Virus: DR/OneStep.C.137
Date discovered: 05/03/2008
Type: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 271.042 Bytes
MD5 checksum: a920af7bc6b6b8824c52a6b6ae533321
IVDF version: 7.00.02.234 - Wednesday, March 5, 2008

General

Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops a malicious file
   • Registry modification

Files

The following files are created:

– Non malicious files:
   • %PROGRAM FILES%\NewDotNet\readme.html
   • %PROGRAM FILES%\NewDotNet\uninstall.exe
   • %PROGRAM FILES%\NewDotNet\nnrun.exe

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\%four-digit random character string%.tmp\nncore.dll
   • %TEMPDIR%\%four-digit random character string%.tmp\nnrun.exe
   • %TEMPDIR%\%four-digit random character string%.tmp\readme.html
   • %TEMPDIR%\%four-digit random character string%.tmp\uninstall.exe

– %PROGRAM FILES%\NewDotNet\nncore.dll Further investigation showed that this file is malware, too. Detected as: ADSPY/NewDotNet.M

File details

Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Wednesday, April 30, 2008
Description updated by Thomas Wegele on Wednesday, April 30, 2008
