Friday, 24 February 2012

Rogue:Win32/Onescan


Encyclopedia entry
Updated: Dec 08, 2011  |  Published: Nov 16, 2010

Aliases
  • Trojan.Fakealert.15309 (Dr.Web)
  • Win32/Adware.IScan.A (ESET)
  • SoftwareBundler:Win32/NetPumper.A (other)
  • TROJ_FAKEAV.SMTF (Trend Micro)
  • One Scan (other)
  • Siren114 (other)
  • EnPrivacy (other)
  • PC Trouble (other)
  • My Vaccine (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.93.1582.0
Released: Nov 10, 2010

Summary

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs the user that payment is needed to register the software and remove these non-existent threats.
Special Note: Reports of Rogue Antivirus programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of a program called any of the following:
    One Scan 
    Bootcare 
    XProtect 
    SmartVaccine 
    WindowVaccine 
    WiseVaccine 
    VaccineCure 
    MyVaccine 
    MyKeeper 
    UtilKorea 
    UProtect 
    EveryGuard 
    PCTrouble 
    DoubleVaccine 
    HardScan 
    DASearch 
    UtilMarket 
    Siren114 
    InfoHelper 
    InfoDoctor 
    InfoData 
    EnPrivacy
  • The program's logo may appear similar to any of the following:
  • The presence of any of the following registry modifications:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<Onescan brand name>"
    With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"
    For example:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "ddos-clean"
    With data: "%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "anycop main"
    With data: "%ProgramFiles%\anycop\anycopu.exe /8l"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "vaccinecom main"
    With data: "%ProgramFiles%\vaccinecom\vaccinecomu.exe /8l"
    ---
    In subkey: HKLM\SOFTWARE\<Onescan brand name>
    Sets value: "code1"
    With data: "<random word>"
    For example:
    In subkey: HKLM\SOFTWARE\vaccinecom
    Sets value: "code1"
    With data: "pay"
    In subkey: HKLM\SOFTWARE\pcvaccine
    Sets value: "code1"
    With data: "pcvaccine"
    In subkey: HKLM\SOFTWARE\AllSearch
    Sets value: "code1"
    With data: "down"
    ---
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
    Sets value: "DisplayName"
    With data: "<Onescan brand name>"
    For example:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AllSearch
    Sets value: "DisplayName"
    With data: "dasearch"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ddosclean
    Sets value: "DisplayName"
    With data: "ddosclean"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\anycop
    Sets value: "DisplayName"
    With data: "anycop"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcvaccine
    Sets value: "DisplayName"
    With data: "pcvaccine"

Technical Information (Analysis)

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs the user that payment is needed to register the software and remove these non-existent threats.
Installation
This rogue is developed and distributed by Korean websites. The rogue can be downloaded and installed from various websites, such as the following:
  • any<removed>.com
  • pri<removed>yn.com
  • vac<removed>com.com
  • wba<removed>.com
The download website may appear similar to the following:
Note that the download is blocked by the SmartScreen Filter for Internet Explorer, as it is determined to be a rogue. To avoid detection, the rogue is branded and distributed under various names, including but not limited to the following:
One Scan 
Bootcare 
XProtect 
SmartVaccine 
WindowVaccine 
WiseVaccine 
VaccineCure 
MyVaccine 
MyKeeper 
UtilKorea 
UProtect 
EveryGuard 
PCTrouble 
DoubleVaccine 
HardScan 
DASearch 
UtilMarket 
Siren114 
InfoHelper 
InfoDoctor 
InfoData 
EnPrivacy
The installer creates a folder, using one of its variant names, under the %ProgramFiles% folder. In the wild, we have observed folders named in both Korean and English.
The installer may look similar to any of the following:
The logo has many different versions, including any of the following:
Onescan also creates the following registry entries to ensure that it runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Onescan brand name>"
With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ddos-clean"
With data: "%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "anycop main"
With data: "%ProgramFiles%\anycop\anycopu.exe /8l"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "vaccinecom main"
With data: "%ProgramFiles%\vaccinecom\vaccinecomu.exe /8l"
It may also create the following registry entry as part of its installation routine:
In subkey: HKLM\SOFTWARE\<Onescan brand name>
Sets value: "code1"
With data: "<random word>"
For example:
In subkey: HKLM\SOFTWARE\vaccinecom
Sets value: "code1"
With data: "pay"
In subkey: HKLM\SOFTWARE\pcvaccine
Sets value: "code1"
With data: "pcvaccine"
In subkey: HKLM\SOFTWARE\AllSearch
Sets value: "code1"
With data: "down"
Some variants of Onescan may create an uninstall entry in the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
Sets value: "DisplayName"
With data: "<Onescan brand name>"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AllSearch
Sets value: "DisplayName"
With data: "dasearch"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ddosclean
Sets value: "DisplayName"
With data: "ddosclean"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\anycop
Sets value: "DisplayName"
With data: "anycop"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcvaccine
Sets value: "DisplayName"
With data: "pcvaccine"
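The three registry indicators described in the Symptoms and Installation sections (the Run-key autostart value, the code1 marker under HKLM\SOFTWARE\<brand>, and the Uninstall DisplayName) can be checked mechanically. The following is an added example, not code from the Microsoft entry: it matches a constructed list of (subkey, value name, data) tuples against those shapes, correlating the code1 and uninstall entries with brand folders found in the Run key; the sample values and the benign 7-Zip entry are hypothetical, and the "/81" spelling is accepted alongside "/8l" because the page prints both.

```python
import re

# Constructed sample registry values as (subkey, value name, data), modelled on the
# advisory's examples plus one benign entry; hypothetical, not read from a real host.
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ddos-clean",
     r"%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "vaccinecom main",
     r"%ProgramFiles%\vaccinecom\vaccinecomu.exe /8l"),
    (r"HKLM\SOFTWARE\vaccinecom", "code1", "pay"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AllSearch",
     "DisplayName", "dasearch"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
     "DisplayName", "7-Zip 9.20"),
]

RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"
UNINSTALL_PREFIX = RUN_KEY[:-3] + "uninstall\\"
# Brand names listed in the advisory; brands seen only in the Run key are added at runtime.
KNOWN_BRANDS = {"onescan", "bootcare", "xprotect", "smartvaccine", "windowvaccine",
                "wisevaccine", "vaccinecure", "myvaccine", "mykeeper", "utilkorea",
                "uprotect", "everyguard", "pctrouble", "doublevaccine", "hardscan", "dasearch",
                "utilmarket", "siren114", "infohelper", "infodoctor", "infodata", "enprivacy"}
# Autostart data shape: %ProgramFiles%\<brand>\<brand>u.exe /8l (the page also prints /81).
AUTOSTART_RE = re.compile(r"^%programfiles%\\([^\\]+)\\([^\\]+?)u\.exe\s+/8[l1]$", re.I)


def normalize(name):
    # Case-insensitive comparison ignoring hyphens and spaces (ddos-clean == ddosclean).
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_onescan_indicators(values):
    """Return (reason, location) pairs for values matching the advisory's indicators."""
    brands, findings = set(KNOWN_BRANDS), []
    # Pass 1: Run-key autostart values; each hit also reveals the variant's brand folder.
    for subkey, name, data in values:
        m = AUTOSTART_RE.match(data) if subkey.lower() == RUN_KEY else None
        if m and normalize(m.group(1)) == normalize(m.group(2)):
            brands.add(normalize(m.group(1)))
            findings.append(("autostart", subkey + "\\" + name))
    # Pass 2: the code1 marker and the uninstall entry, correlated with the brand names.
    for subkey, name, data in values:
        low, leaf = subkey.lower(), normalize(subkey.rsplit("\\", 1)[-1])
        if name.lower() == "code1" and low.startswith("hklm\\software\\") and low.count("\\") == 2:
            if leaf in brands:
                findings.append(("code1 marker", subkey))
        elif low.startswith(UNINSTALL_PREFIX) and name.lower() == "displayname":
            if leaf in brands or normalize(data) in brands:
                findings.append(("uninstall entry", subkey))
    return findings
```

On a live system the same function can be fed the output of a registry export or a winreg walk of the three key locations.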
Payload
Displays fake alerts
This rogue may display alerts about fake issues on the affected computer. The alerts may appear similar to the following:
Connects to remote websites
This rogue reports its installation on the affected computer by sending data strings through the web browser Internet Explorer, as in the following examples:
<rogue website>/value.php?strMode=setup&strID=siva&strPC=<MAC address>&strSite=<rogue website>
<rogue website>/mac_ck.php?strPC=<MAC address>
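The two check-in URLs above have a fixed shape (value.php with strMode, strID, strPC and strSite; mac_ck.php with strPC carrying the MAC address), which makes them easy to flag in web proxy logs. The following is an added example, not part of the Microsoft entry: it scans constructed proxy log lines for URLs of that shape. The host names, client addresses and log layout are hypothetical, and because the page does not state how the MAC address is formatted, the common six-octet forms are accepted.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, user agent.
# Hypothetical data; the host names are placeholders, not the real sites.
SAMPLE_LOG = """\
2012-02-24T09:15:02 10.0.0.7 GET http://rogue-site.example/value.php?strMode=setup&strID=siva&strPC=00-11-22-33-44-55&strSite=rogue-site.example Mozilla/4.0 (compatible; MSIE 8.0)
2012-02-24T09:15:09 10.0.0.7 GET http://rogue-site.example/mac_ck.php?strPC=00-11-22-33-44-55 Mozilla/4.0 (compatible; MSIE 8.0)
2012-02-24T09:16:30 10.0.0.9 GET http://shop.example/view.php?strMode=setup&strPC=ORDER-42 Mozilla/5.0
"""

# strPC carries the MAC address; its exact formatting is not stated on the page,
# so the usual six-octet forms (separated by -, : or nothing) are accepted here.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]?){5}[0-9a-f]{2}$", re.I)


def is_onescan_beacon(url):
    """True if url has the shape of the value.php or mac_ck.php check-in described above."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    pc = query.get("strPC", [""])[0]
    if not MAC_RE.match(pc):
        return False
    path = parts.path.lower()
    if path.endswith("/mac_ck.php"):
        return True
    return path.endswith("/value.php") and "strMode" in query and "strSite" in query


def scan_proxy_log(text):
    """Return (client IP, URL) for each line whose URL looks like an Onescan check-in."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 4)  # the user agent may itself contain spaces
        if len(fields) >= 4 and is_onescan_beacon(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits
```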
The following is a list of websites that the rogue has been observed connecting to:
Analysis by Tim Liu and Mihai Calota
