Re: JS/Zerolin

[K-OTiK Security <Special-Alerts () k-otik com>]

In-Reply-To: <1092386306.752.36.camel () bobby exaprobe com>

> Nicolas Gregoire wrote :
> I've seen theses emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as 
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the botton of
> a false (true ?) spam. After several redirections, un ss.exe file is
> downloaded. This file is detected as following :
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> > From the Symantec website :
>
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
> A large scale spamming of messages contained a link to a Web page
> hosting the backdoor. Following the link downloads the file Links.HTA,
> which in turn downloads and executes the Trojan as ss.exe

note that, only unpatched systems (running Internet Explorer) are vulnerable to this trojan downloader [Object Data tag 
vulnerability (MS03-040), MHTML URL vulnerability (MS04-013) and the ADODB.Stream Vuln. (MS04-025)]

Regards.
Chaouki Bekrar - Security Consultant
Co-Founder of K-OTik Security Survey 24/7
http://www.k-otik.com