[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: JS/Zerolin

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: JS/Zerolin
From: K-OTiK Security <Special-Alerts@xxxxxxxxxx>
Date: 13 Aug 2004 16:25:49 -0000

In-Reply-To: <1092386306.752.36.camel@xxxxxxxxxxxxxxxxxx>

>Nicolas Gregoire wrote :
>I've seen theses emails since last Friday, and my gateway has since
>received around 200 of them. KAV and ClamAV detect them as 
>"TrojanDropper.VBS.Zerolin"
>
>It appears that a small Jscript.Encoded code is hidden at the botton of
>a false (true ?) spam. After several redirections, un ss.exe file is
>downloaded. This file is detected as following :
>
>KAV : Trojan.Win32.Genme.c
>Trend : not detected
>ClamAV : Trojan.Xebiz.A
>F-Prot : W32/Xebiz.A
>NAI : not detected
>
>>From the Symantec website :
>
>http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
>A large scale spamming of messages contained a link to a Web page
>hosting the backdoor. Following the link downloads the file Links.HTA,
>which in turn downloads and executes the Trojan as ss.exe
>

note that, only unpatched systems (running Internet Explorer) are vulnerable to 
this trojan downloader [Object Data tag vulnerability (MS03-040), MHTML URL 
vulnerability (MS04-013) and the ADODB.Stream Vuln. (MS04-025)]

Regards.
Chaouki Bekrar - Security Consultant
Co-Founder of K-OTik Security Survey 24/7
http://www.k-otik.com

Prev by Date: Corsaire Security Advisory - Clearswift MAILsweeper multiple encoding/compression issues
Next by Date: Re: NETGEAR DG834G SPECIAL FEATURES
Previous by thread: Re: JS/Zerolin
Next by thread: RE: JS/Zerolin
Index(es):
- Date
- Thread