Re: JS/Zerolin
On Fri, 13 Aug 2004, Nicolas Gregoire wrote:
Nicholas,
Thanks for the insight. I've received several replies telling me to look
at McAfee (yadda-yadda) and other sites. I am well aware of the Zerolin
VBS script as I researched it before posting. You've provided what
insight I was looking for on the java script side.
Mark, I think this is what we're looking for. Also, keep us updated as to
what else you see as this could very well be a new version and they are
indeed 'testing'.
Thanks again,
-th
<snip>
> Hi,
>
> I've seen theses emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the botton of
> a false (true ?) spam. After several redirections, un ss.exe file is
> downloaded. This file is detected as following :
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk@xxxxxxxxxxxxxxx | Bonk@xxxxxxxxxxxxxx
=================================================
/"\
\ /
X ASCII Ribbon Campaign
/ \ Against HTML Email