In-Reply-To: <1092386306.752.36.camel@xxxxxxxxxxxxxxxxxx>

> Nicolas Gregoire wrote:
> I've seen these emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the bottom of
> a false (true ?) spam. After several redirections, an ss.exe file is
> downloaded. This file is detected as follows:
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> From the Symantec website :
>
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xebiz.html
> A large scale spamming of messages contained a link to a Web page
> hosting the backdoor. Following the link downloads the file Links.HTA,
> which in turn downloads and executes the Trojan as ss.exe

Note that only unpatched systems (running Internet Explorer) are vulnerable to this
trojan downloader [Object Data tag vulnerability (MS03-040), MHTML URL vulnerability
(MS04-013) and the ADODB.Stream vulnerability (MS04-025)].

Regards.

Chaouki Bekrar - Security Consultant
Co-Founder of K-OTik Security Survey 24/7
http://www.k-otik.com
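The thread describes two mail-side indicators a gateway can act on before any browser vulnerability comes into play: a JScript.Encode script block tucked at the bottom of an HTML spam body, and a link to an .HTA file (Links.HTA in the Symantec write-up). The following gateway filter is an added example written for this page, not code from either poster or from any of the vendors named; the regexes, the function names and both sample messages are constructed assumptions, and the `#@~^` / `^#~@` markers are the standard wrapper that JScript.Encode puts around encoded script.

```python
"""Flag HTML mail that carries a JScript.Encode block or a link to an .hta file.

Added example for the Xebiz thread; indicator names and the sample messages
below are constructed and do not reproduce any real campaign content.
"""
import re
from email import message_from_string
from typing import Dict, Iterator, List

# <script language="JScript.Encode"> is how the encoded block is declared.
RE_ENCODE_TAG = re.compile(r'<script[^>]*language\s*=\s*["\']?jscript\.encode', re.I)
# Output of JScript.Encode is wrapped in "#@~^" ... "^#~@" markers.
RE_ENCODE_MARK = re.compile(r'#@~\^.*?\^#~@', re.S)
# Any href/src pointing at an HTML Application (.hta) file.
RE_HTA_LINK = re.compile(r'(?:href|src)\s*=\s*["\']?([^"\'\s>]+\.hta)\b', re.I)


def html_parts(raw: str) -> Iterator[str]:
    """Yield every text/html body in a raw RFC 2822 message, decoded to str."""
    msg = message_from_string(raw)
    for part in msg.walk():  # a single-part message walks as itself
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "latin-1", "replace")


def find_indicators(html: str) -> Dict[str, object]:
    """Return the indicators present in one HTML body."""
    return {
        "jscript_encode_tag": bool(RE_ENCODE_TAG.search(html)),
        "jscript_encode_marker": bool(RE_ENCODE_MARK.search(html)),
        "hta_links": RE_HTA_LINK.findall(html),
    }


def classify(raw: str) -> str:
    """'block' when encoded script and an .hta link co-occur, 'quarantine'
    when only one family of indicator is present, else 'pass'."""
    encoded = False
    hta: List[str] = []
    for html in html_parts(raw):
        ind = find_indicators(html)
        encoded = encoded or ind["jscript_encode_tag"] or ind["jscript_encode_marker"]
        hta.extend(ind["hta_links"])
    if encoded and hta:
        return "block"
    if encoded or hta:
        return "quarantine"
    return "pass"


# Constructed sample shaped like the thread's description (encoded script at
# the bottom of an otherwise ordinary-looking HTML body, plus a .HTA link).
SAMPLE_EMAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: your order
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Thank you for your order. Click <a href="http://example.invalid/Links.HTA">here</a>.</p>
<script language="JScript.Encode">#@~^AQAAAA==placeholder^#~@</script>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>Plain newsletter with a <a href="http://example.invalid/news.html">link</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, classify(raw))
```

The filter deliberately treats the two indicator families separately: an .hta link alone or an encoded script alone is suspicious enough to hold for review, while the combination the thread describes is blocked outright. Decoding the script is unnecessary for this decision; the wrapper markers are enough to spot it.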