First posted on 06 February 2013.
Source: Microsoft

Aliases :

There are no other names known for Adware:Win32/OneTab.

Explanation :

Adware:Win32/OneTab is a browser add-on that displays advertisements, and places advertisements and hyperlinks into webpages.


As part of its installation process, Adware:Win32/OneTab creates the following files in the %APPDATA%\ONETAB folder:

  • OneTab.crx
  • OneTab.dll
  • system.dll
  • uninstall.exe

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Documents and Settings\<user>\Application Data"; and for XP, Vista, 7, and W8 it is "C:\Users\<user>\AppData\Roaming".

When Adware:Win32/OneTab is installed on your computer, it makes the following changes to the registry:

In subkey: HKLM\SOFTWARE\Google\Chrome\Extensions\<random characters> for example, "cbnocfnjkmlljbfgpkbhefnlpbiemhif"
Sets value: "path"
With data: "c:\documents and settings\administrator\application data\onetab\onetab.crx"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16ADEA98-D215-4F51-80AF-5E5ED660B9C0}
Sets value: "(default)"
With data: "onetab add-on"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{16ADEA98-D215-4F51-80AF-5E5ED660B9C0}\InProcServer32
Sets value: "(default)"
With data: "c:\documents and settings\administrator\application data\onetab\onetab.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{16ADEA98-D215-4F51-80AF-5E5ED660B9C0}
Sets value: "(default)"
With data: "onetab add-on"

It also creates an uninstaller by making the following changes to the registry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneTab
Sets value: "DisplayName"
With data: "onetab"
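
The file and registry artifacts listed above can be checked on a host with a read-only PowerShell script. This is an added example, not part of the original description; also looking in the WOW6432Node registry view and in every profile folder beside the current user's are assumptions made here.

```powershell
# Read-only check for the Adware:Win32/OneTab artifacts listed in this entry.
# The CLSID, key names and file names come from the description; checking the
# WOW6432Node view and every profile folder are assumptions added here.
$clsid = '{16ADEA98-D215-4F51-80AF-5E5ED660B9C0}'
$hits  = New-Object 'System.Collections.Generic.List[string]'

foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    # Fixed-name keys: BHO registration, COM class and uninstall entry.
    $keys = @(
        "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
        "$root\Classes\CLSID\$clsid\InProcServer32",
        "$root\Classes\CLSID\$clsid",
        "$root\Microsoft\Windows\CurrentVersion\Uninstall\OneTab"
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) { $hits.Add("registry key: $key") }
    }

    # The Chrome extension ID is random, so match on the "path" data instead.
    $extRoot = "$root\Google\Chrome\Extensions"
    if (Test-Path -LiteralPath $extRoot) {
        foreach ($ext in Get-ChildItem -LiteralPath $extRoot) {
            $crx = [string]$ext.GetValue('path')
            if ($crx -like '*\onetab\onetab.crx') {
                $hits.Add("chrome extension: $($ext.PSChildName) -> $crx")
            }
        }
    }
}

# Files dropped in %APPDATA%\ONETAB, looked up under each profile folder.
$files    = 'OneTab.crx', 'OneTab.dll', 'system.dll', 'uninstall.exe'
$profiles = Get-ChildItem -LiteralPath (Split-Path -Parent $env:USERPROFILE) -Directory -ErrorAction SilentlyContinue
foreach ($userDir in $profiles) {
    # First match wins so the "Application Data" junction is not counted twice.
    $dir = 'AppData\Roaming\OneTab', 'Application Data\OneTab' |
        ForEach-Object { Join-Path $userDir.FullName $_ } |
        Where-Object { Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue } |
        Select-Object -First 1
    if (-not $dir) { continue }
    foreach ($name in $files) {
        $file = Join-Path $dir $name
        if (Test-Path -LiteralPath $file) { $hits.Add("file: $file") }
    }
}

if ($hits.Count -gt 0) { $hits } else { 'No artifacts from this description were found.' }
```

Run it from an elevated prompt so that other users' profile folders are readable; it only reads and changes nothing.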

Adware:Win32/OneTab installs itself as a BHO (browser helper object), which can be seen in Internet Explorer's Manage Add-ons window.

Once installed, Adware:Win32/OneTab displays out-of-context advertisements, and inserts hyperlinks in your Internet browser.

Analysis by Patrick Estavillo

Last update 06 February 2013