com>
Cc: <bugtraq@securityfocus.com>, <Mark.Amos@owenscorning.com>
In-Reply-To: <1092386306.752.36.camel@bobby.exaprobe.com>
Message-ID: <Pine.LNX.4.33.0408130946060.1207-100000@webchat.chatsystems.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: 8bit
On Fri, 13 Aug 2004, Nicolas Gregoire wrote:
Nicholas,
Thanks for the insight. I've received several replies telling me to look
at McAfee (yadda-yadda) and other sites. I am well aware of the Zerolin
VBS script as I researched it before posting. You've provided what
insight I was looking for on the java script side.
Mark, I think this is what we're looking for. Also, keep us updated as to
what else you see as this could very well be a new version and they are
indeed 'testing'.
Thanks again,
-th
<snip>
> Hi,
>
> I've seen theses emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the botton of
> a false (true ?) spam. After several redirections, un ss.exe file is
> downloaded. This file is detected as following :
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk@chatsystems.com | Bonk@cyberabuse.org
=================================================
/"\
\ /
X ASCII Ribbon Campaign
/ \ Against HTML Email
