PUABundler:Win32/YandexBundled is a detection of potentially unwanted application (PUA) associated with the Russian company Yandex. It is typically distributed as bundled software with repackaged or free programs. While being less dangerous than malware, it can still threaten both the privacy and normal operations of one’s computer.
What is PUABundler:Win32/YandexBundled?
PUABundler:Win32/YandexBundled is a generic detection name used by Windows Defender for potentially unwanted software from the Russian company Yandex. While Yandex and its products are legitimate (putting aside the fact that the company is Russian, which we’ll discuss later), their software distribution methods have led most anti-malware vendors to flag them as potentially unwanted.
Once installed, YandexBundled installs its software and makes changes to system settings and the current browser without the user’s explicit permission. It modifies the browser’s homepage and default search engine. Early versions of Yandex software integrated so deeply into the system that they were almost impossible to remove manually. Now, it is easier to do, but the overall daring behavior of the program, along with unwanted sources, is what forces security vendors into flagging it.
Spreading Methods
There is an official Yandex product page, though it’s rare for users to intentionally download Yandex software. There are several primary methods of spreading PUABundler:Win32/YandexBundled:
Software Bundles. In this case, the program is usually included in the installation package of other software that the user intends to install. This is especially common with cracked repacks of paid software by Russian repackers.
“Recommended Software” in Free Programs. This is one of the few ways to monetize free software and a legal way to distribute potentially unwanted software. The only problem is that sometimes unscrupulous developers hide the checkboxes for installing additional software. As a result, the user cannot opt out of the installation.
Runtime Analysis
As mentioned earlier, one of the big issues with YandexBundled is the way it gets to the system. To demonstrate this, I found a sample that distributes Yandex software. This is a typical example of a bundled installer for various questionable programs. The file itself is called TapSetup.exe; I’ve encountered the same file name in the selection of software from the same website, mostly to cracked applications.
As we can see in the screenshot above, the icing on the cake is the footer of the installation window, where all checkboxes are enabled by default. This means that by clicking “Next,” Yandex software will be installed. Considering that people tend to click through the installation menus, all this junk may get in.
Unwanted Activity & Data Collection
After installation, users are greeted with a browser that promotes Russian services and sites. Moreover, regardless of the browser you use, the unwanted software changes settings and adds its extension to all installed browsers on the system. That is suboptimal at least for being an automated action, that happens without your consent. However, there is one more concerning thing to talk about.
As I mentioned earlier, this is a Russian company, and in Russia, the “Sovereign Internet Law” is in effect. This means that all traffic should be recorded and kept on software providers’ servers. It may be accessed on demand by law enforcement without any additional permits. This is the key concern of having and using any Russian software on your computer. Even though similar speculations revolve around US companies and the FBI, the latter still requires a court order to access the information. And, well, you won’t likely be a point of interest for the feds unless you do something illegal.
Legal State Keylogger
One particular program that installs YandexBundler is Punto Switcher, a software whose developer Yandex acquired some time ago. In short, this program automatically switches the keyboard layout between multiple languages. As you might guess, for such an application to work correctly, it needs to read keystrokes, essentially functioning as a keylogger. Additionally, the application has a journaling feature that saves all entered information to a file. And since the program freely connects to the Internet, there is a high chance of this data ending up on Yandex servers.
Not only does Punto Switcher serve as a legal method for distributing PUABundler:Win32/YandexBundled (see the image below), but it also provides an excellent opportunity to legally monitor users. Although the application offers the option to disable auto-switching, it is unlikely that this would disable keystroke logging.
Technical Analysis
Let’s briefly look at the technical aspects of PUABundler:Win32/YandexBundled to determine how dangerous this unwanted software really is. One of the main concerns is that this software reads user/profile data from web browsers:
c:\Users\user\appdata\local\google\chrome\user data\default\history
c:\Users\user\appdata\local\google\chrome\user data\default\history-journal
c:\Users\user\appdata\local\google\chrome\user data\default\local storage\leveldb\current
c:\Users\user\appdata\local\google\chrome\user data\default\preferences
c:\Users\user\appdata\local\google\chrome\user data\default\top sites
While the program likely gets the profile info to transfer it to Yandex, this is once again the example of unauthorized access. Yandex software simply doesn’t care whether you want this to happen or not, it just does this – and consequently collects all of your data from this profile.
It gets even more concerning when we have a look at registry keys that the program accesses. It methodically goes through entries that contain information about installed programs and geolocation.
\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
While there may be a legitimate reason for the program to get this information, the overall nature of the software makes such sharing questionable.
How to Remove PUABundler:Win32/YandexBundled?
If you encounter PUABundler:Win32/YandexBundled, there are two ways to remove it. The first, and less effective, method is manual removal. The second, and recommended, method is using specialized tools. Since this unwanted software embeds itself deeply in the system, I recommend using the second method. GridinSoft Anti-Malware is an optimal solution, as it not only removes threats with just two clicks but also allows resetting browser settings with one click. This will remove all unwanted extensions and homepage settings.
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.