Files that Malwarebytes Anti-Malware (MBAM) detects as OneClickDownloader are what we call bundlers. We define a bundler as a set of programs packaged together and installed alongside a main program, which is usually the one users actually want on their systems. The additional programs are other unwanted software, such as adware and toolbars.
Such bundlers are normally free and can be downloaded from third-party sites. Examples of bundlers we have already profiled on the Malwarebytes Labs blog are Outbrowse, SofTango, and InstalleRex, to name a few.
We retrieved a sample of OneClickDownloader that markets itself as a YouTube video downloader. Once installed, OneClickDownloader initially displays the following user interface wizard:
Clicking the green ‘Next’ button leads to this window:
Download Youtube videos at lightning fast speed

Supports Windows XP vista and 7 (x86, X64). Easily downloads as MP3, aac, mpeg, flv and HD formats. Includes Buzzdock: the web’s best search enhancer. Ad supported search results modifier, ezlooker: Browse Craigslist faster. Share posts with friends. PageRage: Customize your Facebook profile with 100’s of free layouts. BannerGadgets: Replace Ads with useful gadgets like clocks and pictures.

As you can see, apart from the downloader (the main program), it also offers to install other software that users may be interested in checking out.
The shortcut links on the interfaces point to ww1[DOT]1clickdownloader[DOT]com, which is currently a parked domain. As such, users can’t find the “Terms of Use” or “Privacy Policy” pages. The said URL is also on their Facebook page. Quite notably, it hasn’t been updated since the second half of 2012.
We did a little digging in the archive and found what 1clickdownloader[DOT]com looked like several years ago:
Moving on: Clicking the second ‘Next’ button leads to another window with more offers:
Iminent IM & Web apps in a click

Iminent gives you cool new ways to express yourself in your Facebook status, chat, wall posts and messages! Spice up your conversations with awesome smileys, winks and symbols.

This OneClickDownloader sample (detected as PUP.Optional.OneClickDownloader) installs files that we detect as PUP.Optional.Iminent, PUP.Optional.Yontoo, and PUP.Optional.SweetIM.
Another sample of OneClickDownloader we found is a program called TornTV, which has marketed itself as a downloader for shows, movies, and sports events aired on TV. Once installed, it shows an interface similar to that of 1Click Downloader’s:
Such a similarity is usually an indicator that these bundles generally function the same way and/or come from one family.
We weren’t surprised to find out that the TornTV site is also a parked domain, so we pulled its old site from the archives:
Downloaders are popular among internet users, and videos are just one of the many shareable goods (images, music, books, comics, etc.) with a vast market of collectors. Unfortunately, some software developers who cater to these markets push out products that are “free” but actually come with strings attached.
If you want to remove OneClickDownloader from your systems, refer to this Malwarebytes forum post.
Relevant hash values:
- MD5 015bc8466ef29cdbd3c8d5b9b06bb444
- MD5 c7a6d35d78c8473b2e674012c9b06106
More PUP Friday post(s):
- PUP Friday: RelevantKnowledge
- PUP Friday: Bubbling Over
- Adware PUP Dotdo FastInternet Blocks Security Related Domains
- Free YouTube Downloader PUP is just another Tech Support Scam
- Yontoo: PUPs with two faces
Jovi Umawing