OSX/Adware.Yontoo [Threat Name]

OSX/Adware.Yontoo.A [Threat Variant Name]

Category: adware
Size: 418064 B
Detection created: Feb 27, 2013
Signature database version: 10622
Aliases: Trojan.OSX.Yontoo.a (Kaspersky)
  Yontoo.B (Symantec)
  MAC.OSX.Trojan.Yontoo.A (F-Secure)

Short description

OSX/Adware.Yontoo.A is adware used to deliver unsolicited advertisements.

Installation

The adware is a malicious extension/plugin for Mozilla Firefox, Google Chrome and Safari.


The adware contains a URL address.


It tries to download a file from the address.


The file is stored in the following location:

  • /private/var/tmp/3dpartyinstaller.zip

The adware installs additional files into the folders belonging to the following applications:

  • Firefox
  • Safari
  • Chrome

The adware creates the following files:

  • /Users/%username%/Library/Application Support/FireFox/Profiles/%profilname%/extensions/plugin@yontoo.com.xpi
  • /Users/%username%/Library/Application Support/Google/Chrome/YontooLayers.crx
  • /Users/%username%/Library/Application Support/Google/Chrome/External Extensions/niapdbllcanepiiimjjndipklodoedlc.json
  • /Users/%username%/Library/Safari/Extensions/Yontoo.safariextz

The following files are modified:

  • /Users/%username%/Library/Application Support/FireFox/Profiles/%profilname%/user.js
  • /Users/%username%/Library/Safari/Extensions/Extensions.plist
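
The file lists above can be turned into a host check. The following POSIX shell function is an added example, not the vendor's own tooling; the name `yontoo_scan`, its arguments, and the case-insensitive "yontoo" string match inside the two modified files are assumptions, since this description does not say what is written to those files.

```shell
#!/bin/sh
# Added example: looks for the file artifacts listed in this description.
# Usage: yontoo_scan HOME_DIR [TMP_DIR]; prints each hit, returns 0 if any hit.
yontoo_scan() {
    home=$1
    tmp=${2:-/private/var/tmp}
    hits=0

    report() { printf '%s: %s\n' "$1" "$2"; hits=$((hits + 1)); }

    # Downloaded archive named in the description.
    [ -e "$tmp/3dpartyinstaller.zip" ] && report created "$tmp/3dpartyinstaller.zip"

    # Fixed-path files the adware creates.
    for f in \
        "Library/Application Support/Google/Chrome/YontooLayers.crx" \
        "Library/Application Support/Google/Chrome/External Extensions/niapdbllcanepiiimjjndipklodoedlc.json" \
        "Library/Safari/Extensions/Yontoo.safariextz"
    do
        [ -e "$home/$f" ] && report created "$home/$f"
    done

    # Per-profile Firefox files; "FireFox" is the page's spelling, which
    # resolves to Firefox's directory on a case-insensitive macOS volume.
    for profile in "$home/Library/Application Support/FireFox/Profiles"/*/; do
        [ -d "$profile" ] || continue
        [ -e "${profile}extensions/plugin@yontoo.com.xpi" ] &&
            report created "${profile}extensions/plugin@yontoo.com.xpi"
        # Assumption: a modified user.js mentions "yontoo"; the page only
        # says the file is modified, not what is written to it.
        grep -qai yontoo "${profile}user.js" 2>/dev/null &&
            report modified "${profile}user.js"
    done

    # Same assumption for Safari's extension registry.
    plist="$home/Library/Safari/Extensions/Extensions.plist"
    grep -qai yontoo "$plist" 2>/dev/null && report modified "$plist"

    [ "$hits" -gt 0 ]
}
```

Call it once per account, for example `yontoo_scan /Users/alice`, and treat a non-zero exit status as "no listed artifact found".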

Other information

OSX/Adware.Yontoo.A is adware: an application designed to deliver unsolicited advertisements.
