Win32 Candyopen Potentially Unwanted Program

Win32/Candyopen is the name assigned to a piece of software that antivirus suites, including Microsoft's own Windows Defender, classify as a potentially unwanted program.

Potentially unwanted programs, or PUPs, occupy a gray area between legitimate software and outright destructive malware. While a PUP will not wipe your hard drive or encrypt your files and ask for a ransom payment, it still performs enough undesirable tasks that Windows Defender would flag it as something to quarantine or remove from your system.

Potentially unwanted applications such as Win32/Candyopen usually end up on your system through bundle installers that contain several pieces of software, with one or more potentially unwanted programs packaged inside the same installer. Bundle installers are often distributed through free download websites that are poorly curated, which lets packages carrying PUPs sneak in.

The Candyopen PUP was primarily distributed in the US and Russia, followed closely by Brazil and Korea, according to data gathered by Microsoft Defender.

URLs that carried Candyopen at some point in time include download dot freemake dot net, magicaljellybean dot com, and cdisplayex dot com.

To distribute the Candyopen PUP to as many targets as possible, the file containing Candyopen has been found under a number of different names, in an effort to mask its true contents and present it as a desirable application. Candyopen has been spotted posing as an installer of uTorrent, CDex, a fake YouTube downloader application, and an audio file converter, among others.

Once installed, Candyopen behaves like most browser hijackers: it changes your browser's default pages and search engine, then starts monitoring network traffic so that it can inject advertising that should not be there into the pages you visit. All of those behaviors make Candyopen a potentially unwanted program and are the reason why Windows Defender intercepts and blocks Candyopen from executing on your system.
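
To check whether Defender on a given machine is set to block PUPs and whether it has already recorded a Candyopen detection, the following is an added example, not part of the original page. It uses the built-in Defender cmdlets Get-MpPreference, Get-MpThreat and Get-MpThreatDetection; the function name Get-CandyopenDefenderStatus and the name pattern are assumptions chosen for illustration.

```powershell
# Added example: report Defender's PUA protection state and any recorded
# detections whose threat name contains "Candyopen".
# Run in an elevated PowerShell session with Microsoft Defender active.

function Get-CandyopenDefenderStatus {
    param(
        # Name fragment taken from the page; -like is case-insensitive.
        [string]$NamePattern = '*Candyopen*'
    )

    # PUAProtection: 0 = disabled, 1 = enabled (block), 2 = audit only.
    $puaState = switch ([int](Get-MpPreference).PUAProtection) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { 'Unknown' }
    }

    # Threat entries Defender has recorded on this machine under that name.
    $threats = @(Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like $NamePattern })
    $threatIds = @($threats | ForEach-Object { $_.ThreatID })

    # Detection events carry the file paths (Resources) and timestamps;
    # join them to the matching threats by ThreatID.
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $threatIds -contains $_.ThreatID } |
        ForEach-Object {
            [pscustomobject]@{
                ThreatID      = $_.ThreatID
                FirstDetected = $_.InitialDetectionTime
                Process       = $_.ProcessName
                Resources     = $_.Resources -join '; '
            }
        })

    [pscustomobject]@{
        PUAProtection = $puaState
        ThreatNames   = @($threats | ForEach-Object { $_.ThreatName })
        Detections    = $detections
    }
}

$status = Get-CandyopenDefenderStatus
$status | Format-List PUAProtection, ThreatNames
$status.Detections | Format-Table -AutoSize
```

If PUAProtection reports Disabled or AuditMode, `Set-MpPreference -PUAProtection Enabled` switches Defender to blocking mode for potentially unwanted applications.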