Open Source and information security mailing list archives
 
Date: Fri, 13 Aug 2004 10:38:26 +0200
From: Nicolas Gregoire <ngregoire@...probe.com>
To: "T.H. Haymore" <bonk@...chat.chatsystems.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: JS/Zerolin


On Thu 12/08/2004 at 17:37, T.H. Haymore wrote:

> There are incoming reports of a JS/Zerolin (java script virus).  Anyone
> else seeing this ?  (I have no further information yet).

Hi,

I've seen these emails since last Friday, and my gateway has since
received around 200 of them. KAV and ClamAV detect them as
"TrojanDropper.VBS.Zerolin".

It appears that a small Jscript.Encoded code is hidden at the bottom of
a false (true ?) spam. After several redirections, an ss.exe file is
downloaded. This file is detected as follows:

KAV : Trojan.Win32.Genme.c
Trend : not detected
ClamAV : Trojan.Xebiz.A
F-Prot : W32/Xebiz.A
NAI : not detected

From the Symantec website:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
A large scale spamming of messages contained a link to a Web page
hosting the backdoor. Following the link downloads the file Links.HTA,
which in turn downloads and executes the Trojan as ss.exe


Regards,
-- 
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoire@...probe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F


