Name: DR/OneStep.A
Discovered on: 22/07/2007
Type: Dropper
In the wild: No
Number of reported infections: Low
Distribution potential: Low
Damage potential: Low
Static file: No
Size: 300.000 Bytes
VDF version: 6.39.00.176 - Sunday, July 22, 2007
IVDF version: 6.39.00.176 - Sunday, July 22, 2007

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Adware.WhenUSearchBar
   •  Kaspersky: not-a-virus:AdWare.Win32.OneStep.c
   •  Panda: Adware/SaveNow
   •  Bitdefender: Adware.OneStep.A


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates files
   • Creates malware files
   • Modifies the registry

Files

The following directory is created:
   • %PROGRAM FILES%\OneStepSearch\



The following files are created:

– Harmless files:
   • %PROGRAM FILES%\OneStepSearch\uninstall.exe
   • %PROGRAM FILES%\OneStepSearch\readme.html
   • %PROGRAM FILES%\OneStepSearch\home.js

– Temporary files that may be deleted afterwards:
   • %TEMPDIR%\%random 4-character string%.tmp\System.dll
   • %TEMPDIR%\%random 4-character string%.tmp\logo.bmp
   • %TEMPDIR%\%random 4-character string%.tmp\infoPage.ini
   • %TEMPDIR%\%random 4-character string%.tmp\onestep.dll
   • %TEMPDIR%\%random 4-character string%.tmp\onestep.exe
   • %TEMPDIR%\%random 4-character string%.tmp\osopt.exe
   • %TEMPDIR%\%random 4-character string%.tmp\readme.html
   • %TEMPDIR%\%random 4-character string%.tmp\home.js
   • %TEMPDIR%\%random 4-character string%.tmp\uninstall.exe

– %PROGRAM FILES%\OneStepSearch\osopt.exe Detected as: ADSPY/OneStep.C

– %PROGRAM FILES%\OneStepSearch\onestep.exe Detected as: ADSPY/OneStep.B

– %PROGRAM FILES%\OneStepSearch\onestep.dll Detected as: ADSPY/OneStep.A.1

Registry

The following is added to the registry:

– HKLM\Software\OneStepSearch\
   • "TempInstallDir"="%PROGRAM FILES%\OneStepSearch"

Description inserted by Thomas Wegele on Monday, February 25, 2008
Description updated by Thomas Wegele on Monday, February 25, 2008
