Users are often duped into downloading Yontoo after landing on a movie trailer page that prompts them to download & install a [missing] browser plugin, media player, video quality enhancement program or download accelerator.
When launched, Yontoo will display a dialog window to the victim asking them to install a program called “Free Twit Tube” –
However, Yontoo proceeds to download and install adware plugins for Safari, Chrome and Firefox instead. As users surf the web, the plugins relay browsing data to a remote server, which then returns a file that enables the Trojan to inject ads (via third-party code) into webpages loaded in the affected browser.
So, for example, when a user visits apple.com on an infected machine, they may see something like this:
While Dr. Web’s write-up focuses on the attack targeting OS X users, it is important to note that Windows users are also subject to Yontoo infections, although Symantec classifies Yontoo as a “potentially unwanted app” vs. Trojan (an app that claims to be one thing when it’s another).
Either way, the ol’ “missing plugin” bit is rather old, so don’t fall for it. Be careful what you install on your computer, and always read the installation dialogs.
Removing Yontoo from Your PC
If you’ve already been tagged by the Yontoo Trojan, you can perform a full system scan using one of the following antivirus programs to remove the infection:
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.