Nice find, Marc57,
Good to give a couple of the resources where this malware is treated:
htxp://malc0de.com/database/index.php?search=KR&CC=on
Go there only if you are security aware enough and know what not to click and better even what not...
and then we will land here:
htxp://malc0de.com/database/index.php?search=vaccinescan_set (for experienced users only)
where we have 5 variants with ThreatExpert reports,
If we do a bit of reconnaissance we see the malware site 124. 217. 218. 10 is down, so that makes the
find a bit more irrelevant. But there seems still activity from there:
htxp://down.rprotect.co.kr/rprotect/rpwacherh.dll
trojan fake-alert see:
http://www.virustotal.com/latest-report.html?resource=f920958410f6ebaddfc9a1a4d66db082
Which avast naturally detects as Win32:Adware-gen
Do not visit that site, because it also infects with Win32:Virtob
see:
http://www.virustotal.com/file-scan/report.html?id=9f1410c3796ddf9348f7a0bcc85a381b500d639b550918797f2abbd65e47a1d1-1299580539
So also neatly detected by good old avast, because we can only detect what is there,
and dead links or malware sites that have been brought down do not count...
But let us see if "vaccinescan_set_etc." resides somewhere else and is alive?
4 alive of 5 found at malware for domain search:
virustotal reports for the live ones are not very, very promising,
so we see how important Marc57's posting was:
http://www.virustotal.com/file-scan/report.html?id=395feefcaa6ab9a02d489bbe03826e6df1bb6cda20087bc4dfec471341ddfa85-1300866728&
http://www.virustotal.com/file-scan/report.html?id=8212515ad446410f6d47e9eae6eb4906fa9532b5e4952b28d843fd86b5dccfb5-1300853172&
http://www.virustotal.com/file-scan/report.html?id=21b7dfcc8b2572ab78a30e4e7974a60998841c7d8ef7f746310d0813c6cdb445-1300853156&
here detection is slightly better with 10/42 (23.8%)
but avast misses it altogether:
http://www.virustotal.com/file-scan/report.html?id=bf12984f90b2c8afb8f3b5a5149eabc9c979a61736b2f414d444b6903a4135d3-1301117268
So sometimes it is worth delving a bit deeper with our cold renaissance methods,
polonus
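The post above pastes two kinds of VirusTotal report links (an older `resource=<md5>` form and a `report.html?id=<sha256>-<unix timestamp>` form) and hand-defangs the live URLs. As an added example, not part of polonus's post, here is a small Python triage helper that pulls the hash, its type and the scan date out of such links and defangs a URL consistently before it is reposted. The sample links are copied from the post; the parsing rules for the two link shapes are an assumption based on how they appear there, not a documented VirusTotal format.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample input: report links in the two shapes seen in the post above
# (resource=<md5> and id=<sha256>-<unix timestamp>); values copied from the post.
SAMPLE_LINKS = [
    "http://www.virustotal.com/latest-report.html?resource=f920958410f6ebaddfc9a1a4d66db082",
    "http://www.virustotal.com/file-scan/report.html?id=9f1410c3796ddf9348f7a0bcc85a381b500d639b550918797f2abbd65e47a1d1-1299580539",
    "http://www.virustotal.com/file-scan/report.html?id=bf12984f90b2c8afb8f3b5a5149eabc9c979a61736b2f414d444b6903a4135d3-1301117268",
]

HEX = re.compile(r"^[0-9a-f]+$")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> digest type


def parse_report_link(url):
    """Return {'hash', 'type', 'scanned'} for one report link, or raise ValueError.

    Assumption (from the post's links): 'resource' carries a bare hash, while 'id'
    carries '<hash>-<unix timestamp>' with the timestamp optional.
    """
    query = parse_qs(urlparse(url).query)
    if "resource" in query:
        token, stamp = query["resource"][0], None
    elif "id" in query:
        token, sep, stamp = query["id"][0].rpartition("-")
        if not sep or not stamp.isdigit():  # no timestamp suffix present
            token, stamp = query["id"][0], None
    else:
        raise ValueError("not a VirusTotal report link: " + url)

    token = token.lower()
    if not HEX.match(token) or len(token) not in HASH_NAMES:
        raise ValueError("unrecognised hash in link: " + url)

    scanned = None
    if stamp:
        # The suffix is a Unix epoch; render it as a UTC date for the triage note.
        scanned = datetime.fromtimestamp(int(stamp), tz=timezone.utc).strftime("%Y-%m-%d")
    return {"hash": token, "type": HASH_NAMES[len(token)], "scanned": scanned}


def defang(url):
    """Rewrite a live URL so it cannot be clicked by accident: hxxp:// and host[.]tld."""
    parts = urlparse(url)
    safe_scheme = parts.scheme.replace("http", "hxxp")  # http -> hxxp, https -> hxxps
    safe_host = parts.netloc.replace(".", "[.]")
    return url.replace(parts.scheme + "://" + parts.netloc, safe_scheme + "://" + safe_host, 1)


def triage(links):
    """Parse every link, skipping ones that do not fit the known shapes."""
    rows = []
    for link in links:
        try:
            rows.append(parse_report_link(link))
        except ValueError:
            continue
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINKS):
        print(row["type"], row["hash"], row["scanned"] or "(no scan date)")
    print(defang("http://down.rprotect.co.kr/rprotect/rpwacherh.dll"))
```

The md5 link yields no scan date because the `resource` form carries none; the sha256 links resolve to March 2011 scan dates, which matches the timeframe of the thread. Links that do not fit either shape are skipped by `triage` rather than guessed at.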