Win32/Adware.Yontoo [Threat Name]

Detection created	2011-04-15
World activity peak	2013-08-17 (4.88 %)

Short description

Win32/Adware.Yontoo is an adware - an application designed for delivery of unsolicited advertisements. The file is run-time compressed using NSIS .

Installation

The adware is usually bundled within installation packages of various legitimate software.

When executed, the adware creates the following files:

%temp%\ns%variable1%.tmp\drpdndls.exe (646752 B, Win32/Adware.Yontoo)
%temp%\%variable2%\_Setupx.dll (320512 B, Win32/Adware.Yontoo)
%temp%\%variable2%\_Setup.dll (256512 B)
%temp%\%variable2%\Setup.ico (4846 B)
%temp%\drpdndls-%variable3%.exe (228016 B)
%temp%\%variable4%.dat (89869 B)
%temp%\7za.exe (536064 B)
%temp%\%random%\x64\regsvr32.exe" (7168 B)
%temp%\%random%\x86\regsvr32.exe" (6656 B)
%temp%\drpdndls-%variable5%.log
%temp%\YontooTix%variable6%.log
%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll (320512 B, Win32/Adware.Yontoo)
%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe (228016 B)
%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll (256512 B)
%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat (89869 B)
%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico (4846 B)
%programfiles%\Yontoo Layers Client\YontooIEClient.dll (191488 B, Win32/Adware.Yontoo.A)

It downloads the other part of the infiltration.

The following files are dropped:

%temp%\YontooFFClient.xpi
%temp%\YontooLayers.crx
%temp%\YontooLayers.pem

The following Registry entries are created:

