Re: [Declude.Virus] JS/Zerolin

2004-09-07 Thread Scott Fisher
Like you, AVG and F-Prot don't catch them here but Virusscan does. Declude Virus does 
toss out a warning: Warning: file#=224 (0224.js ... )

Also seems to be a dictionary type attack given the recipients' names.

09/05/2004 11:08:01 Q39d809bf029cc654 MIME file: [text/html][quoted-printable; Length=2086 Checksum=144666]
09/05/2004 11:08:01 Q39d809bf029cc654 Found potentially dangerous stuff in D:\IMail\spool\D39d809bf029cc654.vir\0.!
09/05/2004 11:08:02 Q39d809bf029cc654 Warning: file#=224 (0224.js ... )
09/05/2004 11:08:02 Q39d809bf029cc654 Scanner 3: Virus= the JS/Zerolin trojan !!! Attachment=[Unknown: Err] [26] O
09/05/2004 11:08:02 Q39d809bf029cc654 File(s) are INFECTED [ the JS/Zerolin trojan !!!: 13]
09/05/2004 11:08:02 Q39d809bf029cc654 Scanned: CONTAINS A VIRUS [MIME: 2 2344]
09/05/2004 11:08:02 Q39d809bf029cc654 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 203.200.31.7]
09/05/2004 11:08:02 Q39d809bf029cc654 Subject: submissions end september 28th -  Sun, 05 Sep 2004 14:05:50 -0200

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 09/07/04 04:26PM 
Hi,

I am seeing my McAfee scanner catch these JS/Zerolin viruses but FProt
(3.15a) does not see them at all. 

Does anyone know why that might be?


 
 Goran Jovanovic
 The LAN Shoppe


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] JS/Zerolin

2004-09-07 Thread Goran Jovanovic
Scott,

What is interesting is that I do not get the warning message that you
get!

What version of F-Prot are you using? Declude? I am using 1.79i8


09/07/2004 01:55:09 Q4d2710a401bcc5b2 MIME file: [text/html][quoted printable; Length=1452 Checksum=129510]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanner 2: Virus= the JS/Zerolin trojan !!! Attachment= [2] O
09/07/2004 01:55:10 Q4d2710a401bcc5b2 File(s) are INFECTED [ the JS/Zerolin trojan !!!: 13]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Scanned: CONTAINS A VIRUS [MIME: 2 1718]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [outgoing from 218.13.55.73]
09/07/2004 01:55:10 Q4d2710a401bcc5b2 Subject: appointment reminder


 
 Goran Jovanovic
 The LAN Shoppe




Re: [Declude.Virus] JS/Zerolin

2004-08-11 Thread R. Scott Perry

> In the last hour I've seen some JS/Zerolin
> Virus warnings are coming back as NDR's
> Mailfrom looks random or at least forged.

That is strange -- that appears to be a trojan horse, and therefore should 
not spread.  We'll look into it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.Virus] JS/Zerolin

2004-08-11 Thread Greg Little

Brand NEW version of a year old virus.
McAfee just released BRIEF info on it, dated today.

http://vil.nai.com/vil/content/v_127464.htm

3 here also. All three different IPs.
The VBS version is a year old trojan, it would have been very unusual
for that to be waking up.

An odd file name. All my "froms" are random names also, so forging is
likely.

Greg Little


Declude Virus Ver. 1.79 caught the  the JS/Zerolin trojan !!! virus in [Unknown: Err]
from [EMAIL PROTECTED] to:  [EMAIL PROTECTED], [EMAIL PROTECTED].

from [EMAIL PROTECTED] to:

from [EMAIL PROTECTED] to:

Markus Gufler wrote:

  In the last hour I've seen some JS/Zerolin
  Virus warnings are coming back as NDR's
  Mailfrom looks random or at least forged.

  Markus

---
[This E-mail scanned for viruses by Findlay Internet]



RE: [Declude.Virus] JS/Zerolin

2004-08-11 Thread John Tolmachoff (Lists)

Is the virus in an attachment, or part of an HTML body?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
