The malware is spread via malicious movie trailer Web sites that prompt users to install a browser plug-in called HD Video Player in order to view a trailer -- but when a user clicks on "Install the plug-in," they're redirected to another site, from which Trojan.Yontoo.1 is downloaded. (That's not the only way it's distributed -- the Trojan is also delivered as a fake media player, a video quality enhancement program, and a download accelerator.)
When the download is launched, the malware asks the user for permission to install "Free Twit Tube." If the user clicks on "Continue," the Yontoo adware plug-in is downloaded and installed.
"While a user surfs the Web, the plugin transmits information about the loaded pages to a remote server," the researchers write. "In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user."
If you've been targeted, CNET News' Topher Kessler offers detailed instructions on how to remove the Trojan from your system.
While this version targets Mac users, the researchers note that a similar scheme targets Windows PCs as well.