Re: JS/Zerolin

["T.H. Haymore" <bonk () webchat chatsystems com>]

On Fri, 13 Aug 2004, Nicolas Gregoire wrote:


Nicholas,

 Thanks for the insight.  I've received several replies telling me to look
at McAfee (yadda-yadda) and other sites.  I am well aware of the Zerolin
VBS script as I researched it before posting.  You've provided what
insight I was looking for on the java script side.

Mark, I think this is what we're looking for.  Also, keep us updated as to
what else you see as this could very well be a new version and they are
indeed 'testing'.



Thanks again,


-th

<snip>


> Hi,
>
> I've seen theses emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the botton of
> a false (true ?) spam. After several redirections, un ss.exe file is
> downloaded. This file is detected as following :
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Consultant en S?curit? des Syst?mes d'Information


=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk () chatsystems com | Bonk () cyberabuse org
=================================================
/"\
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email