FakeAV Spam Continues (Apr 23, 2010)

SonicWALL UTM Research team continued to monitor the FakeAV spam campaigns, which are appearing with a variety of themes. Below is the e-mail format and a sample e-mail for each of the spam themes we saw during the week:

Campaign #1 – DHL Tracking Invoice

    Subject: DHL Tracking NR[8-digits].
    Attachment: DHL_invoice_Nr[5-digits].zip (contains DHL_invoice_Nr[5-digits].exe)

    Email Body:
    ————————
    Dear customer!

    Unfortunately we were not able to deliver postal package sent on
    the 22nd of March in time because the addressee’s address is wrong
    Please print out the invoice copy attached and collect the package
    at our department

    DHL Delivery Services.
    ————————

    The e-mail message looks like below:

    screenshot

Campaign #2 – DHL Delivery Services

    Subject: Please attention!
    Attachment: label.zip (contains label.exe)

    Email Body:
    ————————
    Dear customer!

    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.

    You may pickup the parcel at our post office personaly.

    Please attention!
    The shipping label is attached to this email.
    Print this label to get this package at our post office.

    Please do not reply to this e-mail, it is an unmonitored mailbox!

    Thank you,
    DHL Delivery Services.
    ————————

    The e-mail message looks like below:

    screenshot

Campaign #3 – Myspace Password

    Subject: Myspace Password Reset Confirmation! Your Support
    Attachment: password.zip (contains password.exe)

    Email Body:
    ————————
    Because of the measures taken to provide safety to our clients,
    your password has been changed. You can find your new password
    in attached document

    Thanks,
    The Myspace Team
    ————————

    The e-mail message looks like below:

    screenshot

Campaign #4 – Account Information

    Subject: {Mail Domain} account notification
    Attachment: setup.zip (contains setup.exe)

    Email Body:
    ————————
    Dear Customer,

    This e-mail was send by {mail domain} to notify you that we have
    temporanly prevented access to your account

    We have reasons to beleive that your account may have been
    accessed by someone else. Please run attached file and Follow
    instructions

    (C) {mail domain}
    ————————

    The e-mail message looks like below:

    screenshot

Campaign #5 – Love Mail

    Subject: I love… our love.
    Attachment: open.zip (contains open.exe)

    Email Body 1:
    ————————
    I think… our relationship is beautiful
    ————————

    Email Body 2:
    ————————
    Your love has made me… wealthy beyond my dreams
    ————————

    The e-mail message looks like below:

    screenshot
    screenshot

SonicWALL Gateway AntiVirus provided protection against these spammed FakeAV variants via the following signatures:

  • GAV: Bredolab.DI#email (Trojan) – 2,395,432 Hits
  • GAV: FakeAlert.GEN_6 (Trojan) – 581,491 Hits
  • GAV: Bredolab.MP#email_2 – 344,011 Hits
  • GAV: FakeAV.KO (Trojan) – 1,443 Hits
  • GAV: Bredolab.CA (Trojan) – 4,964 Hits
  • GAV: FakeRean_5 (Trojan) – 2,343 Hits

MS SMB Memory Corruption Vulnerability (April 22, 2010)

Microsoft Windows is one of the most popular operating systems, used on both servers and clients. Windows is compatible with a wide range of hardware and software, and it bundles many applications and modules such as file editing, picture drawing and resource management.

Windows's native file-and-print networking framework is one of these bundled modules. It uses the Server Message Block (SMB) protocol, which provides file sharing, network printing, remote procedure calls and other functionality.

An SMB message is composed of a header and message-specific data. The following describes an SMB message structure:

    Offset  Size      Field
    ------------------------------------------------------------------------
    0x0000  BYTE[4]   Contains 0xFF,'SMB'
    0x0004  BYTE      Command Type (SMB_COM_TRANS = 0x25)
    0x0005  DWORD     Error Class
    0x0009  BYTE      Flags: x... .... (Request if x=0, Response if x=1)
    0x000A  WORD      Flags2
    0x000C  WORD      PID High
    0x000E  DWORD[2]  Signature
    0x0016  WORD      Unused
    0x0018  WORD      Tree ID
    0x001A  WORD      Process ID
    0x001C  WORD      User ID
    0x001E  WORD      Multiplex ID
    0x0020  var       SMB Message Data (format depends on the Command Type)

The SMB common header is immediately followed by command type-specific data. There are several SMB request/response types used in the SMB protocol. One such request/response type is SMB_COM_TRANSACTION (Command Type = 0x25), also known as TRANS. This command is used as the transport for the Transaction Subprotocol Commands which operate on mailslots and named pipes.
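As an added example (not code from the original alert), the following Python parses the 32-byte common header laid out above and identifies a server-to-client SMB_COM_TRANSACTION response, the message class a client-side MS10-020 check has to inspect. It assumes the buffer begins at the 0xFF 'SMB' signature (any transport prefix already stripped) and uses a constructed sample header.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Tuple

SMB_MAGIC = b"\xffSMB"           # bytes 0x0000-0x0003
SMB_COM_TRANSACTION = 0x25       # TRANS command type
SMB_HEADER_LEN = 32              # command-specific data begins at 0x0020
FLAGS_REPLY = 0x80               # top bit of Flags: 0 = request, 1 = response

# The 32-byte header, little-endian, in the field order of the table above:
# magic[4], command, status(DWORD), flags, flags2, pid_high, signature[8],
# unused, tid, pid, uid, mid
_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


@dataclass
class SmbHeader:
    command: int
    status: int
    flags: int
    flags2: int
    pid_high: int
    signature: bytes
    tid: int
    pid: int
    uid: int
    mid: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAGS_REPLY)


def parse_smb_header(msg: bytes) -> Tuple[SmbHeader, bytes]:
    """Split an SMB message into its common header and the command-specific data.

    Raises ValueError on a truncated buffer or a missing 0xFF 'SMB' signature,
    so a caller never acts on fields read from a non-SMB buffer.
    """
    if len(msg) < SMB_HEADER_LEN:
        raise ValueError("truncated SMB header: %d bytes" % len(msg))
    (magic, cmd, status, flags, flags2, pid_high, sig, _unused,
     tid, pid, uid, mid) = _HEADER.unpack_from(msg)
    if magic != SMB_MAGIC:
        raise ValueError("missing SMB signature")
    hdr = SmbHeader(cmd, status, flags, flags2, pid_high, sig, tid, pid, uid, mid)
    return hdr, msg[SMB_HEADER_LEN:]


def is_trans_response(msg: bytes) -> bool:
    """True for a server-originated SMB_COM_TRANSACTION response.

    MS10-020 is a flaw in the client's handling of this response, so a
    client-side check only needs to inspect traffic in this direction.
    """
    try:
        hdr, _ = parse_smb_header(msg)
    except ValueError:
        return False
    return hdr.command == SMB_COM_TRANSACTION and hdr.is_response


def build_header(command: int, is_response: bool, tid: int = 0, pid: int = 0,
                 uid: int = 0, mid: int = 0, status: int = 0) -> bytes:
    """Build a header for test data; the signature field is left zeroed."""
    flags = FLAGS_REPLY if is_response else 0
    return _HEADER.pack(SMB_MAGIC, command, status, flags, 0, 0, b"\0" * 8, 0,
                        tid, pid, uid, mid)


# Constructed sample: a TRANS response followed by 11 bytes of command data.
SAMPLE_TRANS_RESPONSE = (build_header(SMB_COM_TRANSACTION, True, tid=1, pid=0x1234,
                                      uid=2, mid=3) + b"\x0a" + b"\x00" * 10)

if __name__ == "__main__":
    header, data = parse_smb_header(SAMPLE_TRANS_RESPONSE)
    print(header, "data bytes:", len(data),
          "trans response:", is_trans_response(SAMPLE_TRANS_RESPONSE))
```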

A memory corruption vulnerability exists in the SMB client implementation on Microsoft Windows. The vulnerability is due to a design error in the handling of specially crafted SMB_COM_TRANSACTION responses; because the flaw is on the client side, the crafted response comes from an SMB server the victim machine connects to. Successful exploitation of this vulnerability would allow the attacker to inject and execute arbitrary code on the target system.

SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect attack attempts.

  • 5141 MS SMB SMB_COM_TRANSACTON BO PoC (MS10-020)

The vendor tracks this vulnerability as MS10-020; its CVE identifier is CVE-2010-0476.

MS Media Player Memory Corruption (April 16, 2010)

Windows Media Player (WMP) is a digital media player and media library application developed by Microsoft. The player can play audio and video and view images, among other media-related functions. Windows Media Player can be instantiated by web pages through a scriptable ActiveX control. The “WMPlayer.OCX” control is supplied by the wmp.dll library. The control can be instantiated by its name or by the corresponding CLSID: 6BF52A52-394A-11D3-B153-00C04F79FAA6.

The player is capable of playing media files encoded with numerous encoding schemes. This is facilitated by pluggable codecs. A codec is a computer program capable of encoding and decoding a digital data stream. When a media file is opened by the application, Windows Media Player will attempt to decode it with an installed codec. If the required codec is already installed on the host then it is used to process the file. In cases where the file is encoded with a codec that is not available on the host, Windows Media Player will perform an asynchronous network request to Microsoft to attempt to locate the proper codec.

A vulnerability exists in Windows Media Player due to a use-after-free flaw when opening certain media files. When the player processes a media file for which no codec is available on the host, it opens an asynchronous connection to Microsoft. If the ActiveX control is destroyed by script during that time, the memory for the associated object is freed internally. After the asynchronous call returns, the process then calls a function on the freed object, which can divert the flow of the process to injected malicious code.

An attacker could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Exploiting it for code execution is not a trivial task; when an attack fails, the browser may terminate abnormally.

SonicWALL has released an IPS signature to block and detect a known exploit targeting this vulnerability. The following signature has been released to address this issue:

  • 5111 – Windows Media Player Remote Code Execution PoC (MS10-027)

It should be noted that in addition to this signature, SonicWALL has numerous IPS signature subsets which detect and block commonly used shellcode, heap sprays and general exploitation attempts that target vulnerabilities of this type.

This vulnerability has been assigned CVE-2010-0268 by MITRE.
The vendor has released an advisory addressing this issue.

Fake McAfee E-mail protection tool – Banker Trojan (Apr 15, 2010)

SonicWALL UTM Research team discovered a new Banker Trojan spam theme involving fake McAfee E-mail Protection alerts. The instance we saw is in Portuguese and warns the user of a virus infection on their computer.

The e-mail pretends to come from McAfee E-Mail Protection and informs the user that their computer is infected with a virus, Worm/Delf.JBH, that is sending malicious e-mails to all the contacts found on the computer. It further warns that the e-mail account will be permanently blocked if the virus is not removed, and offers a fake cleanup tool from McAfee E-mail Protection via a URL in the e-mail. Clicking the URL leads to the download of the new Banker Trojan variant.

The e-mail message looks like:

screenshot

screenshot

screenshot

The downloaded fake McAfee E-mail protection cleanup tool looks like:

screenshot

If the user runs the malicious executable file, it performs the following activities:

  • Downloads and executes two malicious executable files, which are also information-stealing Trojan variants:
    • www.te(REMOVED)di.com/union/u6.jpg => C:\sshs.exe [Detected as GAV: Delf_150 (Trojan)]
    • www.te(REMOVED)di.com/union/u7.jpg => C:\ksso.exe [Detected as GAV: Hupigon_804 (Trojan)]

    Both the files are compressed with PECompact v2 packer. The site hosting these files appears to be compromised as shown below:

    screenshot

  • The executables above harvest e-mail addresses, log other sensitive information on the victim machine, and send the stolen data via POST requests to a malicious domain.

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Banker.BXQ_3 (Trojan) signature.

Java Web Start Command-Line Injection (Apr 14, 2010)

A command-line injection vulnerability exists in Oracle's (formerly Sun's) Java Web Start (aka JavaWS or javaws). JavaWS is a component of the Java 2 Runtime Environment (JRE). It facilitates deployment of applications written in the Java programming language over a network.

Web Start applications do not run inside the browser. Instead they run in their own sandbox, which often has fewer restrictions than the in-browser applet sandbox. Information about a Web Start application is stored in a Java Network Launching Protocol (JNLP) file. When the JRE is installed, JNLP files are associated with JavaWS by default. Since Java 6 Update 10, Oracle has distributed the Java Plugin and the Java Deployment Toolkit as NPAPI plug-ins and ActiveX controls, to give developers a way of distributing their Java applications to end users.

The command-line injection vulnerability is due to insufficient input validation of JNLP network paths. When the Java Plugin or the Java Deployment Toolkit is used to launch a Web Start application, each checks only that the provided URL points to a network resource (a URL beginning with “http:” or “https:” is sufficient) and then launches the JavaWS command-line utility. If the string -J appears within the URL, the NPAPI plug-in or ActiveX control incorrectly passes it through as a command-line parameter to the JavaWS utility. In other words, a URL containing -J can bypass the restrictions and execute arbitrary Java code outside the confines of the Java security sandbox. An attacker could exploit the vulnerability by enticing the target user to open a crafted HTML page; successful exploitation results in execution of arbitrary code within the security context of the logged-in user.

SonicWALL has released several IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5026 Sun Java jnlp Command Injection Attempt 1
  • 5027 Sun Java jnlp Command Injection Attempt 2
  • 5031 Sun Java jnlp Command Injection Attempt 3
  • 5036 Sun Java jnlp Command Injection Attempt 4
  • 5086 Sun Java jnlp Command Injection Attempt 5
  • 5091 Sun Java jnlp Command Injection Attempt 6
  • 5093 Sun Java jnlp Command Injection Attempt 7

Bredolab DHL and Facebook spam continues (Apr 9, 2010)

SonicWALL UTM Research team continued to monitor the Bredolab e-mail spam campaigns themed around the popular social networking website Facebook and the courier service DHL. E-mails from these campaigns started appearing early this morning and were still being spammed at the time of writing this alert.

SonicWALL has already received more than 400,000 e-mail copies from these spam campaigns. The e-mail messages in both campaigns carry a zip-archived attachment which contains a new variant of the Bredolab Trojan executable. The sample e-mail format from each spam campaign is shown below:

Campaign #1 – DHL Services

Subject:

  • DHL Express Services. You need to get a parcel NR.[4-digit numeric number]
  • DHL Office. Please get your parcel NR.[4-digit numeric number]
  • DHL services. Please get your parcel NR.[5-digit numeric number]
  • DHL International. Get your parcel NR.[4-digit numeric number]
  • DHL Customer Services. Please get your parcel NR.[4-digit numeric number]

Attachment: DHL_package_1737.zip (contains DHL_package_1737.exe)

Email Body:
————————
Hello!

The courier service was not able to deliver your parcel at your address.
Cause: Mistake in address.

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office..

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation NR.[4-digit numeric number]

Attachment: Facebook_password_1574.zip (contains Facebook_password_1574.exe)

Email Body:
————————
Hey [Facebook User]!

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thanks,
The Facebook Team.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document file:

screenshot

Installation

    Drops DLL component files

Files Installed

  • All Users\Application Data\Microsoft\Windows\mspdb44.dll – [GAV: Bredolab.CL_2 (Trojan)]
  • system32\lgou.rlo – [GAV: Oficla.FO_2 (Trojan)]

Registry Changes

    Added Registry

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: LoadAppInit_DLLs
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: RequireSignedAppInit_DLLs
    Data: dword:00000000

    Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Original Data: “Explorer.exe”
    Modified Data: “Explorer.exe rundll32.exe lgou.rlo mrtiyyb”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: AppInit_DLLs
    Original Data: “”
    Modified Data: “All Users\Application Data\Microsoft\Windows\mspdb44.dll”

SonicWALL Gateway AntiVirus provides protection against this Trojan via the GAV: Bredolab.CL (Trojan), GAV: Bredolab.CL_2 (Trojan) and GAV: Oficla.FO_2 (Trojan) signatures.

New Storm Variant (June 27, 2008)

A new spammed wave of Storm e-mails was discovered. The e-mail arrives with the subject “Re: Delivery Protection”. The body of the message contains a link pointing to hxxp://www.slowinscy.pl/xxx/index1.php

Details are in the alert in PDF format.

Novell Netware FTP Server BO (Apr 9, 2010)

The Novell Netware operating system provides file sharing and other services such as printing and email. Netware includes an FTP server which facilitates the transfer of files to and from Netware volumes. File transfers can be performed using a regular FTP client.

The initial connection to the FTP server forms the control stream, on which FTP service commands are passed from the client to the server and replies from the server to the client. A separate stream is used for the transfer of data.

FTP service commands define the file transfer or file system function requested by a connected user. Some examples of FTP commands:

  • CWD – change the working directory
  • MKD – create a directory
  • RMD – delete a directory
  • LIST – transfer a list of the files in the current directory
  • NLST – transfer a list of file names, separated by CRLF or NL characters

A buffer overflow vulnerability exists in the Novell Netware FTP service. The vulnerability is due to insufficient boundary checks when processing some FTP commands. The vulnerable code copies a user-supplied string into a fixed-size buffer without validating the length of the string. When an FTP user requests directory creation or removal with an overly long argument, the vulnerable code copies the argument past the end of that buffer.

Exploitation of this vulnerability may result in process flow diversion of the vulnerable service. The service continues to operate after an unsuccessful code injection attempt, which may give the attacker multiple chances to exploit the targeted host. Only authenticated users can attempt an attack, as the affected commands are available only after authentication.
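As an added example (not code from the alert), the following Python scans the client side of an FTP control stream and reports MKD and RMD commands whose argument exceeds a configurable length, which is the shape of check the two signatures below implement. The 256-byte limit and the sample session are assumptions.

```python
from __future__ import annotations

from typing import Dict, Iterable, List, Tuple

# The two commands the alert names as reaching the unchecked copy.
WATCHED_COMMANDS = {"MKD", "RMD"}
# Assumed tuning value, not a figure from the alert: RFC 959 path names are
# normally short, so an argument far longer than this is worth an alert.
MAX_ARG_LEN = 256


def parse_ftp_command(line: bytes) -> Tuple[str, bytes]:
    """Split one client control-stream line into (COMMAND, argument).

    Commands are case-insensitive (RFC 959) and separated from the argument
    by the first space; the argument is kept as raw bytes because in an
    attack it need not be printable text.
    """
    line = line.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    return cmd.decode("ascii", "replace").upper(), arg


def flag_overlong_commands(client_lines: Iterable[bytes],
                           max_len: int = MAX_ARG_LEN) -> List[Dict[str, object]]:
    """Return one record per MKD/RMD whose argument is longer than max_len bytes."""
    alerts: List[Dict[str, object]] = []
    for lineno, raw in enumerate(client_lines, 1):
        cmd, arg = parse_ftp_command(raw)
        if cmd in WATCHED_COMMANDS and len(arg) > max_len:
            alerts.append({"line": lineno, "command": cmd, "arg_len": len(arg)})
    return alerts


# Constructed client side of a session: one normal MKD, then two overlong ones.
SAMPLE_CLIENT_LINES = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"CWD /pub\r\n",
    b"MKD reports\r\n",
    b"mkd " + b"A" * 600 + b"\r\n",
    b"RMD " + b"B" * 300 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for alert in flag_overlong_commands(SAMPLE_CLIENT_LINES):
        print(alert)
```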

SonicWALL's existing signatures for this type of flaw already detect and block attacks targeting this vulnerability. The following signatures are available:

  • 34 – MKD Command BO Attempt
  • 239 – RMD Command BO Attempt

This vulnerability has been assigned CVE-2010-0625 by MITRE. The vendor has released an advisory with a patch addressing this issue.

Bredolab DHL and Facebook Spam Campaigns (Dec 21, 2009)

SonicWALL UTM Research continues to observe the same social engineering tactic being used to spam new variants of Bredolab.

This new variant uses a DHL undelivered parcel e-mail spam campaign similar to the one we covered in SonicAlert – Multiple Spam Waves – Bredolab.X. This new DHL undelivered parcel campaign, which started on December 7, 2009, involves a fake e-mail message pretending to come from DHL Delivery Services. The e-mail informs the user that DHL was not able to deliver their parcel due to an error in the shipping address. It further instructs the user to pick up the parcel at their post office and print the attached shipping label. The attachment, however, is an executable file: the new variant of the Bredolab Trojan.

Another campaign the authors of this Trojan use is the Facebook password reset spam, which has continued since we covered it in SonicAlert – New social engineering tactics by Bredolab and ZBot. It still involves a fake e-mail message pretending to arrive from Facebook. It informs users that Facebook has taken measures to protect its clients, including resetting their password, and instructs them to retrieve the new password from the attached document, which is the new variant of the Bredolab Trojan.

Campaign #1 – DHL parcel service

Subject:

  • DHL Express Services. You need to get a parcel NR.[4-digit numeric number]
  • DHL Office. Please get your parcel NR.[4-digit numeric number]
  • DHL services. Please get your parcel NR.[5-digit numeric number]
  • DHL International. Get your parcel NR.[4-digit numeric number]
  • DHL Customer Services. Please get your parcel NR.[4-digit numeric number]

Attachment: DHL_Print_label_12454.zip (contains DHL_Print_label_12454.exe)

Email Body:
————————
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation! Customer Message
  • Facebook Password Reset Confirmation! Your Support
  • Facebook Password Reset Confirmation! Important Message
  • Facebook Password Reset Confirmation! Customer Support

Attachment: Facebook_Password_10493.zip (contains Facebook_Password_10493.exe)

Email Body:
————————
Hey [Facebook User]!

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thank,
Your facebook.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

screenshot

screenshot

When executed, the Trojan performs the following host-level activity:

  • Drops a copy of itself as (Windows System Folder)\Startup\rarype32.exe (~36KB)
  • Deletes the original file
  • Injects its code into the winlogon.exe process in memory, from which it tries to connect to the dollardream.ru domain and download an encrypted configuration file.

The Trojan is also known as Mal/Bredo-A [Sophos] and TrojanDownloader:Win32/Bredolab.AB [Microsoft].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Bredolab.AA_6 (Trojan) signature. [13,428,256 hits recorded starting December 10, 2009].

Trojan targeting Vietnamese Speakers (Apr 2, 2010)

SonicWALL UTM Research team observed reports, published by Google, of a new Trojan targeting Vietnamese speakers. The malware authors repackaged their binary together with the Vietnamese keyboard driver VPSKeys, a legitimate application that provides Vietnamese keyboard support to Windows users.

Users who downloaded this keyboard driver may not be aware that it is a tampered version, since the VPSKeys installer and the malicious binary look the same apart from a discrepancy in file size.

screenshot

Screenshot of VPSKeys
screenshot

Installation

  • Copies itself to the %User%\Application Data folder and runs from there.

Files Installed

  • %User%\Application Data\Java\jre6\bin\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %User%\Application Data\Java\jre6\bin\zf32.dll
  • %User%\Application Data\Vpskeys43.exe – [Detected as GAV: VulcanBot (Trojan)]
  • Program Files\Adobe\AdobeUpdateManager.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Adobe\zf32.dll
  • Program Files\Microsoft Office\Office11\OSA.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows Defender\MPClient.exe – [Detected as GAV: Dosvine_2 (Trojan)]
  • Program Files\Windows Defender\MPSvc.exe – [Detected as GAV: Dosvine_3 (Trojan)]
  • Program Files\Java\jre6\bin\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Java\jre6\bin\zf32.dll
  • Program Files\Windows NT\Windows Update\wuauclt.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows NT\Windows Update\zf32.dll
  • %Windir%\system32\mscommon.inf
  • %Windir%\system32\msconfig32.sys
  • %Windir%\system32\zf32.dll
  • %Windir%\system32\Setup\AdobeUpdateManager.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\MPClient.exe – [Detected as GAV: Dosvine_2 (Trojan)]
  • %Windir%\system32\Setup\MPSvc.exe – [Detected as GAV: Dosvine_3 (Trojan)]
  • %Windir%\system32\Setup\OSA.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\wuauclt.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\zf32.dll

Registry Changes

    Added Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Data: “C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”

    Added to run the binary as a service

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck
    Value: ImagePath
    Data: C:\Program Files\Java\jre6\bin\jucheck.exe

    Added to run the binary on every Windows startup

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: “C:\Program Files\Adobe\AdobeUpdateManager.exe”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: “C:\Program Files\Microsoft Office\Office11\OSA.exe”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: “C:\Program Files\Adobe\AdobeUpdateManager.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: “C:\Program Files\Microsoft Office\Office11\OSA.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”

    Added to run the binary in Windows Safe Mode

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck
    Value: @
    Data: “Service”
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck
    Value: @
    Data: “Service”

    Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Original Data: “C:\WINDOWS\System32\userinit.exe,”
    Modified Data: “C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”
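As an added example that is not part of either alert, the following Python takes registry values as (key, value name, data) tuples, for instance from a .reg export or a host survey, and flags the persistence mechanisms described for Bredolab above (Winlogon Shell, AppInit_DLLs with the signing requirement disabled) and for this Trojan (Winlogon Userinit, SafeBoot service entries). The clean-value baselines and the sample entries are constructed assumptions; Run-key entries are deliberately not judged here, since they need a per-host known-good list.

```python
from __future__ import annotations

from typing import Dict, FrozenSet, Iterable, List, Tuple

# One registry value as it would come from a .reg export or a host survey:
# (key path, value name, data).  "@" is the default value, as in the alerts.
RegEntry = Tuple[str, str, object]

WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
WINDOWS_NT_SUFFIX = r"\microsoft\windows nt\currentversion\windows"
SAFEBOOT_MARK = "\\control\\safeboot\\"

# Assumed clean baseline for the values these Trojans edit, matching the
# "Original Data" shown in the alerts (32-bit, XP-era system directory).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


def _norm(data: object) -> str:
    """Lower-case and strip quotes/whitespace so equal values compare equal."""
    return str(data).strip().strip('"').strip().lower()


def _dword(data: object) -> int:
    """Accept an int or the .reg text form 'dword:00000001'."""
    if isinstance(data, int):
        return data
    text = str(data).strip().lower()
    if text.startswith("dword:"):
        return int(text[6:], 16)
    return int(text, 0)


def find_persistence(entries: Iterable[RegEntry],
                     safeboot_baseline: FrozenSet[str] = frozenset()) -> List[str]:
    """Report registry values matching the persistence tricks in the alerts."""
    findings: List[str] = []
    appinit: Dict[str, int] = {}     # LoadAppInit_DLLs / RequireSignedAppInit_DLLs
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(WINLOGON_SUFFIX):
            # Shell and Userinit gain an extra program (Bredolab, Vulcanbot).
            if n == "shell" and _norm(data) != DEFAULT_SHELL:
                findings.append(f"{key}\\Shell tampered: {data}")
            elif n == "userinit" and _norm(data) != DEFAULT_USERINIT:
                findings.append(f"{key}\\Userinit tampered: {data}")
        elif k.endswith(WINDOWS_NT_SUFFIX):
            # AppInit_DLLs loads the named DLL into every GUI process.
            if n == "appinit_dlls" and _norm(data):
                findings.append(f"AppInit_DLLs set: {data}")
            elif n in ("loadappinit_dlls", "requiresignedappinit_dlls"):
                appinit[n] = _dword(data)
        elif SAFEBOOT_MARK in k:
            # A service registered to run in Safe Mode that is not on the
            # host's known-good list (Vulcanbot's "jucheck").
            service = key.rsplit("\\", 1)[-1]
            if service.lower() not in safeboot_baseline:
                findings.append(f"non-baseline SafeBoot entry: {key}")
    if appinit.get("loadappinit_dlls") == 1 and appinit.get("requiresignedappinit_dlls") == 0:
        findings.append("AppInit DLL loading enabled with the signature requirement disabled")
    return findings


# Constructed sample built from the two alerts above, plus one clean value.
SAMPLE_ENTRIES: List[RegEntry] = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "LoadAppInit_DLLs", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "RequireSignedAppInit_DLLs", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "AppInit_DLLs", r"All Users\Application Data\Microsoft\Windows\mspdb44.dll"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", "Explorer.exe rundll32.exe lgou.rlo mrtiyyb"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", r"C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck",
     "@", "Service"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", '"Explorer.exe"'),          # clean: must not be reported
]
```

Running `find_persistence(SAMPLE_ENTRIES)` yields five findings, one per tampered value plus the combined AppInit switch check, and nothing for the clean Shell value.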

Process Created

  • jucheck.exe
  • AdobeUpdateManager.exe
  • MPsvc.exe
  • wuauclt.exe
  • OSA.exe

Network Activity

It tries to connect to the following domains:

  • adobe.ath.cx
  • blogspot.blogsite.org
  • google.homeunix.com
  • tyuqwer.dyndns.org
  • update-adobe.com
  • voanews.ath.cx
  • ymail.ath.cx

This malware is also known as W32/Vulcanbot [McAfee], Win32/VBbot.V [Microsoft], and VBbot.A [ESET].

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Vulcanbot (Trojan), GAV: Dosvine (Trojan), GAV: Dosvine_2 (Trojan), GAV: Dosvine_3 (Trojan) and GAV: VBBot.V (Trojan) signatures.