On Fri, 13 Aug 2004, Nicolas Gregoire wrote:

Nicolas,

Thanks for the insight. I've received several replies telling me to look at McAfee (yadda-yadda) and other sites. I am well aware of the Zerolin VBS script as I researched it before posting. You've provided what insight I was looking for on the JavaScript side.

Mark, I think this is what we're looking for.

Also, keep us updated as to what else you see as this could very well be a new version and they are indeed 'testing'.

Thanks again,
-th

<snip>
> Hi,
>
> I've seen these emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the bottom of
> a false (true ?) spam. After several redirections, an ss.exe file is
> downloaded. This file is detected as follows:
>
> KAV    : Trojan.Win32.Genme.c
> Trend  : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI    : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Information Systems Security Consultant

=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk@xxxxxxxxxxxxxxx | Bonk@xxxxxxxxxxxxxx
=================================================
 /"\
 \ /
  X   ASCII Ribbon Campaign
 / \  Against HTML Email
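
A gateway-side check for the hidden-script pattern described in the quoted message, as an added example that is not part of the original thread or any product named in it. It flags HTML mail parts whose script tags declare an encoded script language or carry the `#@~^` header that Script Encoder output begins with; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

ENCODED_LANGS = {"jscript.encode", "vbscript.encode"}
MARKER = "#@~^"  # Script Encoder output begins with this header

class ScriptFinder(HTMLParser):
    """Records <script> blocks that declare an encoded language or carry the marker."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            lang = (dict(attrs).get("language") or "").lower()
            if lang in ENCODED_LANGS:
                self.hits.append(("encoded-language", lang))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and MARKER in data:
            self.hits.append(("encoder-marker", MARKER))

def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        html = body.decode(part.get_content_charset() or "latin-1", "replace")
        finder = ScriptFinder()
        finder.feed(html)
        finder.close()  # flush any text the parser is still buffering
        hits.extend(finder.hits)
    return hits

# Constructed sample: the encoded payload is a placeholder, not real encoder output.
SAMPLE = (
    'Subject: constructed sample\nContent-Type: text/html; charset="us-ascii"\n\n'
    "<html><body><p>Ordinary-looking spam text.</p>\n"
    '<script language="JScript.Encode">#@~^PLACEHOLDER==^#~@</script>\n'
    "</body></html>\n"
)
```

Calling `scan_message(SAMPLE)` reports both the declared language and the marker. Legitimate mail almost never carries encoded script, so either finding alone is a reasonable quarantine signal.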