Virus: DR/OneStep.A
Date discovered: 22/07/2007
Type: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
File size: 300.000 Bytes
VDF version: 6.39.00.176 - Sunday, July 22, 2007
IVDF version: 6.39.00.176 - Sunday, July 22, 2007

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Adware.WhenUSearchBar
   •  Kaspersky: not-a-virus:AdWare.Win32.OneStep.c
   •  Panda: Adware/SaveNow
   •  Bitdefender: Adware.OneStep.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files
   • Registry modification

Files

It creates the following directory:
   • %PROGRAM FILES%\OneStepSearch\



The following files are created:

– Non malicious files:
   • %PROGRAM FILES%\OneStepSearch\uninstall.exe
   • %PROGRAM FILES%\OneStepSearch\readme.html
   • %PROGRAM FILES%\OneStepSearch\home.js

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\%four-digit random character string%.tmp\System.dll
   • %TEMPDIR%\%four-digit random character string%.tmp\logo.bmp
   • %TEMPDIR%\%four-digit random character string%.tmp\infoPage.ini
   • %TEMPDIR%\%four-digit random character string%.tmp\onestep.dll
   • %TEMPDIR%\%four-digit random character string%.tmp\onestep.exe
   • %TEMPDIR%\%four-digit random character string%.tmp\osopt.exe
   • %TEMPDIR%\%four-digit random character string%.tmp\readme.html
   • %TEMPDIR%\%four-digit random character string%.tmp\home.js
   • %TEMPDIR%\%four-digit random character string%.tmp\uninstall.exe

– %PROGRAM FILES%\OneStepSearch\osopt.exe Detected as: ADSPY/OneStep.C

– %PROGRAM FILES%\OneStepSearch\onestep.exe Detected as: ADSPY/OneStep.B

– %PROGRAM FILES%\OneStepSearch\onestep.dll Detected as: ADSPY/OneStep.A.1

Registry

The following registry key is added:

– HKLM\Software\OneStepSearch\
   • "TempInstallDir"="%PROGRAM FILES%\OneStepSearch"

Description inserted by Thomas Wegele on Monday, February 25, 2008
Description updated by Thomas Wegele on Monday, February 25, 2008
