[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: JS/Zerolin

To: Nicolas Gregoire <ngregoire@xxxxxxxxxxxx>
Subject: Re: JS/Zerolin
From: "T.H. Haymore" <bonk@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Aug 2004 09:50:37 -0500 (CDT)

On Fri, 13 Aug 2004, Nicolas Gregoire wrote:

Nicholas,

 Thanks for the insight.  I've received several replies telling me to look
at McAfee (yadda-yadda) and other sites.  I am well aware of the Zerolin
VBS script as I researched it before posting.  You've provided what
insight I was looking for on the java script side.

Mark, I think this is what we're looking for.  Also, keep us updated as to
what else you see as this could very well be a new version and they are
indeed 'testing'.

Thanks again,

-th

<snip>

> Hi,
>
> I've seen theses emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the botton of
> a false (true ?) spam. After several redirections, un ss.exe file is
> downloaded. This file is detected as following :
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information

=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk@xxxxxxxxxxxxxxx | Bonk@xxxxxxxxxxxxxx
=================================================
/"\
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email

References:
- Re: JS/Zerolin
  - From: Nicolas Gregoire

Prev by Date: RE: NETGEAR DG834G SPECIAL FEATURES
Next by Date: Re: JS/Zerolin
Previous by thread: Re: JS/Zerolin
Next by thread: Re: JS/Zerolin
Index(es):
- Date
- Thread