Win32/Adware.Yontoo [Threat Name] go to Threat

Win32/Adware.Yontoo [Threat Variant Name]

Category adware
Size 685375 B
Short description

Win32/Adware.Yontoo is an adware - an application designed for delivery of unsolicited advertisements. The file is run-time compressed using NSIS .

Installation

The adware is usually bundled within installation packages of various legitimate software.


When executed, the adware creates the following files:

  • %temp%\­ns%variable1%.tmp\­drpdndls.exe (646752 B, Win32/Adware.Yontoo)
  • %temp%\­%variable2%\­_Setupx.dll (320512 B, Win32/Adware.Yontoo)
  • %temp%\­%variable2%\­_Setup.dll (256512 B)
  • %temp%\­%variable2%\­Setup.ico (4846 B)
  • %temp%\­drpdndls-%variable3%.exe (228016 B)
  • %temp%\­%variable4%.dat (89869 B)
  • %temp%\­7za.exe (536064 B)
  • %temp%\­%random%\­x64\­regsvr32.exe" (7168 B)
  • %temp%\­%random%\­x86\­regsvr32.exe" (6656 B)
  • %temp%\­drpdndls-%variable5%.log
  • %temp%\­YontooTix%variable6%.log
  • %appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­_Setupx.dll (320512 B, Win32/Adware.Yontoo)
  • %appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.exe (228016 B)
  • %appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­_Setup.dll (256512 B)
  • %appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.dat (89869 B)
  • %appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.ico (4846 B)
  • %programfiles%\­Yontoo Layers Client\­YontooIEClient.dll (191488 B, Win32/Adware.Yontoo.A)

It downloads the other part of the infiltration.


The following files are dropped:

  • %temp%\­YontooFFClient.xpi
  • %temp%\­YontooLayers.crx
  • %temp%\­YontooLayers.pem

