Most rogue antivirus software displays an interface that is predominantly in English, with some presenting a few other European languages as well. However, this month one of the families added by MSRT is Win32/Onescan, a Korean fake antivirus scanner that is the most prevalent of the Asian language-based rogues.

 

Recently we noticed that several different English language rogue antivirus families have become inactive, with much of the remainder now consolidating around two other rogue families previously added to MSRT: Win32/Winwebsec (currently calling itself System Progressive Protection) and Win32/FakeRean (which has reappeared in the past week).

The social engineering aspects of Win32/Onescan are fairly similar to its English-language counterparts. It shows an interface that appears to scan the system, and may falsely report a number of malware infections. It periodically pops up a dialog with a large button at the bottom with red text suggesting (in Korean) that the user "Fix" these problems. It will probably not be a surprise that clicking this button takes users to a webpage informing them that they will need to pay if they want to remove these threats. Naturally the "Fix" button is far more prominent than the one to dismiss the dialog. 

Much like Win32/FakePAV and Rogue:Win32/FakeSmoke, both of which are currently inactive, Win32/Onescan changes the name it uses for itself often. This may be because it receives a poor reputation among users, or because its websites may be blocked in web browsers by technologies such as Internet Explorer's SmartScreen. Below are just some of the names used by Win32/Onescan. You may notice that many of them are variations on the word "vaccine."

alphavaccine
anycop
bestvaccine
bizvaccine
bluevaccine
boandefender
boanguard
boaninfo
boankeeper
boansupporter
boanupgrade
Bootcare
checkvaccine
cleanvaccine
coolspeed
DASearch
defencevaccine
directvaccine
diskvaccine
doublevaccine
DoubleVaccine
easyboan
easyvaccine
EnPrivacy
everyclean
EveryGuard
everyguard
fastcure
fastpc
fastvaccine
firstvaccine
goodvaccine
gvaccine
HardScan
highclear
highvaccine
homevaccine
infoclear
InfoData
InfoDoctor
InfoHelper
infosaver
internetspeed
keepprotect
lifeclean
lightpc
litevaccine
livepc
livesafer
mastervaccine
microboan
multicare
multivaccine
MyKeeper
mypcclean
mysafer
myvaccine
MyVaccine
neovaccine
netvaccine
onescan
pcboan365
PCTrouble
pcupgrade
perfectcure
pointvaccine
powerboan
powercure
primevaccine
proguard
proscan
provaccine
purevaccine
realchecker
realcleaner
realsecurity
searchvaccine
Siren114
smartmode
smartsafer
smartspeed
SmartVaccine
solutionpc
specialguard
speedcheck
speedcontrol
speedcure
speedplus
speedsolution
speedtools
speedvaccine
sweeperlab
topboan
topchecker
topvaccine
totalvaccine
UProtect
userboan
userprotect
UtilKorea
UtilMarket
vaccinecode
vaccinecom
VaccineCure
vaccinefree
vaccinehelper
vaccinekiller
vaccinenet
vaccineon
vaccinepc
vaccinepower
vaccineprogram
vaccinesafe
vaccinesafer
vaccineupdate
vaccinezero
vcboan
vcmanager
windowcure
windowguard
WindowVaccine
windowvaccine
WiseVaccine
wisevaccine
XProtect
zerocop
zvaccine

If you are in need of an antivirus product and prefer to use a language other than English, you can find far more reputable suppliers among our antivirus partners, many of whom are based in countries where English is not the dominant language. Or, if you have a genuine copy of Windows, you can download Microsoft Security Essentials for free from http://windows.microsoft.com/en-AU/windows/products/security-essentials/download, where it is available in more than thirty different languages, including Korean. Alternatively, the version of Windows Defender supplied with Windows 8 will contain built-in, full-featured antivirus protection.

 

David Wood
MMPC Melbourne

 

Example SHA1s:
vaccinepc: 102d511dd580596bf086557ecf28760d99084987
speedcure: 036d49278b163e9f4b267c535c521ee9da640d47