Threat Research & Response Blog
Most rogue antivirus software displays an interface that is predominantly in English, with some presenting a few other European languages as well. However, this month one of the families added to MSRT is Win32/Onescan, a Korean fake antivirus scanner that is the most prevalent of the Asian language-based rogues.
Recently we noticed that several different English language rogue antivirus families have become inactive, with much of the remainder now consolidating around two other rogue families previously added to MSRT: Win32/Winwebsec (currently calling itself System Progressive Protection) and Win32/FakeRean (which has reappeared in the past week).
The social engineering aspects of Win32/Onescan are fairly similar to its English-language counterparts. It shows an interface that appears to scan the system, and may falsely report a number of malware infections. It periodically pops up a dialog with a large button at the bottom with red text suggesting (in Korean) that the user "Fix" these problems. It will probably not be a surprise that clicking this button takes users to a webpage informing them that they will need to pay if they want to remove these threats. Naturally the "Fix" button is far more prominent than the one to dismiss the dialog.
Much like Win32/FakePAV and Rogue:Win32/FakeSmoke, both of which are currently inactive, Win32/Onescan changes the name it uses for itself often. This may be because it receives a poor reputation among users, or because its websites may be blocked in web browsers by technologies such as Internet Explorer's SmartScreen. Below are just some of the names used by Win32/Onescan. You may notice that many of them are variations on the word "vaccine."
If you are in need of an antivirus product and prefer to use a language other than English, you can find far more reputable suppliers among our antivirus partners, many of whom are based in countries where English is not the dominant language. Or, if you have a genuine copy of Windows, you can download Microsoft Security Essentials for free from http://windows.microsoft.com/en-AU/windows/products/security-essentials/download, where it is available in more than thirty different languages, including Korean. Alternatively, the version of Windows Defender supplied with Windows 8 will contain built-in, full-featured antivirus protection.
David Wood, MMPC Melbourne
Example SHA1s:
vaccinepc: 102d511dd580596bf086557ecf28760d99084987
speedcure: 036d49278b163e9f4b267c535c521ee9da640d47