dropdowndeals.exe

Yontoo Layers Runtime (Drop Down Deals)

Web Deals Interactive LLC

This is part of an adware program designed to inject advertising in the web browser (banners, text-links) as well as modify the normal behavior of the browser. Part of the Injekt brand of unwanted programs. The application dropdowndeals.exe by Web Deals Interactive has been detected as adware by 12 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory.
Publisher:
Yontoo LLC (signed by Web Deals Interactive LLC)

Product:
Yontoo Layers Runtime (Drop Down Deals)

Description:
Installer

Version:
2011.10.21.1521

MD5:
9ab1274a295e89004e0121806afe8ea5

SHA-1:
8b04b83a104e2bc9c53490179de558e6553a6b87

SHA-256:
c2966b45756ea78ce1497726a26618422714fc92afdf3e4b0f70a4c9e98ff813

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
11/23/2024 2:16:37 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Adware.Yontoo | 7.1.1
Avira AntiVirus | Adware/Yontoo.C.1 | 7.11.151.224
Baidu Antivirus | AdWare.Win32.IWSDKFR | 4.0.3.1496
Bkav FE | W32.Clodf98.Trojan | 1.3.0.4959
Comodo Security | Heur.Suspicious | 18356
Dr.Web | Adware.Downware.104 | 9.0.1.0249
ESET NOD32 | Win32/Adware.Yontoo (variant) | 8.9859
Fortinet FortiGate | Riskware/Yontoo | 9/6/2014
IKARUS anti.virus | AdWare.Yontoo | t3scan.1.6.1.0
NANO AntiVirus | Trojan.Win32.Downware.zhovd | 0.28.0.59921
Reason Heuristics | PUP.Installer.WebDealsInteractive.N | 14.9.6.21
VIPRE Antivirus | Yontoo | 29700

File size:
865.2 KB (885,944 bytes)

Product version:
1.10.01

Copyright:
Copyright (c) 2011 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\dropdowndeals.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
5/9/2011 11:40:57 AM

Valid to:
5/9/2012 11:40:57 AM

Subject:
CN=Web Deals Interactive LLC, O=Web Deals Interactive LLC, L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07F91262CBD7E0

File PE Metadata
Compilation timestamp:
3/10/2011 6:55:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:fbfU+dCklzRDN1hfXEQYCXMWaEvfeiI+P/rPXkpED34:QCC4RDNTUh2aEXeiI+H7XTb4

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Entropy:
7.9938

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)