[HKEY_CURRENT_USER\Software\Classes\DRPDD\CLSID]
- "(Default)" = "{%variable7%}"
[HKEY_CLASSES_ROOT\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
- "(Default)" = "%variable8%"
[HKEY_CLASSES_ROOT\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
- "(Default)" = "YontooIEClient"
[HKEY_CLASSES_ROOT\AppID\YontooIEClient.DLL]
- "AppID" = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
[HKEY_CLASSES_ROOT\YontooIEClient.Api.1]
- "(Default)" = "Yontoo Layers Api"
[HKEY_CLASSES_ROOT\YontooIEClient.Api.1\CLSID]
- "(Default)" = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"
[HKEY_CLASSES_ROOT\YontooIEClient.Api]
- "(Default)" = "Yontoo Layers Api"
[HKEY_CLASSES_ROOT\YontooIEClient.Api\CLSID]
- "(Default)" = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"
[HKEY_CLASSES_ROOT\YontooIEClient.Api]
- "CurVer" = "YontooIEClient.Api.1"
[HKEY_CLASSES_ROOT\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
- "(Default)" = "Yontoo Layers Api"
[HKEY_CLASSES_ROOT\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID]
- "(Default)" = "YontooIEClient.Api.1"
[HKEY_CLASSES_ROOT\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID]
- "(Default)" = "YontooIEClient.Api"
[HKEY_CLASSES_ROOT\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32]
- "(Default)" = "%programfiles%\Yontoo Layers Client\YontooIEClient.dll"
- "ThreadingModel" = "Apartment"
[HKEY_CLASSES_ROOT\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\TypeLib]
- "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
[HKEY_CLASSES_ROOT\YontooIEClient.Layers]
- "(Default)" = "Yontoo Layers"
[HKEY_CLASSES_ROOT\YontooIEClient.Layers\CLSID]
- "(Default)" = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"
[HKEY_CLASSES_ROOT\YontooIEClient.Layers\CurVer]
- "(Default)" = "YontooIEClient.Layers.1"
[HKEY_CLASSES_ROOT\YontooIEClient.Layers.1]
- "(Default)" = "Yontoo Layers"
[HKEY_CLASSES_ROOT\YontooIEClient.Layers.1\CLSID]
- "(Default)" = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"
[HKEY_CLASSES_ROOT\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
- "(Default)" = "Yontoo Layers"
[HKEY_CLASSES_ROOT\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID]
- "(Default)" = "YontooIEClient.Layers.1"
[HKEY_CLASSES_ROOT\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID]
- "(Default)" = "YontooIEClient.Layers"
[HKEY_CLASSES_ROOT\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32]
- "(Default)" = "%programfiles%\Yontoo Layers Client\YontooIEClient.dll"
- "ThreadingModel" = "Apartment"
[HKEY_CLASSES_ROOT\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib]
- "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
- "(Default)" = "Yontoo Layers"
- "NoExplorer" = 1
[HKEY_CLASSES_ROOT\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0]
- "(Default)" = "YontooIEClient 1.0 Type Library"
[HKEY_CLASSES_ROOT\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS]
- "(Default)" = "0"
[HKEY_CLASSES_ROOT\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\0\win32]
- "(Default)" = "%programfiles%\Yontoo Layers Client\YontooIEClient.dll"
[HKEY_CLASSES_ROOT\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR]
- "(Default)" = "%programfiles%\Yontoo Layers Client\YontooIEClient.dll"
[HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
- "(Default)" = "ILayers"
- "NumMethods" = "7"
[HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid]
- "(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32]
- "(Default)" = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"
[HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib]
- "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
- "Version" = "1.0"
[HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
- "(Default)" = "IApi"
- "NumMethods" = "16"
[HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid]
- "(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32]
- "(Default)" = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"
[HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib]
- "(Default)" = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"
- "Version" = "1.0"
[HKEY_CLASSES_ROOT\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32]
- "(Default)" = "%programfiles%\Yontoo Layers Client\YontooIEClient.dll"
- "ThreadingModel" = "Both"
[HKEY_CLASSES_ROOT\CLSID/{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
- "(Default)" = "PSFactoryBuffer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
- "UninstallString" = "%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe /remove /q0"
- "QuietUninstallString" = "%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe /remove /q"
- "ModifyPath" = "%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe /q0"
- "Version" = 17432577
- "VersionMajor" = 1
- "VersionMinor" = 10
- "EstimatedSize" = 711
- "Language" = 1033
- "TSAware" = 1
- "TinFolder" = "%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"
- "TinVersion" = "5021"
- "InstallDate" = "%variable9%"
- "InstallLocation" = "%programfiles%\Yontoo Layers Client"
- "InstallSource" = "%temp%\ns%variable1%.tmp"
- "DisplayIcon" = "%appdata%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico"
- "DisplayName" = "Yontoo Layers Client 1.10.01"
- "DisplayVersion" = "1.10.01"
- "Publisher" = "Yontoo Technology, Inc."
- "URLInfoAbout" = "http://www.yontoo.com"
- "Contact" = "support@yontoo.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer/Components/{3E454121-D681-4BBE-AC01-9D4DC40D2A04}]
- "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer/Components/{4E4AE263-5CE6-4307-84B6-B9BFF5729A44}]
- "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer/Components/{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
- "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer/Components/{9D9785E5-3424-40B6-A287-BA143AD53109}]
- "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer/Components/{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
- "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer/Products/{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
- "(Default)" = "Yontoo Layers Client"
- "TizPath" = "%temp%\ns%variable1%.tmp\drpdndls.exe"

This way the adware injects its code into specific processes.

A string with variable content is used instead of %varaible1-9% .

Information stealing

The adware collects sensitive information when the user browses certain web sites.

The adware collects information related to the following applications:

Internet Explorer
Mozilla Firefox
Google Chrome

The following information is collected:

URLs visited

The adware attempts to send gathered information to a remote machine.

Other information

The adware acquires data and commands from a remote computer or the Internet.

The adware contains a list of (6) URLs. The HTTP protocol is used.

The adware program is designed to deliver various advertisements to the user's systems.

It can execute the following operations:

modify website content

The adware may execute the following commands:

%temp%\%random%\x86\regsvr32.exe "C:\Program Files\Yontoo Layers Client\YontooIEClient.dll" /i:`` /r
%temp%\%random%\x64\regsvr32.exe "C:\Program Files\Yontoo Layers Client\YontooIEClient.dll" /i:`` /r
%temp%\7za.exe x "%temp%\YontooFFClient.xpi" -o "%appdata%\Mozilla\Firefox\Profiles\%profile%.default\extensions\plugin@yontoo.com" * -r -y -aoa
%temp%\7za.exe x "%temp%\YontooLayers.crx" -o "%temp%\YontooLayers" * -r -y -aoa
%appdata%\Google\Chrome\Application\chrome.exe --pack-extension="%temp%\YontooLayers" --pack-extension-key="%temp%\YontooLayers.pem" --no-message-box

Threat Variants with Description

Threat Variant Name	Date Added	Threat Type
Win32/Adware.Yontoo	2011-06-16	adware