Re: JS/Zerolin
In-Reply-To: <1092386306.752.36.camel@xxxxxxxxxxxxxxxxxx>
>Nicolas Gregoire wrote :
>I've seen theses emails since last Friday, and my gateway has since
>received around 200 of them. KAV and ClamAV detect them as
>"TrojanDropper.VBS.Zerolin"
>
>It appears that a small Jscript.Encoded code is hidden at the botton of
>a false (true ?) spam. After several redirections, un ss.exe file is
>downloaded. This file is detected as following :
>
>KAV : Trojan.Win32.Genme.c
>Trend : not detected
>ClamAV : Trojan.Xebiz.A
>F-Prot : W32/Xebiz.A
>NAI : not detected
>
>>From the Symantec website :
>
>http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
>A large scale spamming of messages contained a link to a Web page
>hosting the backdoor. Following the link downloads the file Links.HTA,
>which in turn downloads and executes the Trojan as ss.exe
>
note that, only unpatched systems (running Internet Explorer) are vulnerable to
this trojan downloader [Object Data tag vulnerability (MS03-040), MHTML URL
vulnerability (MS04-013) and the ADODB.Stream Vuln. (MS04-025)]
Regards.
Chaouki Bekrar - Security Consultant
Co-Founder of K-OTik Security Survey 24/7
http://www.k-otik.com