Thread: JS_NOCLOSE.E Possible mutation??

  1. #1
    Senior Member VicE$DoS$'s Avatar
    Join Date
    Nov 2002
    Posts
    209

    JS_NOCLOSE.E Possible mutation??

    Good Afternoon (GMT +1) Fellow AO'ers,

    We all know about JS_NOCLOSE.E; it's a supposedly harmless 'window opener' virus. That isn't really a virus!?!

    Weirdness going on here: our suite of Trend products (Viruswall, OfficeScan, ScanMail and ServerProtect) picked up NOCLOSE about a week ago. Trend couldn't clean it, so it moved it off the live system and quarantined it. Fair enough - I could've lived with that!

    BUT

    Today at 12:20 OfficeScan (the desktop av scanner) picked up JS_NOCLOSE again.
    Weird because I haven't browsed anything at all today, and doubly weird because I haven't received any inbound emails today. The preview panes in Outlook I have disabled on our network (because of the risks). So it's as if JS_NOCLOSE was waiting, hiding, and got triggered by the time or date or something. And also weird because there are no traces of the file JS_NOCLOSE.E, or the original attachment it came in, pup(1).htm, anywhere on the live system.

    What's going on? Anyone had similar experiences? Anyone got any pointers??

    Ps. What tool can I use to see what operation JS_NOCLOSE was trying to perform??

    Thanks

    VicE$DoS$
    I remember when Nihil was ickle. Does that mean I'm old?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Are you sure it's not picking it up from the quarantine and/or the browser's cache?

    Ps. What tool can I use to see what operation JS_NOCLOSE was trying to perform??
    It's JavaScript, so you should be able to read it with Notepad.

    You probably already know this but:
    http://vil.nai.com/vil/content/v_99279.htm
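
A scripted version of the "read it with Notepad" advice above, added here as an example and not part of either post: it pulls the script text and `on*` handlers out of an .htm file without rendering it and flags window-related calls. The pattern list and the sample markup are constructed for illustration and are not a signature for JS_NOCLOSE.E.

```python
import re
from html.parser import HTMLParser

# Calls worth a closer look in a "window opener" script.
# Assumed list for illustration only, not a vendor signature.
PATTERNS = {
    "window.open": re.compile(r"\bwindow\.open\s*\("),
    "move/resize": re.compile(r"\b(?:moveTo|moveBy|resizeTo|resizeBy)\s*\("),
    "timer": re.compile(r"\bset(?:Timeout|Interval)\s*\("),
}

class ScriptExtractor(HTMLParser):
    """Collects inline <script> bodies and on* event-handler attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.chunks = []  # (where it was found, script text)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if name.startswith("on") and value:
                self.chunks.append((f"<{tag} {name}>", value))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and data.strip():
            self.chunks.append(("<script>", data))

def triage(html_text):
    """Return (location, pattern label, source line) for each flagged line."""
    parser = ScriptExtractor()
    parser.feed(html_text)
    parser.close()
    return [(where, label, line.strip())
            for where, code in parser.chunks
            for line in code.splitlines()
            for label, rx in PATTERNS.items() if rx.search(line)]

# Constructed sample standing in for a quarantined attachment.
SAMPLE = """<html><body onunload="window.open('about:blank')">
<script>
function again() {
  var w = window.open('about:blank', '', 'width=1,height=1');
  w.moveTo(4000, 4000);
}
setInterval(again, 5000);
</script>
<p>window.open( in visible text is not script and is ignored</p>
</body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run it against a copy of the file restored from quarantine to an isolated analysis machine, or against files in the browser cache directory, so nothing is ever opened in a browser.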
