
Rogue:Win32/Onescan


Encyclopedia entry
Updated: Oct 05, 2012  |  Published: Nov 16, 2010

Aliases
  • Trojan.Fakealert.15309 (Dr.Web)
  • Win32/Adware.IScan.A (ESET)
  • SoftwareBundler:Win32/NetPumper.A (other)
  • TROJ_FAKEAV.SMTF (Trend Micro)
  • One Scan (other)
  • Siren114 (other)
  • EnPrivacy (other)
  • PC Trouble (other)
  • My Vaccine (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.401.0
Released: May 18, 2013
Detection initially created:
Definition: 1.93.1582.0
Released: Nov 10, 2010

Summary

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs the user that payment is needed to register the software and remove these non-existent threats.

Special Note:
Reports of rogue antivirus programs have become more prevalent recently. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of a program called any of the following:

    alphavaccine
    anycop
    bestvaccine
    bizvaccine
    bluevaccine
    boandefender
    boanguard
    boaninfo
    boankeeper
    boansupporter
    boanupgrade
    Bootcare
    checkvaccine
    cleanvaccine
    coolspeed
    DASearch
    defencevaccine
    directvaccine
    diskvaccine
    doublevaccine
    DoubleVaccine
    easyboan
    easyvaccine
    EnPrivacy
    everyclean
    everyguard
    EveryGuard
    fastcure
    fastpc
    fastvaccine
    firstvaccine
    goodvaccine
    gvaccine
    HardScan
    highclear
    highvaccine
    homevaccine
    infoclear
    InfoData
    InfoDoctor
    InfoHelper
    infosaver
    internetspeed
    keepprotect
    lifeclean
    lightpc
    litevaccine
    livepc
    livesafer
    mastervaccine
    microboan
    multicare
    multivaccine
    MyKeeper
    mypcclean
    mysafer
    myvaccine
    MyVaccine
    neovaccine
    netvaccine
    One Scan
    onescan
    pcboan365
    PCTrouble
    pcupgrade
    perfectcure
    pointvaccine
    powerboan
    powercure
    primevaccine
    proguard
    proscan
    provaccine
    purevaccine
    realchecker
    realcleaner
    realsecurity
    searchvaccine
    Siren114
    smartmode
    smartsafer
    smartspeed
    SmartVaccine
    solutionpc
    specialguard
    speedcheck
    speedcontrol
    speedcure
    speedplus
    speedsolution
    speedtools
    speedvaccine
    sweeperlab
    topboan
    topchecker
    topvaccine
    totalvaccine
    UProtect
    userboan
    userprotect
    UtilKorea
    UtilMarket
    vaccinecode
    vaccinecom
    VaccineCure
    vaccinefree
    vaccinehelper
    vaccinekiller
    vaccinenet
    vaccineon
    vaccinepc
    vaccinepower
    vaccineprogram
    vaccinesafe
    vaccinesafer
    vaccineupdate
    vaccinezero
    vcboan
    vcmanager
    windowcure
    windowguard
    windowvaccine
    WindowVaccine
    wisevaccine
    WiseVaccine
    XProtect
    zerocop
    zvaccine
  • The program's logo may appear similar to any of the following (logo images not reproduced here):

  • The presence of any of the following registry modifications:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<product name> main"
With data: %ProgramFiles%\<product name>\<product name>u.exe /8L
Sets value: <product name>start.exe
With data: %ProgramFiles%\<product name>\<product name>start.exe

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Onescan brand name>"
With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"

In subkey: HKLM\SOFTWARE\<Onescan brand name>
Sets value: "code1"
With data: "<random word>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
Sets value: "DisplayName"
With data: "<Onescan brand name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<product name>
Sets value: DisplayName
With data: <product name>
Sets value: DisplayVersion
With data: <version number>
Sets value: HelpLink
With data: <product website>
Sets value: URLInfoAbout
With data: <product website>
Sets value: UninstallString
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: NoModify
With data: 1
Sets value: NoRepair
With data: 1


Technical Information (Analysis)

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs the user that payment is needed to register the software and remove these non-existent threats.

Installation

This rogue is developed and distributed through Korean websites. It can be downloaded and installed from various websites, such as the following:

  • any<removed>.com
  • pri<removed>yn.com
  • vac<removed>com.com
  • wba<removed>.com

The download website may appear similar to the following (screenshot not reproduced here):

Note that SmartScreen Filter in Internet Explorer blocks the download because the file is classified as a rogue. To evade detection, the rogue is branded and distributed under many names, including but not limited to the following:

  • alphavaccine
  • anycop
  • bestvaccine
  • bizvaccine
  • bluevaccine
  • boandefender
  • boanguard
  • boaninfo
  • boankeeper
  • boansupporter
  • boanupgrade
  • Bootcare
  • checkvaccine
  • cleanvaccine
  • coolspeed
  • DASearch
  • defencevaccine
  • directvaccine
  • diskvaccine
  • doublevaccine
  • DoubleVaccine
  • easyboan
  • easyvaccine
  • EnPrivacy
  • everyclean
  • everyguard
  • EveryGuard
  • fastcure
  • fastpc
  • fastvaccine
  • firstvaccine
  • goodvaccine
  • gvaccine
  • HardScan
  • highclear
  • highvaccine
  • homevaccine
  • infoclear
  • InfoData
  • InfoDoctor
  • InfoHelper
  • infosaver
  • internetspeed
  • keepprotect
  • lifeclean
  • lightpc
  • litevaccine
  • livepc
  • livesafer
  • mastervaccine
  • microboan
  • multicare
  • multivaccine
  • MyKeeper
  • mypcclean
  • mysafer
  • myvaccine
  • MyVaccine
  • neovaccine
  • netvaccine
  • One Scan
  • onescan
  • pcboan365
  • PCTrouble
  • pcupgrade
  • perfectcure
  • pointvaccine
  • powerboan
  • powercure
  • primevaccine
  • proguard
  • proscan
  • provaccine
  • purevaccine
  • realchecker
  • realcleaner
  • realsecurity
  • searchvaccine
  • Siren114
  • smartmode
  • smartsafer
  • smartspeed
  • SmartVaccine
  • solutionpc
  • specialguard
  • speedcheck
  • speedcontrol
  • speedcure
  • speedplus
  • speedsolution
  • speedtools
  • speedvaccine
  • sweeperlab
  • topboan
  • topchecker
  • topvaccine
  • totalvaccine
  • UProtect
  • userboan
  • userprotect
  • UtilKorea
  • UtilMarket
  • vaccinecode
  • vaccinecom
  • VaccineCure
  • vaccinefree
  • vaccinehelper
  • vaccinekiller
  • vaccinenet
  • vaccineon
  • vaccinepc
  • vaccinepower
  • vaccineprogram
  • vaccinesafe
  • vaccinesafer
  • vaccineupdate
  • vaccinezero
  • vcboan
  • vcmanager
  • windowcure
  • windowguard
  • windowvaccine
  • WindowVaccine
  • wisevaccine
  • WiseVaccine
  • XProtect
  • zerocop
  • zvaccine

The installer creates a folder, using one of its variant names, under the %ProgramFiles% folder. In the wild, we have observed folders named in both Korean and English.

The downloaded files are installed to %ProgramFiles%\<product name> (for example, %ProgramFiles%\vaccinepc\).

  • <product name>.exe - main scanner component
  • <product name>u.exe - component that checks for updates
  • <product name>start.exe - component that launches the scanner component
  • <product name>d.dll - configuration data (despite the extension, not a DLL)
  • uninst_<product name>.exe - uninstaller
  • EGutil.dll

For example:

  • vaccinepc.exe
  • vaccinepcu.exe
  • vaccinepcstart.exe
  • vaccinepcd.dll
  • uninst_vaccinepc.exe

The <product name>start.exe component acts as a watchdog: it monitors whether the other executable components of the malware are running and may relaunch them if they have been stopped.
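
Because the brand list above is explicitly incomplete, a host-side check is more useful if it keys on the component naming pattern rather than on the names themselves. The following is an added example, not code from this entry or from Microsoft: it infers Onescan-style install folders from a directory listing by looking for the <name>.exe / <name>u.exe / <name>start.exe triple (and the optional <name>d.dll and uninst_<name>.exe), so a brand missing from the published list is still caught. The folder listing in the block is constructed; on a live host you would feed it os.listdir() output for each folder under %ProgramFiles%.

```python
# Added example, not code from the Microsoft entry: infer Onescan-style install
# folders from a directory listing by the component naming pattern the entry
# documents (<name>.exe, <name>u.exe, <name>start.exe, <name>d.dll,
# uninst_<name>.exe), so a brand missing from the published list is still caught.
# The folder listing below is constructed; on a live host, feed os.listdir() output.
from typing import Dict, Iterable, List, Tuple

REQUIRED = (".exe", "u.exe", "start.exe")          # scanner, updater, watchdog
OPTIONAL = ("d.dll",)                               # config blob (not a real DLL)


def match_onescan_layout(files: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """For file names from one folder, return (brand, components present) for every
    <brand> whose scanner, updater and watchdog executables are all present."""
    names = {f.lower() for f in files}
    hits: List[Tuple[str, List[str]]] = []
    for f in sorted(names):
        if not f.endswith("u.exe") or f == "u.exe":
            continue
        brand = f[: -len("u.exe")]                  # anycopu.exe -> anycop
        required = [brand + suffix for suffix in REQUIRED]
        if not all(r in names for r in required):
            continue                                # a lone <x>u.exe is not enough
        present = required + [brand + s for s in OPTIONAL if brand + s in names]
        if "uninst_" + brand + ".exe" in names:
            present.append("uninst_" + brand + ".exe")
        hits.append((brand, present))
    return hits


def scan_program_files(listing: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """listing maps a folder path to its file names; returns (folder, brand, components)."""
    found: List[Tuple[str, str, List[str]]] = []
    for folder, files in listing.items():
        for brand, present in match_onescan_layout(files):
            found.append((folder, brand, present))
    return found


# Constructed listing: the entry's vaccinepc example, a folder whose name differs
# from its file prefix (as with the entry's ddos-clean Run entry), and two
# folders that must not match.
SAMPLE_LISTING = {
    r"C:\Program Files\vaccinepc": ["vaccinepc.exe", "vaccinepcu.exe", "vaccinepcstart.exe",
                                    "vaccinepcd.dll", "uninst_vaccinepc.exe", "EGutil.dll"],
    r"C:\Program Files\ddos-clean": ["ddosclean.exe", "ddoscleanu.exe", "ddoscleanstart.exe",
                                     "ddoscleand.dll"],
    r"C:\Program Files\7-Zip": ["7z.exe", "7zFM.exe", "7-zip.dll", "Uninstall.exe"],
    r"C:\Program Files\Foo": ["foo.exe", "foou.exe", "readme.txt"],   # no watchdog: not a hit
}

if __name__ == "__main__":
    for folder, brand, present in scan_program_files(SAMPLE_LISTING):
        print(f"{folder}: brand={brand} components={present}")
```

Requiring all three executables keeps a folder with an unrelated <x>u.exe from being flagged; the uninstaller and the fake DLL are reported when present so the removal step knows what to delete.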

The installer may look similar to any of the following (screenshots not reproduced here):

The logo has many different versions, including any of the following (logo images not reproduced here):

Onescan also creates the following registry entries to ensure that it runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Onescan brand name>"
With data: "%ProgramFiles%\<Onescan brand name>\<Onescan brand name>u.exe /81"
Sets value: "<product name> main"
With data: %ProgramFiles%\<product name>\<product name>u.exe /8L
Sets value: <product name>start.exe
With data: %ProgramFiles%\<product name>\<product name>start.exe

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ddos-clean"
With data: "%ProgramFiles%\ddos-clean\ddoscleanu.exe /8l"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "anycop main"
With data: "%ProgramFiles%\anycop\anycopu.exe /8l"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "vaccinecom main"
With data: "%ProgramFiles%\vaccinecom\vaccinecomu.exe /8l"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: speedcure main
With data: %ProgramFiles%\speedcure\speedcureu.exe /8L
Sets value: speedcurestart.exe
With data: %ProgramFiles%\speedcure\speedcurestart.exe

It may also create the following registry entry as part of its installation routine:

In subkey: HKLM\SOFTWARE\<Onescan brand name>
Sets value: "code1"
With data: "<random word>"

For example:

In subkey: HKLM\SOFTWARE\vaccinecom
Sets value: "code1"
With data: "pay"

In subkey: HKLM\SOFTWARE\pcvaccine
Sets value: "code1"
With data: "pcvaccine"

In subkey: HKLM\SOFTWARE\AllSearch
Sets value: "code1"
With data: "down"

Some variants of Onescan may create an uninstall entry in the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Onescan brand name>
Sets value: "DisplayName"
With data: "<Onescan brand name>"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AllSearch
Sets value: "DisplayName"
With data: "dasearch"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ddosclean
Sets value: "DisplayName"
With data: "ddosclean"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\anycop
Sets value: "DisplayName"
With data: "anycop"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcvaccine
Sets value: "DisplayName"
With data: "pcvaccine"

It may also add itself to the Add/Remove Programs list by creating the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<product name>
Sets value: DisplayName
With data: <product name>
Sets value: DisplayVersion
With data: <version number>
Sets value: HelpLink
With data: <product website>
Sets value: URLInfoAbout
With data: <product website>
Sets value: UninstallString
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\<product name>\uninst_<product name>.exe
Sets value: NoModify
With data: 1
Sets value: NoRepair
With data: 1

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedcure
Sets value: DisplayName
With data: speedcure
Sets value: DisplayVersion
With data: 1.2
Sets value: HelpLink
With data: hxxp://www.speedcure.co.kr
Sets value: URLInfoAbout
With data: hxxp://www.speedcure.co.kr
Sets value: UninstallString
With data: %ProgramFiles%\speedcure\uninst_speedcure.exe
Sets value: DisplayIcon
With data: %ProgramFiles%\speedcure\uninst_speedcure.exe
Sets value: NoModify
With data: 1
Sets value: NoRepair
With data: 1

It may also store configuration and status information, and the dates on which various activities took place, under the key HKLM\SOFTWARE\<product name> (for example, HKLM\SOFTWARE\vaccinepc).
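
The registry shapes listed above (in both the Symptoms section and this section) are specific enough to be matched mechanically from an offline export. The following is an added example, not code from this entry or from Microsoft: it parses a Windows .reg export (such as the output of "reg export HKLM\SOFTWARE out.reg") and flags Run values of the "<brand> main" / "<brand>start.exe" shape, Uninstall subkeys whose UninstallString points at uninst_<brand>.exe, and HKLM\SOFTWARE\<brand> keys carrying a "code1" value. The minimal parser, the key constants, the handling of the /8L, /81 and /8l spellings of the updater switch as one switch, and the sample export are all assumptions made for the example; the sample is constructed.

```python
# Added example, not code from the Microsoft entry: flag Onescan-style Run,
# Uninstall and HKLM\SOFTWARE\<brand> entries in a Windows .reg export (the
# output of "reg export HKLM\SOFTWARE out.reg").  The patterns are the shapes
# the entry documents; the parser, key constants and the sample export below
# are assumptions/constructed for the example.
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SOFTWARE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE"

# %ProgramFiles% (or an expanded Program Files path) \ <folder> \ ...
_PF = r'^"?(?:%ProgramFiles%|[A-Za-z]:\\Program Files(?: \(x86\))?)\\([^\\"]+)\\'
# "<brand> main" / "<brand>"  ->  ...\<brand>u.exe /8l   (the entry renders the
# switch as /8L, /81 and /8l; l, L and 1 are treated as the same switch here)
UPDATER_RE = re.compile(_PF + r'([^\\"]+?)u\.exe"?\s+/8[lL1]"?\s*$', re.IGNORECASE)
# "<brand>start.exe"  ->  ...\<brand>start.exe   (watchdog that relaunches the rest)
STARTER_RE = re.compile(_PF + r'([^\\"]+?)start\.exe"?\s*$', re.IGNORECASE)
# Uninstall\<brand>\UninstallString  ->  ...\uninst_<brand>.exe
UNINST_RE = re.compile(_PF + r'uninst_([^\\"]+?)\.exe"?\s*$', re.IGNORECASE)

# One exported value line: "name"="string"  |  "name"=dword:hex  |  @="default"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9A-Fa-f]+))$')

Finding = Tuple[str, str, str, str]  # (indicator, key, value name, brand)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal 'Windows Registry Editor' export parser: {key: {value: data}}.
    Only REG_SZ and REG_DWORD lines are understood, which is all these IOCs need."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else m.group(1)
        if m.group(2) is not None:
            data = re.sub(r"\\(.)", r"\1", m.group(2))   # undo the export's \\ and \" escaping
        else:
            data = str(int(m.group(3), 16))               # REG_DWORD as decimal text
        keys[current][name] = data
    return keys


def _value(values: Dict[str, str], name: str) -> str:
    """Registry value names are case-insensitive; look one up that way."""
    return next((d for n, d in values.items() if n.lower() == name.lower()), "")


def find_onescan_indicators(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        m = UPDATER_RE.match(data)
        if m:
            findings.append(("run-updater", RUN_KEY, name, m.group(2).lower()))
            continue
        m = STARTER_RE.match(data)
        if m:
            findings.append(("run-starter", RUN_KEY, name, m.group(2).lower()))
    for key, values in keys.items():
        if key.lower().startswith(UNINSTALL_KEY.lower() + "\\"):
            m = UNINST_RE.match(_value(values, "UninstallString"))
            if m:
                findings.append(("uninstall-entry", key, "UninstallString", m.group(2).lower()))
        elif key.lower().startswith(SOFTWARE_KEY.lower() + "\\"):
            brand = key[len(SOFTWARE_KEY) + 1:]
            # HKLM\SOFTWARE\<brand> holding a "code1" value, one level deep only
            if "\\" not in brand and _value(values, "code1"):
                findings.append(("code1-marker", key, "code1", brand.lower()))
    return findings


def onescan_brands(findings: List[Finding]) -> List[str]:
    """Distinct brand names implicated by the findings."""
    return sorted({f[3] for f in findings})


# Constructed sample export: Onescan entries beside ordinary ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"anycop main"="%ProgramFiles%\\anycop\\anycopu.exe /8l"
"speedcurestart.exe"="%ProgramFiles%\\speedcure\\speedcurestart.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\vaccinecom]
"code1"="pay"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedcure]
"DisplayName"="speedcure"
"DisplayVersion"="1.2"
"UninstallString"="%ProgramFiles%\\speedcure\\uninst_speedcure.exe"
"NoModify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip]
"DisplayName"="7-Zip 9.20"
"UninstallString"="C:\\Program Files\\7-Zip\\Uninstall.exe"
'''

if __name__ == "__main__":
    for indicator, key, value, brand in find_onescan_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{indicator:16} brand={brand:12} {key}\\{value}")
```

The matching keys on the path shape plus the "/8l"-style switch rather than on the brand list, so the ddos-clean case above (folder name and file prefix differ) and brands not in the published list are still reported; the NoModify/NoRepair values are deliberately ignored because ordinary installers set them too.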

Payload

Displays fake alerts

This rogue may display alerts about fake issues on the affected computer. The alerts may appear similar to the following (screenshots not reproduced here):

Connects to remote websites

This rogue reports its installation back to the website it was distributed from by sending data strings in HTTP requests made through Internet Explorer, as in the following examples:

<rogue website>/value.php?strMode=setup&strID=siva&strPC=<MAC address>&strSite=<rogue website>
<rogue website>/mac_ck.php?strPC=<MAC address>

The following is a list of websites that the rogue has been observed connecting to:

abou<removed>fo.co.kr
all-<removed>an.co.kr
anti<removed>vacy.co.kr
anyc<removed>com
avac<removed>e.co.kr
blue<removed>cine.co.kr
boan<removed>co.kr
boan<removed>.co.kr
boan<removed>ager.co.kr
boan<removed>ution.co.kr
boot<removed>e.co.kr
clea<removed>ecker.co.kr
clea<removed>sk.co.kr
clea<removed>nager.co.kr
clea<removed>fer.co.kr
clea<removed>an.co.kr
clea<removed>er.co.kr
clea<removed>ccine.co.kr
code<removed>.kr
dase<removed>h.co.kr
data<removed>tect.co.kr
ddos<removed>an.com
dire<removed>accine.co.kr
doub<removed>accine.net
down<removed>ager.co.kr
e-tr<removed>.co.kr
easy<removed>n.co.kr
easy<removed>cine.co.kr
enpr<removed>cy.com
epro<removed>t.co.kr
ever<removed>ean.co.kr
ever<removed>ard.co.kr
gree<removed>ccine.co.kr
gvac<removed>e.co.kr
hard<removed>an.co.kr
hard<removed>n.co.kr
home<removed>cine.co.kr
i-sc<removed>co.kr
idpr<removed>ct.co.kr
info<removed>.com
info<removed>an.co.kr
info<removed>aner.co.kr
info<removed>annet.co.kr
info<removed>anup.co.kr
info<removed>ar.co.kr
info<removed>a.co.kr
info<removed>per.co.kr
info<removed>d.co.kr
info<removed>k.co.kr
info<removed>tect.co.kr
info<removed>ret.co.kr
info<removed>p.kr
inte<removed>tvaccine.co.kr
ivac<removed>e.co.kr
k-se<removed>ity.co.kr
keep<removed>o.co.kr
keep<removed>vacy.co.kr
keyc<removed>co.kr
life<removed>an.co.kr
live<removed>ker.co.kr
live<removed>cine.co.kr
micr<removed>p.co.kr
mkee<removed>.co.kr
mugy<removed>com
mult<removed>re.co.kr
mult<removed>ccine.co.kr
my-c<removed>n.com
mybo<removed>co.kr
mypr<removed>ct.co.kr
myva<removed>ne.co.kr
nvac<removed>e.co.kr
ones<removed>.co.kr
pc-c<removed>n.kr
pcbo<removed>65.co.kr
pcde<removed>ce.co.kr
pche<removed>co.kr
pcpr<removed>ct.co.kr
pcsa<removed>one.co.kr
pcsa<removed>lus.com
pctr<removed>le.co.kr
pcva<removed>ne.co.kr
plus<removed>n.co.kr
plus<removed>rd.co.kr
plus<removed>e.co.kr
plus<removed>cine.com
powe<removed>re.co.kr
powe<removed>re.co.kr
powe<removed>an.co.kr
priv<removed>lock.co.kr
priv<removed>medic.co.kr
priv<removed>n.com
priv<removed>pc.net
priv<removed>safe.co.kr
priv<removed>scan.co.kr
priv<removed>zone.co.kr
prob<removed>.co.kr
pros<removed>.co.kr
prov<removed>ine.co.kr
quic<removed>an.co.kr
real<removed>an.co.kr
real<removed>aner.co.kr
real<removed>tect.co.kr
real<removed>e.co.kr
rese<removed>fo.co.kr
safe<removed>n.co.kr
safe<removed>oan.co.kr
save<removed>o.co.kr
sear<removed>uard.co.kr
secu<removed>y119.co.kr
sigh<removed>cus.co.kr
sire<removed>4.com
smar<removed>de.co.kr
smar<removed>ivacy.co.kr
smar<removed>ccine.co.kr
spec<removed>boan.co.kr
spee<removed>ccine.co.kr
supp<removed>bar.co.kr
swee<removed>lab.co.kr
tool<removed>co.kr
topv<removed>ine.co.kr
tota<removed>ccine.co.kr
turb<removed>accine.co.kr
upro<removed>t.co.kr
user<removed>tect.com
user<removed>n.co.kr
user<removed>cine.co.kr
util<removed>ea.co.kr
util<removed>ket.co.kr
vacc<removed>-free.co.kr
vacc<removed>-plus.co.kr
vacc<removed>-program.co.kr
vacc<removed>com.com
vacc<removed>cure.co.kr
vacc<removed>killer.com
vacc<removed>safe.co.kr
vacc<removed>wave.co.kr
vacc<removed>zero.co.kr
vacc<removed>zone.co.kr
vcbo<removed>co.kr
viva<removed>ne.co.kr
vpro<removed>tor.co.kr
wbap<removed>com
webb<removed>.co.kr
wise<removed>cine.co.kr
wizp<removed>acy.co.kr
xcur<removed>o.kr
xpro<removed>t.co.kr
zvac<removed>e.co.kr
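
The two request shapes above are a better network indicator than the (partially redacted) domain list, since they carry a fixed parameter set and the host's MAC address regardless of which brand or domain is in use. The following is an added example, not code from this entry or from Microsoft: it picks those beacons out of web-proxy log lines, normalizes the MAC, and attaches the client address and timestamp. The log line layout, the .invalid host names and the accepted MAC spellings are assumptions (the entry says only "<MAC address>"), and the sample lines are constructed.

```python
# Added example, not code from the Microsoft entry: pick Onescan installation
# beacons out of a web-proxy log.  The two request shapes are the ones the entry
# lists (value.php?strMode=setup&strID=...&strPC=<MAC>&strSite=... and
# mac_ck.php?strPC=<MAC>); the log line format, the .invalid host names and
# the accepted MAC spellings are assumptions, and the sample lines are constructed.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff (assumption).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")
# "<timestamp> <client ip> <method> <url>" (assumed proxy log layout)
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def normalize_mac(raw: str) -> Optional[str]:
    """12 lowercase hex digits, or None when the string is not a MAC address."""
    if not MAC_RE.match(raw):
        return None
    return re.sub(r"[:-]", "", raw).lower()


def classify_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return {'kind','host','mac','site'} if the URL has an Onescan beacon shape, else None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    # keys lower-cased so strPC/strpc both match; first value wins
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    mac = normalize_mac(q.get("strpc", ""))
    if mac is None:
        return None          # both beacons carry the MAC; without it, not a hit
    if (path.endswith("/value.php") and q.get("strmode") == "setup"
            and "strid" in q and "strsite" in q):
        kind = "install-report"
    elif path.endswith("/mac_ck.php"):
        kind = "mac-check"
    else:
        return None
    return {"kind": kind, "host": parts.hostname or "", "mac": mac, "site": q.get("strsite", "")}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Beacon hits with the client IP and timestamp attached; one dict per hit."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        hit = classify_beacon(m.group("url"))
        if hit:
            hit["ts"], hit["client"] = m.group("ts"), m.group("client")
            hits.append(hit)
    return hits


# Constructed log lines: one benign request, the two beacon shapes, and a
# value.php request from another site that does not carry a MAC.
SAMPLE_LOG = [
    "2012-10-05T09:12:41Z 10.0.0.23 GET http://www.microsoft.com/windows/antivirus-partners/",
    "2012-10-05T09:12:44Z 10.0.0.23 GET http://www.example-rogue.invalid/value.php"
    "?strMode=setup&strID=siva&strPC=00-1A-2B-3C-4D-5E&strSite=www.example-rogue.invalid",
    "2012-10-05T09:12:45Z 10.0.0.23 GET http://www.example-rogue.invalid/mac_ck.php?strPC=001A2B3C4D5E",
    "2012-10-05T09:13:02Z 10.0.0.41 GET http://shop.example.invalid/value.php?strMode=view&strPC=session42",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['kind']:14} host={h['host']} mac={h['mac']}")
```

Insisting on a well-formed MAC in strPC is what keeps unrelated value.php pages out of the results; the normalized MAC also lets the install-report and the mac_ck.php follow-up be tied to the same host even when they go to different domains.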

Downloads updates

The updater component (<product name>u.exe, launched from the Run entry described above) periodically contacts the website the rogue was installed from and checks whether a newer version is available. If one is, it downloads it, replaces the existing files with the newer ones, and then launches the new copy.

Analysis by David Wood, Tim Liu and Mihai Calota


Prevention


Recovery

Win32/Onescan may place an uninstaller entry in Control Panel > Add or Remove Programs (Windows XP) or Control Panel > Programs > Uninstall a Program (Windows Vista and Windows 7). The entry may be named, for example, "dasearch", "ddosclean", "anycop", or "pcvaccine". If no uninstaller is available, or if you do not want to use the one provided (it is the rogue's own code, so running it means executing more of the malware), you can use the scanning and removal tools that the original entry lists (not reproduced here) to detect and remove this malware. Whichever route is taken, confirm afterwards that the Run values, the Uninstall subkey, the HKLM\SOFTWARE\<product name> key, and the %ProgramFiles%\<product name> folder described above are gone.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
