MalwareDisasters is a division of MalwareIntelligence. It captures information about the behavior of malicious code and offers the countermeasures needed to mitigate the malicious actions in question.

8.22.2010

Litter Korean rogue lurking III

PCScan is another Korean rogue that has appeared in recent days, in addition to the two shown previously.

pcscan.kr - 114.108.129.233 - DACOM-NET LG DACOM

The following domains also resolve to this IP:
eroza.net
master.to84.net
to84.net
www.tvbaro.net

Setup.exe (a85900759318ea66dc94ba789aae2cfe)
PCScan.exe (665b846b82d959843744d9d3a7b39bdc)
PCScanMon.exe (01cdb8f8955a4df6eebb1aca04d6a43c)
Uninstall.exe (76cd1340bded9d96050df30999f6274d)

The Uninstall.exe file pretends to be the uninstaller for the supposed antivirus program; however, it has no effect because it is fake.

Check the following pages:
pcscan.kr/request/module_setup.php?p=PCScan&a=type1
pcscan.kr/request/License.txt
pcscan.kr/down/install.exe
down.elineguide.com/down/install.exe

pcscan.kr/down/files.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c
pcscan.kr/down/PCScan.exe
pcscan.kr/down/PCScanMon.exe
pcscan.kr/down/Uninstall.exe
pcscan.kr/down/PCScanControl.dll

pcscan.kr/value.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c&url=
pcscan.kr/settle.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
pcscan.kr/bill_danal/bill_home/with_bill.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
pcscan.kr/consultation.php


Countermeasure

Terminate the processes named PCScan.exe. You can use Process Explorer to view and terminate processes.

Remove the PCScan folder (which houses six files) located in C:\Program Files\pcscan\

Delete the pcscan registry entry from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which refers to "C:\Program Files\pcscan\pcscan.exe". You can use Autoruns to view and delete the entry.

Delete the desktop shortcut.

Run an updated antivirus.
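
The manual steps above can also be scripted. The PowerShell function below is an added example, not part of the original post. It generalizes the steps by matching anything that runs from, autostarts from, or links into the install folder instead of relying on fixed names, and it assumes the shortcut sits on the current user's or the shared desktop. The function name and parameter are hypothetical.

```powershell
# Added example: scripted form of the countermeasure steps for the PCScan rogue.
# Run elevated. -WhatIf is inherited by the cmdlets called inside the function,
# so the final line only previews what would be stopped or deleted.
function Remove-PCScanRogue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Install folder as given on the page.
        [string]$InstallDir = 'C:\Program Files\pcscan'
    )
    $prefix = $InstallDir.TrimEnd('\') + '\'
    $cmp    = [StringComparison]::OrdinalIgnoreCase

    # Step 1: terminate PCScan.exe and any other process started from the folder.
    Get-Process |
        Where-Object { $_.Path -and $_.Path.StartsWith($prefix, $cmp) } |
        Stop-Process -Force

    # Step 2: remove the install folder and its files.
    if (Test-Path -LiteralPath $InstallDir) {
        Remove-Item -LiteralPath $InstallDir -Recurse -Force
    }

    # Step 3: delete Run entries whose command line points into the folder
    # (the page names the entry "pcscan"; matching on the data also catches renames).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -Path $runKey
    foreach ($name in $key.GetValueNames()) {
        if (-not $name) { continue }    # skip the unnamed default value
        $data = [string]$key.GetValue($name)
        if ($data.IndexOf($prefix, $cmp) -ge 0) {
            Remove-ItemProperty -Path $runKey -Name $name
        }
    }

    # Step 4: delete desktop shortcuts whose target lies in the install folder.
    # Assumption: the shortcut is on the user desktop or the shared desktop.
    $shell    = New-Object -ComObject WScript.Shell
    $desktops = [Environment]::GetFolderPath('Desktop'),
                [Environment]::GetFolderPath('CommonDesktopDirectory')
    Get-ChildItem -LiteralPath $desktops -Filter *.lnk -ErrorAction SilentlyContinue |
        Where-Object { $shell.CreateShortcut($_.FullName).TargetPath.StartsWith($prefix, $cmp) } |
        Remove-Item -Force
}

# Preview only; drop -WhatIf to apply the changes.
Remove-PCScanRogue -WhatIf
```

The last countermeasure, running an updated antivirus, still has to be done afterwards.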

Related information

Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!
