Dr. Web

A new Mac OS X Trojan is making the rounds, installing an adware plug-in that renders ads on Web pages to generate revenue for its author.

Dubbed Trojan.Yontoo.1, it is the most prominent of an increasing number of adware Trojans making the rounds, according to Russian antivirus company Dr. Web, the same company that discovered the Flashback virus last year.

"Criminals profit from affiliate ad network programs, and their interest in users of Apple-compatible computers grows day by day," Dr. Web said yesterday in a statement. "Recently discovered, Trojan.Yontoo.1 can serve as a striking example of such software."

The Trojan has a number of avenues for installation, perhaps the most interesting of which is a series of specially crafted movie trailers that include a dialog box that imitates a common prompt for plug-in installation. Once the "install plug-in" button is clicked, victims are redirected to a site where the Trojan is downloaded.

Trojan.Yontoo.1 can also be downloaded as a media player, a video quality enhancement program, or a download accelerator, Dr. Web said.

Once launched, the Trojan generates a dialog box that offers to install Free Twit Tube. After a user presses "continue," the Trojan downloads the Yontoo adware plug-in for Safari, Chrome, and Firefox.

The plug-in transmits information about the pages users visit and embeds third-party code into those pages.

The example below shows how an infected system renders Apple.com with a DropDownDeals ad:

[Image: Apple.com rendered on an infected system with a DropDownDeals ad. Credit: Dr. Web]

While this Trojan targets Mac OS X users, Dr. Web notes that a similar Trojan is also spreading that targets Windows systems.

Clarification at 6:10 a.m. PT March 21: The attribution in the caption has been removed. The image of the plug-in ruse is an example provided by anti-virus company Dr. Web.