Bugtraq
mailing list archives
Re: JS/Zerolin
From: K-OTiK Security <Special-Alerts () k-otik com>
Date: 13 Aug 2004 16:25:49 -0000
In-Reply-To: <1092386306.752.36.camel () bobby exaprobe com>
Nicolas Gregoire wrote :
I've seen these emails since last Friday, and my gateway has since
received around 200 of them. KAV and ClamAV detect them as
"TrojanDropper.VBS.Zerolin".
It appears that a small JScript.Encoded code is hidden at the bottom of
a false (true?) spam. After several redirections, an ss.exe file is
downloaded. This file is detected as follows:
KAV : Trojan.Win32.Genme.c
Trend : not detected
ClamAV : Trojan.Xebiz.A
F-Prot : W32/Xebiz.A
NAI : not detected
From the Symantec website :
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
A large scale spamming of messages contained a link to a Web page
hosting the backdoor. Following the link downloads the file Links.HTA,
which in turn downloads and executes the Trojan as ss.exe
Note that only unpatched systems (running Internet Explorer) are vulnerable to this trojan downloader [Object Data tag
vulnerability (MS03-040), MHTML URL vulnerability (MS04-013) and the ADODB.Stream vulnerability (MS04-025)].
Regards.
Chaouki Bekrar - Security Consultant
Co-Founder of K-OTik Security Survey 24/7
http://www.k-otik.com
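As an added example (not code from this thread, from K-OTiK, or from any vendor named above), here is a gateway-side indicator scan in Python for the delivery chain the thread describes: an encoded JScript block placed at the bottom of an HTML spam, a link to an .HTA file, and the ADODB.Stream, object-data and MHTML components the downloader depends on. The sample messages, the indicator names and the regexes are constructed for this example; the only external fact relied on is that Microsoft Script Encoder output is delimited by the fixed markers `#@~^` (followed by a six-character length field and `==`) and `^#~@`.

```python
"""Mail-gateway indicator scan for a Zerolin-style mailed downloader.

Added example, not the poster's code. The sample messages below are
constructed for this example and are not real captured spam.
"""
import email
import re
from email import policy

# Indicators drawn from the thread. The regexes are this example's own
# heuristics, not a vendor signature. The "#@~^...^#~@" delimiters are the
# fixed markers of Microsoft Script Encoder (JScript.Encode) output.
INDICATORS = {
    "jscript.encode tag": re.compile(r'<script[^>]*\blanguage\s*=\s*["\']?jscript\.encode', re.I),
    "script encoder blob": re.compile(r'#@~\^[A-Za-z0-9+/]{6}==.*?\^#~@', re.S),
    "hta link": re.compile(r"https?://[^\s'\"<>]+\.hta\b", re.I),
    "ADODB.Stream": re.compile(r"\bADODB\.Stream\b", re.I),
    "object data=": re.compile(r"<object[^>]*\bdata\s*=", re.I),
    "mhtml: url": re.compile(r"\bmhtml:", re.I),
}


def body_texts(raw: bytes):
    """Yield (content_type, decoded text) for every text/* part of a raw message.

    get_content() undoes base64 / quoted-printable transfer encoding, so the
    regexes run over the text a mail client would actually render.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        yield part.get_content_type(), part.get_content()


def scan_message(raw: bytes) -> dict:
    """Return {indicator: [(content_type, offset_fraction), ...]} for every hit.

    offset_fraction is where in the part the match begins (0.0 = top of the
    body, 1.0 = end), which makes the "hidden at the bottom of the mail"
    placement visible in the report.
    """
    hits = {}
    for ctype, text in body_texts(raw):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(text):
                frac = m.start() / max(len(text), 1)
                hits.setdefault(name, []).append((ctype, round(frac, 2)))
    return hits


def verdict(hits: dict) -> str:
    """Policy choice for this example: an encoded-script blob or a
    JScript.Encode tag inside a mail body is blocked outright; any other
    indicator is flagged for review; nothing found passes."""
    if "script encoder blob" in hits or "jscript.encode tag" in hits:
        return "block"
    if hits:
        return "flag"
    return "pass"


# Constructed sample 1: spam with an encoded script block after the visible text.
# The encoded body is a placeholder, not a real encoded payload.
SPAM = b"""From: promo@example.invalid
To: victim@example.invalid
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear customer, our summer prices are unbeatable ...</p>
<p>Visit <a href="http://example.invalid/offer.html">our shop</a></p>
<p>Unsubscribe: reply with REMOVE.</p>
<script language="JScript.Encode">#@~^AAAAAA==PLACEHOLDER_NOT_A_REAL_PAYLOAD==AAAAAA==^#~@</script>
</body></html>
"""

# Constructed sample 2: only a link to an .HTA file (the Links.HTA stage), no script.
HTA_LINK = b"""From: promo@example.invalid
To: victim@example.invalid
Subject: Your links
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://example.invalid/Links.HTA">click here</a></body></html>
"""

# Constructed sample 3: benign plain-text newsletter that merely mentions bulletin IDs.
NEWSLETTER = b"""From: news@example.invalid
To: reader@example.invalid
Subject: Weekly digest
Content-Type: text/plain; charset=us-ascii

This week's bulletins cover MS04-025 and MS04-013.
Patch status: https://example.invalid/patches
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("hta only", HTA_LINK), ("newsletter", NEWSLETTER)):
        h = scan_message(raw)
        print(f"{label:10s} {verdict(h):5s} {h}")
```

Running the script prints `block` for the spam (both the tag and the blob land in the last quarter of the body), `flag` for the bare .HTA link, and `pass` for the newsletter. Matching on the encoder delimiters rather than on a decoded payload is deliberate: it catches every message of this family regardless of what the encoded script does, at the cost of having to decode nothing at the gateway.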
Current thread:
- JS/Zerolin T.H. Haymore (Aug 12)
- Re: JS/Zerolin K-OTiK Security (Aug 13)
- RE: JS/Zerolin Thor Larholm (Aug 14)