Adware:MSIL/Yontoo
First posted on 20 November 2013.
Source: Microsoft
Aliases:
There are no other names known for Adware:MSIL/Yontoo.
Explanation:
Threat behavior
Installation
Typically, Yontoo arrives with software bundlers that offer free apps or games. We have seen SoftwareBundler:Win32/OneClickDownloader try to install Yontoo (among others).
When run, the installer for Yontoo adds a plugin to Internet Explorer, Firefox, and Chrome.
The installer creates one of these folders:
- %APPDATA%\yontoo\
- %ProgramFiles%\yontoo\
- %ProgramFiles%\yontoo layers runtime\
- %ProgramFiles%\yontoo layers client\
It then installs the following Yontoo files:
- YontooLayers.crx
- YontooIECLient.dll
- Y2Desktop.Updater.exe
- sqlite3.exe
- OptChrome.exe
The Chrome plugin might also create the following folder:
- %LOCALAPPDATA%\google\chrome\user data\default\extensions\niapdbllcanepiiimjjndipklodoedlc\
In Chrome and Internet Explorer, the plugin is installed with the name Yontoo.
Behavior
Yontoo displays ads via your browser, both on websites that you visit and on search page results.
It might also redirect you to other pages, and ask you to fill out a survey to get a "gift" or something similar. These surveys are not associated with the companies that they are advertising; for example, one such survey claims to come from Amazon.
Analysis by Geoff McDonald
Symptoms
The following could indicate that you have this program on your PC:
- You have these files:
  - YontooLayers.crx
  - YontooIECLient.dll
  - Y2Desktop.Updater.exe
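A host check for the folders and file names listed on this page, as an added example (not Microsoft's code). It assumes the standard Windows environment variables are set; the function name find_yontoo_artifacts is hypothetical, and file matching covers only the three names listed under Symptoms.

```python
import os
from pathlib import Path

# Indicators taken from this page. Folder entries are (environment variable,
# path below it); file names are the three listed under Symptoms.
FOLDERS = [
    ("APPDATA", "yontoo"),
    ("ProgramFiles", "yontoo"),
    ("ProgramFiles", "yontoo layers runtime"),
    ("ProgramFiles", "yontoo layers client"),
    ("LOCALAPPDATA", "google/chrome/user data/default/extensions/"
                     "niapdbllcanepiiimjjndipklodoedlc"),
]
FILES = {"yontoolayers.crx", "yontooieclient.dll", "y2desktop.updater.exe"}


def find_yontoo_artifacts(env=None):
    """Return (kind, path) tuples for each listed folder or file found.

    find_yontoo_artifacts is a hypothetical helper name. `env` defaults to
    the process environment; pass a dict to scan another profile or an
    offline copy of a disk.
    """
    env = os.environ if env is None else env
    # Windows variable names are case-insensitive, so normalise the lookup.
    lookup = {k.upper(): v for k, v in env.items()}
    hits = []
    for var, rel in FOLDERS:
        base = lookup.get(var.upper())
        if not base:
            continue  # variable not set on this host
        folder = Path(base).joinpath(*rel.split("/"))
        if not folder.is_dir():
            continue
        hits.append(("folder", str(folder)))
        # Compare lower-cased names: NTFS ignores case, other hosts may not.
        for root, _dirs, names in os.walk(folder):
            hits.extend(("file", os.path.join(root, n))
                        for n in names if n.lower() in FILES)
    return hits


if __name__ == "__main__":
    for kind, path in find_yontoo_artifacts():
        print(f"{kind}\t{path}")
```

An empty result means none of the listed folders exist under the given variables; it does not cover the Internet Explorer or Firefox plugin registrations, which this page does not detail.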
Last update 20 November 2013