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Classes\­DRPDD\­CLSID]
    • "(Default)" = "{%variable7%}"
  • [HKEY_CLASSES_ROOT\­CLSID\­{FE9271F2-6EFD-44b0-A826-84C829536E93}]
    • "(Default)" = "%variable8%"
  • [HKEY_CLASSES_ROOT\­AppID\­{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    • "(Default)" = "YontooIEClient"
  • [HKEY_CLASSES_ROOT\­AppID\­YontooIEClient.DLL]
    • "AppID"  = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Api.1]
    • "(Default)" = "Yontoo Layers Api"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Api.1\­CLSID]
    • "(Default)" = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Api]
    • "(Default)" = "Yontoo Layers Api"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Api\­CLSID]
    • "(Default)" = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Api]
    • "CurVer" = "YontooIEClient.Api.1"
  • [HKEY_CLASSES_ROOT\­CLSID\­{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    • "(Default)" = "Yontoo Layers Api"
  • [HKEY_CLASSES_ROOT\­CLSID\­{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\­ProgID]
    • "(Default)" = "YontooIEClient.Api.1"
  • [HKEY_CLASSES_ROOT\­CLSID\­{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\­VersionIndependentProgID]
    • "(Default)" = "YontooIEClient.Api"
  • [HKEY_CLASSES_ROOT\­CLSID\­{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\­InprocServer32]
    • "(Default)" = "%programfiles%\­Yontoo Layers Client\­YontooIEClient.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\­CLSID\­{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\­TypeLib]
    • "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Layers]
    • "(Default)" = "Yontoo Layers"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Layers\­CLSID]
    • "(Default)" = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Layers\­CurVer]
    • "(Default)" = "YontooIEClient.Layers.1"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Layers.1]
    • "(Default)" = "Yontoo Layers"
  • [HKEY_CLASSES_ROOT\­YontooIEClient.Layers.1\­CLSID]
    • "(Default)" = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"
  • [HKEY_CLASSES_ROOT\­CLSID\­{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    • "(Default)" = "Yontoo Layers"
  • [HKEY_CLASSES_ROOT\­CLSID\­{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\­ProgID]
    • "(Default)" = "YontooIEClient.Layers.1"
  • [HKEY_CLASSES_ROOT\­CLSID\­{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\­VersionIndependentProgID]
    • "(Default)" = "YontooIEClient.Layers"
  • [HKEY_CLASSES_ROOT\­CLSID\­{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\­InprocServer32]
    • "(Default)" = "%programfiles%\­Yontoo Layers Client\­YontooIEClient.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\­CLSID\­{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\­TypeLib]
    • "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Browser Helper Objects\­{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    • "(Default)" = "Yontoo Layers"
    • "NoExplorer"  = 1
  • [HKEY_CLASSES_ROOT\­TypeLib\­{D372567D-67C1-4B29-B3F0-159B52B3E967}\­1.0]
    • "(Default)" = "YontooIEClient 1.0 Type Library"
  • [HKEY_CLASSES_ROOT\­TypeLib\­{D372567D-67C1-4B29-B3F0-159B52B3E967}\­1.0\­FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\­TypeLib\­{D372567D-67C1-4B29-B3F0-159B52B3E967}\­1.0\­0\­win32]
    • "(Default)" = "%programfiles%\­Yontoo Layers Client\­YontooIEClient.dll"
  • [HKEY_CLASSES_ROOT\­TypeLib\­{D372567D-67C1-4B29-B3F0-159B52B3E967}\­1.0\­HELPDIR]
    • "(Default)" = "%programfiles%\­Yontoo Layers Client\­YontooIEClient.dll"
  • [HKEY_CLASSES_ROOT\­Interface\­{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    • "(Default)" = "ILayers"
    • "NumMethods" = "7"
  • [HKEY_CLASSES_ROOT\­Interface\­{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\­ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\­Interface\­{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\­ProxyStubClsid32]
    • "(Default)" = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"
  • [HKEY_CLASSES_ROOT\­Interface\­{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\­TypeLib]
    • "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\­Interface\­{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    • "(Default)" = "IApi"
    • "NumMethods" = "16"
  • [HKEY_CLASSES_ROOT\­Interface\­{1AD27395-1659-4DFF-A319-2CFA243861A5}\­ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\­Interface\­{1AD27395-1659-4DFF-A319-2CFA243861A5}\­ProxyStubClsid32]
    • "(Default)" = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"
  • [HKEY_CLASSES_ROOT\­Interface\­{1AD27395-1659-4DFF-A319-2CFA243861A5}\­TypeLib]
    • "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\­CLSID\­{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\­InProcServer32]
    • "(Default)" = "%programfiles%\­Yontoo Layers Client\­YontooIEClient.dll"
    • "ThreadingModel" = "Both"
  • [HKEY_CLASSES_ROOT\­CLSID/{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    • "(Default)" = "PSFactoryBuffer"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    • "UninstallString" = "%appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.exe /remove /q0"
    • "QuietUninstallString" = "%appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.exe /remove /q"
    • "ModifyPath" = "%appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.exe /q0"
    • "Version" = 17432577
    • "VersionMajor" = 1
    • "VersionMinor" = 10
    • "EstimatedSize" = 711
    • "Language" = 1033
    • "TSAware" = 1
    • "TinFolder" = "%appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"
    • "TinVersion" = "5021"
    • "InstallDate" = "%variable9%"
    • "InstallLocation" = "%programfiles%\­Yontoo Layers Client"
    • "InstallSource" = "%temp%\­ns%variable1%.tmp"
    • "DisplayIcon" = "%appdata%\­Tarma Installer\­{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\­Setup.ico"
    • "DisplayName" = "Yontoo Layers Client 1.10.01"
    • "DisplayVersion" = "1.10.01"
    • "Publisher" = "Yontoo Technology, Inc."
    • "URLInfoAbout" = "http://www.yontoo.com"
    • "Contact" = "support@yontoo.com"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Tarma Installer/Components/{3E454121-D681-4BBE-AC01-9D4DC40D2A04}]
    • "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
    • HKEY_LOCAL_MACHINE\­SOFTWARE\­Tarma Installer/Components/{4E4AE263-5CE6-4307-84B6-B9BFF5729A44}]
    • "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
    • HKEY_LOCAL_MACHINE\­SOFTWARE\­Tarma Installer/Components/{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
    • "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
    • HKEY_LOCAL_MACHINE\­SOFTWARE\­Tarma Installer/Components/{9D9785E5-3424-40B6-A287-BA143AD53109}]
    • "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
    • HKEY_LOCAL_MACHINE\­SOFTWARE\­Tarma Installer/Components/{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
    • "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
    • HKEY_LOCAL_MACHINE\­SOFTWARE\­Tarma Installer/Products/{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    • "(Default)" =  "Yontoo Layers Client"
    • "TizPath" = "%temp%\­ns%variable1%.tmp\­drpdndls.exe"

This way the adware injects its code into specific processes.


A string with variable content is used instead of %varaible1-9% .

Information stealing

The adware collects sensitive information when the user browses certain web sites.


The adware collects information related to the following applications:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome

The following information is collected:

  • URLs visited

The adware attempts to send gathered information to a remote machine.

Other information

The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of (6) URLs. The HTTP protocol is used.


The adware program is designed to deliver various advertisements to the user's systems.


It can execute the following operations:

  • modify website content

The adware may execute the following commands:

  • %temp%\­%random%\­x86\­regsvr32.exe "C:\­Program Files\­Yontoo Layers Client\­YontooIEClient.dll" /i:`` /r
  • %temp%\­%random%\­x64\­regsvr32.exe "C:\­Program Files\­Yontoo Layers Client\­YontooIEClient.dll" /i:`` /r
  • %temp%\­7za.exe x "%temp%\­YontooFFClient.xpi" -o "%appdata%\­Mozilla\­Firefox\­Profiles\­%profile%.default\­extensions\­plugin@yontoo.com" * -r -y -aoa
  • %temp%\­7za.exe x "%temp%\­YontooLayers.crx" -o "%temp%\­YontooLayers" * -r -y -aoa
  • %appdata%\­Google\­Chrome\­Application\­chrome.exe --pack-extension="%temp%\­YontooLayers" --pack-extension-key="%temp%\­YontooLayers.pem" --no-message-box

Please enable Javascript to ensure correct displaying of this content and refresh this page.