Most rogue antivirus software displays an interface that is predominantly in English, with some presenting a few other European languages as well. However, this month one of the families added by MSRT is Win32/Onescan, a Korean fake antivirus scanner that is the most prevalent of the Asian language-based rogues.
Recently we noticed that several different English language rogue antivirus families have become inactive, with much of the remainder now consolidating around two other rogue families previously added to MSRT: Win32/Winwebsec (currently calling itself System Progressive Protection) and Win32/FakeRean (which has reappeared in the past week).
The social engineering aspects of Win32/Onescan are fairly similar to its English-language counterparts. It shows an interface that appears to scan the system, and may falsely report a number of malware infections. It periodically pops up a dialog with a large button at the bottom with red text suggesting (in Korean) that the user “Fix” these problems. It will probably not be a surprise that clicking this button takes users to a webpage informing them that they will need to pay if they want to remove these threats. Naturally the “Fix” button is far more prominent than the one to dismiss the dialog.
Much like Win32/FakePAV and Rogue:Win32/FakeSmoke, both of which are currently inactive, Win32/Onescan often changes the name it uses for itself. This may be because it acquires a poor reputation among users, or because its websites may be blocked in web browsers by technologies such as Internet Explorer’s SmartScreen. Below are just some of the names used by Win32/Onescan. You may notice that many of them are variations on the word “vaccine.”
alphavaccine, anycop, bestvaccine, bizvaccine, bluevaccine, boandefender, boanguard, boaninfo, boankeeper, boansupporter, boanupgrade, Bootcare, checkvaccine, cleanvaccine, coolspeed, DASearch, defencevaccine, directvaccine, diskvaccine, doublevaccine, DoubleVaccine, easyboan, easyvaccine, EnPrivacy, everyclean, EveryGuard, everyguard, fastcure, fastpc, fastvaccine, firstvaccine, goodvaccine, gvaccine, HardScan, highclear, highvaccine, homevaccine, infoclear, InfoData, InfoDoctor, InfoHelper, infosaver, internetspeed, keepprotect, lifeclean, lightpc, litevaccine, livepc, livesafer, mastervaccine, microboan, multicare, multivaccine, MyKeeper, mypcclean, mysafer, myvaccine, MyVaccine, neovaccine, netvaccine, onescan, pcboan365, PCTrouble, pcupgrade, perfectcure, pointvaccine, powerboan, powercure, primevaccine, proguard, proscan, provaccine, purevaccine, realchecker, realcleaner, realsecurity, searchvaccine, Siren114, smartmode, smartsafer, smartspeed, SmartVaccine, solutionpc, specialguard, speedcheck, speedcontrol, speedcure, speedplus, speedsolution, speedtools, speedvaccine, sweeperlab, topboan, topchecker, topvaccine, totalvaccine, UProtect, userboan, userprotect, UtilKorea, UtilMarket, vaccinecode, vaccinecom, VaccineCure, vaccinefree, vaccinehelper, vaccinekiller, vaccinenet, vaccineon, vaccinepc, vaccinepower, vaccineprogram, vaccinesafe, vaccinesafer, vaccineupdate, vaccinezero, vcboan, vcmanager, windowcure, windowguard, WindowVaccine, windowvaccine, WiseVaccine, wisevaccine, XProtect, zerocop, zvaccine
If you are in need of an antivirus product and prefer to use a language other than English, you can find far more reputable suppliers among our antivirus partners, many of whom are based in countries where English is not the dominant language. Or, if you have a genuine copy of Windows, you can download Microsoft Security Essentials for free from http://windows.microsoft.com/en-AU/windows/products/security-essentials/download, where it is available in more than thirty different languages, including Korean. Alternatively, the version of Windows Defender supplied with Windows 8 will contain built-in, full-featured antivirus protection.
David Wood
MMPC Melbourne
Example SHA1s:
vaccinepc: 102d511dd580596bf086557ecf28760d99084987
speedcure: 036d49278b163e9f4b267c535c521ee9da640d47