Threat Encyclopedia

OSX_JAHLAV.I

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Mac OS X

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 

This Trojan may be downloaded unknowingly by a user when visiting malicious websites.

It contains a chain of obfuscated scripts, which when decrypted leads to a Perl script detected by Trend Micro as PERL_JAHLAV.F. The said Perl script sends an HTTP GET request to an IP address to download another malicious Perl script. However, the said site is inaccessible as of this writing.

For additional information about this threat, see:

Description created: Aug. 21, 2009 10:28:54 AM GMT -0800


TECHNICAL DETAILS


File type: Other

Memory resident:  No

Size of malware: 24,367 Bytes

Initial samples received on: Aug 21, 2009

Details:

This Trojan may be downloaded unknowingly by a user when visiting malicious Web site(s).

It may arrive on a system as the file install-Quick.Time.Pro7.50.61.0...Cracked.dmg. It comes as a Mac OS X mountable disk image file that contains INSTALL.PKG installer package file.

The said installer package contains component files and the following malicious scripts, which are also detected by Trend Micro as OSX_JAHLAV.I:

  • preinstall
  • preupgrade

These scripts are obfuscated using SED commands and UUEncode. It copies itself into /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that enables this malware to execute periodically every five minutes.

It also contains a chain of obfuscated scripts, which when decrypted leads to a Perl script detected by Trend Micro as PERL_JAHLAV.F. The said Perl script sends an HTTP GET request to the following IP address to download another malicious Perl script:

  • {BLOCKED}.{BLOCKED}.121.161/cgi-bin/generator.pl

However the site is inaccessible as of this writing.

This Trojan runs on Mac OS X.


Analysis By: Kathleen Mae Notario

Revision History:

First pattern file version: 6.528.03
First pattern file release date: Oct 10, 2009

SOLUTION


Minimum scan engine version needed: 8.700

Pattern file needed: 6.528.03

Pattern release date: Oct 10, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

 Step 1: Scan your computer with your Trend Micro product to delete files detected as OSX_JAHLAV.I and PERL_JAHLAV.F  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Connect with us on