Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs you that you need to pay to register the software and remove these non-existent threats from your PC.
Installation
This rogue is developed and distributed by Korean websites. The rogue can be downloaded and installed from various websites, like the following:
- any<removed>.com
- pri<removed>yn.com
- vac<removed>com.com
- wba<removed>.com
The download website might look similar to the following:
Note that the download is blocked by the SmartScreen Filter for Internet Explorer because the site is known to distribute the rogue. To avoid detection, the rogue is branded and distributed under many different names, including but not limited to the following:
- alphavaccine
- anycop
- bestvaccine
- bizvaccine
- bluevaccine
- boandefender
- boanguard
- boaninfo
- boankeeper
- boansupporter
- boanupgrade
- Bootcare
- checkvaccine
- cleanvaccine
- coolspeed
- DASearch
- defencevaccine
- directvaccine
- diskvaccine
- doublevaccine
- DoubleVaccine
- easyboan
- easyvaccine
- EnPrivacy
- everyclean
- everyguard
- EveryGuard
- fastcure
- fastpc
- fastvaccine
- firstvaccine
- goodvaccine
- gvaccine
- HardScan
- highclear
- highvaccine
- homevaccine
- infoclear
- InfoData
- InfoDoctor
- InfoHelper
- infosaver
- internetspeed
- keepprotect
- lifeclean
- lightpc
- litevaccine
- livepc
- livesafer
- mastervaccine
- microboan
- multicare
- multivaccine
- MyKeeper
- mypcclean
- mysafer
- myvaccine
- MyVaccine
- neovaccine
- netvaccine
- One Scan
- onescan
- pcboan365
- PCTrouble
- pcupgrade
- perfectcure
- pointvaccine
- powerboan
- powercure
- primevaccine
- proguard
- proscan
- provaccine
- purevaccine
- realchecker
- realcleaner
- realsecurity
- searchvaccine
- Siren114
- smartmode
- smartsafer
- smartspeed
- SmartVaccine
- solutionpc
- specialguard
- speedcheck
- speedcontrol
- speedcure
- speedplus
- speedsolution
- speedtools
- speedvaccine
- sweeperlab
- topboan
- topchecker
- topvaccine
- totalvaccine
- UProtect
- userboan
- userprotect
- UtilKorea
- UtilMarket
- vaccinecode
- vaccinecom
- VaccineCure
- vaccinefree
- vaccinehelper
- vaccinekiller
- vaccinenet
- vaccineon
- vaccinepc
- vaccinepower
- vaccineprogram
- vaccinesafe
- vaccinesafer
- vaccineupdate
- vaccinezero
- vcboan
- vcmanager
- windowcure
- windowguard
- windowvaccine
- WindowVaccine
- wisevaccine
- WiseVaccine
- XProtect
- zerocop
- zvaccine
The installer creates a folder, using one of its variant names, under the %ProgramFiles% folder. In the wild, we have observed folders named in both Korean and English.
The downloaded files are installed to %ProgramFiles%\<product name> (for example, %ProgramFiles%\vaccinepc\).
- <product name>.exe - main scanner component
- <product name>u.exe - component that checks for updates
- <product name>start.exe - component that launches the scanner component
- <product name>d.dll - configuration data (not a DLL)
- uninst_<product name>.exe - uninstaller
- EGutil.dll
For example:
- vaccinepc.exe
- vaccinepcu.exe
- vaccinepcstart.exe
- vaccinepcd.dll
- uninst_vaccinepc.exe
The <product name>start.exe component monitors whether other executable components of the malware are running, and might re-launch them if not.
The installer might look similar to any of the following:
The logo has many different versions, including any of the following:
Onescan also creates the following registry entries to ensure that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Onescan brand name>"
With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"
Sets value: "<product name> main"
With data: %ProgramFiles%\<product name>\<product name>u.exe /8L
Sets value: <product name>start.exe
With data: %ProgramFiles%\<product name>\<product name>start.exe
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ddos-clean"
With data: "%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "anycop main"
With data: "%ProgramFiles%\anycop\anycopu.exe /8l"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "vaccinecom main"
With data: "%ProgramFiles%\vaccinecom\vaccinecomu.exe /8l"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: speedcure main
With data: %ProgramFiles%\speedcure\speedcureu.exe /8L
Sets value: speedcurestart.exe
With data: %ProgramFiles%\speedcure\speedcurestart.exe
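The three Run-key shapes documented above (the `<name>u.exe /8l` updater entry, the `<name> main` value name, and the `<name>start.exe` watchdog) are regular enough to check for mechanically. The following Python is an added triage example, not part of the original analysis; it parses constructed `reg query` output for the Run key (the sample lines and the benign SecurityHealth entry are made up for the example) and reports which values fit Onescan's layout.

```python
import re
# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output: three entries built from the Onescan patterns above plus one benign entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ddos-clean    REG_SZ    %ProgramFiles%\ddos-clean\ddoscleanu.exe /8l
    anycop main    REG_SZ    %ProgramFiles%\anycop\anycopu.exe /8l
    speedcurestart.exe    REG_SZ    %ProgramFiles%\speedcure\speedcurestart.exe
    SecurityHealth    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCuiL.exe
"""

# One `reg query` value line: name, REG_* type and data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
# %ProgramFiles%\<dir>\<stem>u.exe /8l (the switch appears as /81, /8L and /8l above)
UPDATER = re.compile(r"^%ProgramFiles%\\([^\\]+)\\([^\\]+)u\.exe\s+/8[l1]$", re.I)
# %ProgramFiles%\<dir>\<stem>start.exe, registered under the value name <stem>start.exe
WATCHDOG = re.compile(r"^%ProgramFiles%\\([^\\]+)\\([^\\]+)start\.exe$", re.I)

def _norm(s):
    # Lower-case and drop punctuation so 'ddos-clean' and 'ddosclean' compare equal.
    return re.sub(r"[^a-z0-9]", "", s.lower())

def parse_run_values(text):
    """Yield (value name, data) pairs from `reg query` output for one key."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group(1), m.group(3).strip()

def classify(name, data):
    """Return a reason if a Run value matches Onescan's layout, else None."""
    m = UPDATER.match(data)
    if m and _norm(m.group(1)) == _norm(m.group(2)):
        return "updater autorun (<name>u.exe /8l)"
    m = WATCHDOG.match(data)
    if m and name.lower() == (m.group(2) + "start.exe").lower():
        return "watchdog autorun (<name>start.exe)"
    if name.lower().endswith(" main"):
        return "'<name> main' value name"
    return None

def find_onescan_autoruns(text):
    """Return [(value name, data, reason)] for every suspicious Run value."""
    hits = []
    for name, data in parse_run_values(text):
        reason = classify(name, data)
        if reason:
            hits.append((name, data, reason))
    return hits
```

Run the same parser over `reg query` output for the HKCU Run key as well, since the updater component is also the one that re-installs newer versions.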
It might also create the following registry entry as part of its installation routine:
In subkey: HKLM\SOFTWARE\<Onescan brand name>
Sets value: "code1"
With data: "<random word>"
For example:
In subkey: HKLM\SOFTWARE\vaccinecom
Sets value: "code1"
With data: "pay"
In subkey: HKLM\SOFTWARE\pcvaccine
Sets value: "code1"
With data: "pcvaccine"
In subkey: HKLM\SOFTWARE\AllSearch
Sets value: "code1"
With data: "down"
Some variants of Onescan might create an uninstall entry in the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
Sets value: "DisplayName"
With data: "<Onescan brand name>"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AllSearch
Sets value: "DisplayName"
With data: "dasearch"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ddosclean
Sets value: "DisplayName"
With data: "ddosclean"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\anycop
Sets value: "DisplayName"
With data: "anycop"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcvaccine
Sets value: "DisplayName"
With data: "pcvaccine"
It might also add itself to the Add/Remove Programs list by creating the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<product name>
Sets value: DisplayName
With data: <product name>
Sets value: DisplayVersion
With data: <version number>
Sets value: HelpLink
With data: <product website>
Sets value: URLInfoAbout
With data: <product website>
Sets value: UninstallString
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: Nochange
With data: 1
Sets value: NoRepair
With data: 1
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedcure
Sets value: DisplayName
With data: speedcure
Sets value: DisplayVersion
With data: 1.2
Sets value: HelpLink
With data: hxxp://www.speedcure.co.kr
Sets value: URLInfoAbout
With data: hxxp://www.speedcure.co.kr
Sets value: UninstallString
With data: %ProgramFiles%\speedcure\uninst_speedcure.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\speedcure\uninst_speedcure.exe
Sets value: Nochange
With data: 1
Sets value: NoRepair
With data: 1
It might also store various items like configuration information, status information, and dates that various activities took place under the key HKLM\SOFTWARE\<product name> (for example, HKLM\SOFTWARE\vaccinepc).
Payload
Displays fake alerts
This rogue might display alerts on fake issues on the affected PC. The alerts could appear similar to the following:
Connects to remote websites
This rogue tries to notify the malware authors when it infects your PC by sending data strings via the web browser Internet Explorer, as in the following examples:
<rogue website>/value.php?strMode=setup&strID=siva&strPC=<MAC address>&strSite=<rogue website>
<rogue website>/mac_ck.php?strPC=<MAC address>
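Because both notifications carry the infected PC's MAC address in the `strPC` parameter, a proxy or web-gateway log is enough to find infected hosts and tie each one to its adapter. The following Python is an added example, not from the original analysis: it assumes a simple log format of `<timestamp> <client ip> <method> <url>`, uses a placeholder host name, and flags the two request shapes shown above while extracting the MAC.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (format assumed: "<timestamp> <client ip> <method> <url>").
# The host name is a placeholder; the query strings follow the two beacon formats above.
SAMPLE_PROXY_LOG = """\
2013-05-02T10:14:03 10.0.0.15 GET http://rogue-site.invalid/value.php?strMode=setup&strID=siva&strPC=00-11-22-33-44-55&strSite=rogue-site.invalid
2013-05-02T10:14:05 10.0.0.15 GET http://rogue-site.invalid/mac_ck.php?strPC=00-11-22-33-44-55
2013-05-02T10:14:09 10.0.0.22 GET http://www.example.com/value.php?id=42
2013-05-02T10:14:12 10.0.0.22 GET http://www.example.com/mac_ck.php?strPC=not-a-mac
"""

# Six hex octets, either unseparated or with a consistent ':' or '-' separator.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def classify_url(url):
    """Return (verdict, host, mac) for an Onescan beacon URL, else None."""
    parts = urlsplit(url)
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    path = parts.path.lower()
    mac = q.get("strpc", "")
    if not MAC_RE.match(mac):
        return None
    if path.endswith("/value.php") and q.get("strmode") == "setup":
        return ("onescan-setup-beacon", parts.hostname, mac)
    if path.endswith("/mac_ck.php"):
        return ("onescan-mac-check", parts.hostname, mac)
    return None

def scan_proxy_log(text):
    """Return [(timestamp, client, verdict, host, mac)] for every beacon in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[0], fields[1]) + verdict)
    return hits
```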
The following is a list of websites that the rogue has been observed connecting to:
Downloads updates
The malware will periodically contact the website that it was installed from and check whether a newer version is available. If so, it will download it, and replace the existing files with the newer ones, before launching the new copy.
Analysis by David Wood, Tim Liu and Mihai Calota