Bugtraq mailing list archives

Re: JS/Zerolin
From: "T.H. Haymore" <bonk () webchat chatsystems com>
Date: Fri, 13 Aug 2004 09:50:37 -0500 (CDT)

On Fri, 13 Aug 2004, Nicolas Gregoire wrote:


 Thanks for the insight.  I've received several replies telling me to look
at McAfee (yadda-yadda) and other sites.  I am well aware of the Zerolin
VBS script as I researched it before posting.  You've provided the
insight I was looking for on the JavaScript side.

Mark, I think this is what we're looking for.  Also, keep us updated as to
what else you see as this could very well be a new version and they are
indeed 'testing'.

Thanks again,




I've seen these emails since last Friday, and my gateway has since
received around 200 of them. KAV and ClamAV detect them as

It appears that a small Jscript.Encoded code is hidden at the bottom of
a false (true ?) spam. After several redirections, an ss.exe file is
downloaded. This file is detected as follows:

KAV : Trojan.Win32.Genme.c
Trend : not detected
ClamAV : Trojan.Xebiz.A
F-Prot : W32/Xebiz.A
NAI : not detected

Nicolas Gregoire ----- Information Systems Security Consultant

Email: Bonk () chatsystems com | Bonk () cyberabuse org
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email
