Message-ID: <20040813162549.2134.qmail@www.securityfocus.com>
Date: 13 Aug 2004 16:25:49 -0000
From: K-OTiK Security <Special-Alerts@...tik.com>
To: bugtraq@...urityfocus.com
Subject: Re: JS/Zerolin


In-Reply-To: <1092386306.752.36.camel@...by.exaprobe.com>

>Nicolas Gregoire wrote :
>I've seen these emails since last Friday, and my gateway has since
>received around 200 of them. KAV and ClamAV detect them as 
>"TrojanDropper.VBS.Zerolin"
>
>It appears that a small Jscript.Encoded code is hidden at the bottom of
>a false (true ?) spam. After several redirections, an ss.exe file is
>downloaded. This file is detected as follows :
>
>KAV : Trojan.Win32.Genme.c
>Trend : not detected
>ClamAV : Trojan.Xebiz.A
>F-Prot : W32/Xebiz.A
>NAI : not detected
>
>From the Symantec website :
>
>http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
>A large scale spamming of messages contained a link to a Web page
>hosting the backdoor. Following the link downloads the file Links.HTA,
>which in turn downloads and executes the Trojan as ss.exe
>

Note that only unpatched systems (running Internet Explorer) are vulnerable to this trojan downloader [Object Data tag vulnerability (MS03-040), MHTML URL vulnerability (MS04-013) and the ADODB.Stream vulnerability (MS04-025)].

Regards.
Chaouki Bekrar - Security Consultant
Co-Founder of K-OTik Security Survey 24/7
http://www.k-otik.com 
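As an added example (not part of the thread or any of the posters' tooling), a small gateway-side heuristic in Python that flags HTML mail bodies showing the delivery chain described above: an encoded JScript block hidden in the body, a link pulling an .hta file, an <object data=...> tag (MS03-040), an mhtml: URL (MS04-013) or a script that touches ADODB.Stream (MS04-025). The sample body, URL and encoded-script text are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Matches a URL whose path ends in .hta (the Links.HTA stage in the thread).
HTA_RE = re.compile(r"\.hta(\?|$)", re.I)


class _MailScanner(HTMLParser):
    """Collects heuristic hits while walking the HTML of one mail body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            # JScript.Encode blocks are the "small Jscript.Encoded code" seen in the spam.
            if "encode" in a.get("language", "").lower():
                self.findings.append("encoded-jscript-block")
        if tag == "object" and a.get("data"):
            self.findings.append("object-data-tag")       # MS03-040 vector
        for url in (a.get("href"), a.get("src"), a.get("data")):
            if not url:
                continue
            if url.lower().startswith("mhtml:"):
                self.findings.append("mhtml-url")          # MS04-013 vector
            if HTA_RE.search(url):
                self.findings.append("hta-download")        # Links.HTA stage

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data verbatim.
        if self._in_script and "adodb.stream" in data.lower():
            self.findings.append("adodb-stream")            # MS04-025 vector


def scan_html_mail(body: str) -> list:
    """Return the sorted, de-duplicated heuristic hits for one HTML mail body."""
    scanner = _MailScanner()
    scanner.feed(body)
    return sorted(set(scanner.findings))


# Constructed sample: innocuous text with a hidden encoded script and an .hta link.
SAMPLE = """<html><body><p>Special offer!</p>
<a href="http://placeholder.invalid/Links.HTA">click</a>
<script language="JScript.Encode">#@~^AAAA==@#@&</script></body></html>"""
```

Hits are advisory: a body with `encoded-jscript-block` plus `hta-download` is a strong quarantine candidate, while a lone `object-data-tag` warrants a second look rather than a block.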
