Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: JS/Zerolin
From: "T.H. Haymore" <bonk () webchat chatsystems com>
Date: Fri, 13 Aug 2004 09:50:37 -0500 (CDT)

On Fri, 13 Aug 2004, Nicolas Gregoire wrote:


Nicholas,

 Thanks for the insight.  I've received several replies telling me to look
at McAfee (yadda-yadda) and other sites.  I am well aware of the Zerolin
VBS script as I researched it before posting.  You've provided what
insight I was looking for on the java script side.

Mark, I think this is what we're looking for.  Also, keep us updated as to
what else you see as this could very well be a new version and they are
indeed 'testing'.



Thanks again,


-th

<snip>


Hi,

I've seen theses emails since last Friday, and my gateway has since
received around 200 of them. KAV and ClamAV detect them as
"TrojanDropper.VBS.Zerolin"

It appears that a small Jscript.Encoded code is hidden at the botton of
a false (true ?) spam. After several redirections, un ss.exe file is
downloaded. This file is detected as following :

KAV : Trojan.Win32.Genme.c
Trend : not detected
ClamAV : Trojan.Xebiz.A
F-Prot : W32/Xebiz.A
NAI : not detected

Regards,
--
Nicolas Gregoire ----- Consultant en S?curit? des Syst?mes d'Information


=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk () chatsystems com | Bonk () cyberabuse org
=================================================
/"\
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]