
Rogue:Win32/Onescan


First posted on 20 November 2010.
Source: SecurityHome

Aliases:

Rogue:Win32/Onescan is also known as Trojan.Fakealert.15309 (Dr.Web), Win32/Adware.IScan.A (ESET), SoftwareBundler:Win32/NetPumper.A (other), TROJ_FAKEAV.SMTF (Trend Micro), One Scan (other), Siren114 (other), EnPrivacy (other), PC Trouble (other), My Vaccine (other).

Explanation:

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings about malicious files. The rogue then tells the user that they must pay to register the software in order to remove these non-existent threats.

Special note:
Reports of rogue antivirus programs have become more prevalent recently. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products.

Installation

This rogue is developed and distributed through Korean websites. It can be downloaded and installed from various websites, such as "siren114.com". To evade detection, it is branded and distributed under various names, including the following:

  • One Scan
  • PCTrouble
  • MyVaccine
  • Siren114
  • EnPrivacy

The installer drops its components into newly created subfolders of the Program Files directory, as in the following examples:

  • %ProgramFiles%\<high-order bit characters>\onescan\
  • %ProgramFiles%\<high-order bit characters>\MyVaccine\
  • %ProgramFiles%\<high-order bit characters>\PCTrouble\

Payload

Connects with remote websites

This rogue attempts to report its installation on the affected computer to the rogue website by sending data strings through the Internet Explorer web browser, as in the following example:

  <rogue website>/value.php?strMode=setup&strID=siva&strPC=<MAC address>&strSite=<rogue website>

Displays false alerts

[The original write-up shows screenshots of Rogue:Win32/Onescan displaying false detections; the images are not present on this page.]
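The two host and network indicators above, the install-time check-in to value.php and the branded subfolder beneath a non-ASCII folder under Program Files, are straightforward to turn into detection logic. The following Python is an added example written for this page; it is not code from the original write-up or from the rogue's authors. It assumes the URL shape quoted above, that strPC carries a MAC address as 12 hex digits with optional ':' or '-' separators (the page does not state the exact format), a constructed proxy-log line format of "timestamp client_ip METHOD url", and a placeholder non-ASCII folder name standing in for the "<high-order bit characters>" component. Hosts other than siren114.com in the sample log are placeholders.

```python
"""Detection helpers for the Rogue:Win32/Onescan indicators described above.

Added example for this page, not code from the original write-up. Assumptions
(none of these come from the page itself):
  * strPC carries a MAC address as 12 hex digits, optionally separated by ':' or '-'
  * proxy log lines look like "timestamp client_ip METHOD url" (constructed format)
  * the non-ASCII folder names below are placeholders for "<high-order bit characters>"
"""
import re
from urllib.parse import parse_qs, urlsplit

# Brand folder names the page lists under %ProgramFiles%\<high-order bit characters>\
ROGUE_BRAND_FOLDERS = {"onescan", "myvaccine", "pctrouble", "siren114", "enprivacy"}

# 12 hex digits, separators optional (assumed format for the strPC value).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def is_onescan_checkin(url: str) -> bool:
    """Match the install beacon quoted on the page:
    <rogue website>/value.php?strMode=setup&strID=...&strPC=<MAC address>&strSite=<rogue website>
    The host is deliberately not checked, because the rogue is rebranded across many sites.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/value.php"):
        return False
    query = parse_qs(parts.query)
    mode = query.get("strMode", [""])[0].lower()
    pc = query.get("strPC", [""])[0]
    return mode == "setup" and "strSite" in query and MAC_RE.match(pc) is not None


def is_onescan_install_path(path: str) -> bool:
    """True for paths of the form %ProgramFiles%\\<non-ASCII folder>\\<brand>\\...

    The page describes the intermediate folder only as "<high-order bit characters>",
    so any component containing a character above 0x7F is accepted there.
    """
    components = [c for c in re.split(r"[\\/]+", path) if c]
    for i, comp in enumerate(components):
        # Covers both "Program Files" and "Program Files (x86)".
        if comp.lower().startswith("program files") and i + 2 < len(components):
            middle, brand = components[i + 1], components[i + 2]
            if any(ord(ch) > 0x7F for ch in middle) and brand.lower() in ROGUE_BRAND_FOLDERS:
                return True
    return False


def scan_proxy_log(lines):
    """Return (client_ip, url) for every log line whose URL is an Onescan check-in."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip rather than crash
        client_ip, url = fields[1], fields[3]
        if is_onescan_checkin(url):
            hits.append((client_ip, url))
    return hits


# Constructed sample log. siren114.com is named on the page; the other hosts are placeholders.
SAMPLE_LOG = [
    "2010-11-20T10:01:02 10.0.0.5 GET http://siren114.com/value.php?strMode=setup&strID=siva&strPC=00-11-22-33-44-55&strSite=siren114.com",
    "2010-11-20T10:01:05 10.0.0.5 GET http://www.example.com/index.html",
    # strMode is not "setup": the page only documents the setup beacon, so this is not flagged.
    "2010-11-20T10:02:11 10.0.0.7 GET http://example.org/value.php?strMode=login&strID=siva&strPC=001122334455&strSite=example.org",
    # strPC is not a MAC address: some other value.php, not the rogue's beacon.
    "2010-11-20T10:03:00 10.0.0.9 GET http://example.net/value.php?strMode=setup&strID=siva&strPC=not-a-mac&strSite=example.net",
]

if __name__ == "__main__":
    for client_ip, url in scan_proxy_log(SAMPLE_LOG):
        print(f"Onescan check-in from {client_ip}: {url}")
    # "한글폴더" is a placeholder for the non-ASCII folder the page calls <high-order bit characters>.
    for p in (r"C:\Program Files\한글폴더\onescan\onescan.exe", r"C:\Program Files\onescan\onescan.exe"):
        print(p, "->", is_onescan_install_path(p))
```

The beacon matcher keys on the parameter set rather than the host, since the page shows the same value.php?strMode=setup&...&strPC=<MAC address> shape being sent to whichever rebranded site the sample came from. Requiring a MAC-shaped strPC keeps unrelated value.php endpoints from firing; if a captured sample shows the MAC in a different form, widen MAC_RE rather than dropping the check.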

Analysis by Tim Liu

Last update 20 November 2010
