
BLOG: Examining Korea’s rollercoaster threat landscape

Tim Rains | Sept. 25, 2013
Korea has had one of the most active threat landscapes in the world for many years.

The good news for users of Internet Explorer 8 and newer versions is that the download is blocked by the SmartScreen Filter, which is enabled by default. To avoid detection, Win32/OneScan is branded and distributed under more than 125 different names, including the following examples: alphavaccine, anycop, bestvaccine, bizvaccine, Bootcare, checkvaccine, cleanvaccine, coolspeed, defencevaccine, directvaccine, diskvaccine, doublevaccine, DoubleVaccine, easyboan, easyvaccine, EnPrivacy, everyclean, everyguard, EveryGuard, fastcure, InfoDoctor, internetspeed, mastervaccine, MyKeeper, mypcclean, One Scan, onescan, PCTrouble, proguard, realsecurity, SmartVaccine, speedsolution, UtilKorea, windowcure, windowguard, windowvaccine, WindowVaccine, among others.
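As an added defender-side example (not code from the original post), the following Python check flags installed-program names that match the OneScan brand names listed above. It normalizes case and punctuation so rebranded variants such as "One Scan", "onescan" and "WindowVaccine 2.1" collapse to one key; the inventory it scans is a constructed sample, not real data.

```python
import re

# Brand names the post lists for Win32/OneScan (variants that differ only
# in case are listed once; normalize() makes the comparison case-insensitive).
ONESCAN_BRANDS = [
    "alphavaccine", "anycop", "bestvaccine", "bizvaccine", "Bootcare", "checkvaccine",
    "cleanvaccine", "coolspeed", "defencevaccine", "directvaccine", "diskvaccine",
    "doublevaccine", "easyboan", "easyvaccine", "EnPrivacy", "everyclean", "everyguard",
    "fastcure", "InfoDoctor", "internetspeed", "mastervaccine", "MyKeeper", "mypcclean",
    "One Scan", "PCTrouble", "proguard", "realsecurity", "SmartVaccine", "speedsolution",
    "UtilKorea", "windowcure", "windowguard", "windowvaccine",
]

def normalize(name: str) -> str:
    """Fold case and drop spaces/punctuation so 'One Scan' == 'onescan' == 'One-Scan'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

_BRAND_KEYS = {normalize(b) for b in ONESCAN_BRANDS}

def flag_onescan_brands(inventory):
    """Return (original_name, matched_brand_key) for each inventory entry whose
    normalized display name equals a known OneScan brand, or is that brand
    followed only by digits (a version number glued on, e.g. 'WindowVaccine 2.1')."""
    hits = []
    for entry in inventory:
        key = normalize(entry)
        for brand in _BRAND_KEYS:
            if key == brand or (key.startswith(brand) and key[len(brand):].isdigit()):
                hits.append((entry, brand))
                break
    return hits

# Constructed sample: a software inventory as a "Programs and Features" export
# might show it. These entries are made up for the example.
SAMPLE_INVENTORY = [
    "Microsoft Office Professional 2010",
    "One Scan 3.0",
    "windowvaccine",
    "Adobe Reader XI",
    "Every-Guard 1.2",
    "EnPrivacy",
    "Notepad++",
]

if __name__ == "__main__":
    for name, brand in flag_onescan_brands(SAMPLE_INVENTORY):
        print(f"{name!r} matches OneScan brand {brand!r}")
```

The same normalization can be applied to service names or uninstall-registry display names exported from an endpoint inventory; anything flagged should then be confirmed against your anti-malware vendor's detection, as the call to action below recommends.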

The other threat family that has been contributing to Korea's extreme malware infection rate is Win32/Pluzoks. Win32/Pluzoks is a Trojan Downloader/Dropper. I consider this category of threats to be among the most severe because once a system has been compromised, these threats typically give attackers control of the system, which can enable them to enlist the compromised system into botnets. 

Win32/Pluzoks is a Trojan that silently downloads and installs other arbitrary files without user consent and is typically installed by other malware. Win32/Pluzoks may contact a remote host to download updates of the Trojan. Win32/Pluzoks was found on 6.4 percent of systems that were infected with malware in Korea in 4Q12.

Typically I find that locations with high malware infection rates also have elevated levels of malicious websites, because attackers often use compromised systems to host them. From the data, it appears that in 4Q12 the level of malware hosting sites in Korea was well above the worldwide average and higher than that of most other locations in Asia, including Pakistan. But Korea's level was not the highest in the world in Q4 2012; locations like Brazil (31.97), Ukraine (26.78), Vietnam (25.11), and others had significantly higher levels than Korea.

Call to Action for Korea:

  • Interestingly, the percentage of systems in Korea that were not protected by up-to-date real-time anti-malware software in Q4 2012 was 21 percent. This is better than the worldwide average of 24 percent. Given this, one prudent course of action is to confirm that Win32/OneScan is being detected/blocked/disinfected by the anti-malware software installed on your systems in Korea. If your anti-virus solution does not have detection for this threat, ask your anti-virus vendor to add detection for it to their product. If detection isn't added for Win32/OneScan, it would be prudent to use an alternative solution that does have detection for this malware.
  • There are a lot of systems in Korea still running Windows XP. Support for Windows XP ends 8 April 2014. I recently wrote an article on The Risk of Running Windows XP After Support Ends April 2014. So many Windows XP systems in Korea are found infected with Win32/OneScan that OneScan is the most detected threat on Windows XP globally. Migrating to a modern operating system like Windows 7 or Windows 8 is recommended in order to avoid these risks.

Tim Rains is Director, Trustworthy Computing.


